Accessing AWS SSM from a Private VPC Lambda without Breaking the Bank

As a junior data engineer, I’ve been working on a solo project to strengthen my skills and build my portfolio. But recently, I hit a wall while trying to get resources in a private VPC to reach AWS services.

My Lambda function needs to access the SSM (and KMS) APIs to store my database password securely. The recommended way to do this is by using VPC private endpoints, but they come with a hefty price tag – $14/month for two endpoints. As a solo developer on a tight budget, that’s a significant cost for such a small necessity in my project.

I’ve been searching for a solution that won’t break the bank. One option I considered is the Lambda-to-Lambda pattern, where a public Lambda calls the private Lambda. But I’m afraid it won’t scale and will cause problems later if I use this pattern every time I have this issue.

## The Problem with VPC Endpoints
VPC endpoints are billed per endpoint, per AZ, per hour. For a small project like mine, this can add up quickly. And it’s not just the cost – it’s also the complexity of managing multiple endpoints.

## Is There a Better Way?
So, is there a way to access AWS SSM from a private VPC Lambda without using VPC endpoints? The answer is yes, but it requires some creative problem-solving.

One solution is to use an EC2 instance as a proxy that forwards the Lambda's SSM API calls. This way, you avoid the per-endpoint hourly billing of VPC endpoints and pay only for the EC2 instance.

Another solution is to use AWS CloudFormation to create a custom resource that accesses the SSM API on behalf of your Lambda function. This way, you can avoid the need for VPC endpoints altogether.

## Conclusion
Accessing AWS SSM from a private VPC Lambda doesn’t have to break the bank. With a little creativity and problem-solving, you can find a solution that fits your budget and meets your needs.

So, if you’re facing a similar challenge, don’t give up. Keep searching, and you’ll find a way to make it work.

*Further reading: [AWS SSM Pricing](https://aws.amazon.com/ssm/pricing/)*
