
Enabling Lambda Vpc Internet Access
Stand up NAT Gateway routing so a VPC-attached Lambda can reach the public internet without giving the function a public IP.
Overview
Enabling Lambda VPC Internet Access is an agent skill for the Operate phase that walks through NAT-based outbound internet setup for a Lambda function that is already attached to a VPC subnet with no route to the internet.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill enabling-lambda-vpc-internet-access
What is this skill?
- Parameter-first SOP: collects lambda_function_name and optional availability_zone upfront in one prompt
- Step 1 verifies required AWS/agent tools before any changes
- Explains why VPC Lambdas need NAT (no public IPs on ENIs)
- Supports direct input, file paths, URLs, and other parameter delivery methods
- Saves acquired inputs to a consistent location for multi-step execution
Adoption & trust: 914 installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your Lambda runs in a private VPC subnet and cannot reach external APIs or services, and you are unsure which NAT and routing pieces to add safely.
Who is it for?
Solo builders or tiny teams operating serverless workers in VPCs that must call external HTTPS endpoints in production.
Skip if: Lambdas that only need VPC access to private RDS or internal services with no outbound internet requirement, or teams that already have a documented shared NAT pattern and only need a one-line route tweak.
When should I use this skill?
A Lambda function in a VPC subnet lacks internet access and you need NAT Gateway–based outbound routing.
What do I get? / Deliverables
After the SOP completes, the function's subnets should have a default route to the internet through a NAT Gateway hosted in a public subnet of the same AZ, created or reused according to your Lambda's AZ and naming inputs.
- Verified tool dependencies
- Documented NAT-oriented networking steps for the named Lambda
- Persisted parameter set for follow-on steps
Journey fit
Internet egress for Lambda in private subnets is a production infrastructure change, not a feature slice—canonical shelf is Operate → Infra. The SOP provisions NAT Gateway, subnets, and routing in AWS—classic run-the-platform networking work.
How it compares
Use instead of unstructured chat that skips dependency verification and single-shot parameter collection for AWS networking changes.
Common Questions / FAQ
Who is enabling-lambda-vpc-internet-access for?
It is for developers and operators running AWS Lambda inside a VPC who need reliable outbound internet without assigning public IPs to the function.
When should I use enabling-lambda-vpc-internet-access?
Use it during Operate → Infra when a deployed or soon-to-deploy Lambda in a private subnet cannot reach the internet; also relevant when debugging connectivity failures after moving a function into a VPC during Build integrations work.
Is enabling-lambda-vpc-internet-access safe to install?
Review the Security Audits panel on this Prism page and treat any skill that drives AWS networking changes as high-impact—confirm IAM scope, change windows, and rollback before applying in production.
SKILL.md - Enabling Lambda Vpc Internet Access
# Lambda VPC Internet Access Setup

## Overview

This SOP guides you through enabling internet access for a Lambda function that currently exists in a VPC subnet without internet access. Lambda functions in a VPC cannot receive public IP addresses on their ENIs, so placing the function in a public subnet (one whose route table points 0.0.0.0/0 at an Internet Gateway) does not give it internet access. The supported path to the public internet is NAT infrastructure: a NAT Gateway in a public subnet, with the function's private subnets routing 0.0.0.0/0 to it.

## Parameters

- **lambda_function_name** (required): The name or ARN of the Lambda function that needs internet access
- **availability_zone** (optional): Specific AZ for resource creation; if not provided, the AZ of the existing Lambda subnets will be used

**Constraints for parameter acquisition:**

- You MUST ask for all required parameters upfront in a single prompt rather than one at a time
- You MUST support multiple input methods including:
  - Direct input: Text provided directly in the conversation
  - File path: Path to a local file
  - URL: Link to an internal resource
  - Other methods: You SHOULD be open to other ways the user might want to provide the data
- You MUST use appropriate tools to access content based on the input method
- You MUST confirm successful acquisition of all parameters before proceeding
- You SHOULD save any acquired data to a consistent location for use in subsequent steps

## Steps

### 1. Verify Dependencies

Check for required tools and warn the user if any are missing.

**Constraints:**

- You MUST verify the following tools are available in your context:
  - call_aws
- You MUST ONLY check for tool existence and MUST NOT attempt to run the tools, because running tools during verification could cause unintended side effects, consume resources unnecessarily, or trigger actions before the user is ready
- You MUST inform the user about any missing tools with a clear message
- You MUST ask if the user wants to proceed anyway despite missing tools
- You MUST respect the user's decision to proceed or abort

### 2. Analyze Current Lambda Configuration

Retrieve and analyze the current Lambda function configuration to understand its VPC setup.

**Constraints:**

- You MUST retrieve the Lambda function configuration using AWS CLI
- You MUST identify the current subnet IDs and security group IDs
- You MUST determine if the current subnets are private or public
- You MUST check the route tables associated with current subnets
- You MUST save the current configuration details for reference

```
# Get Lambda function configuration (VpcConfig holds SubnetIds and SecurityGroupIds)
aws lambda get-function --function-name <lambda_function_name>

# Check subnet details (AvailabilityZone and VpcId are needed for the next steps)
aws ec2 describe-subnets --subnet-ids <subnet_id>

# Check the route table explicitly associated with the subnet.
# Returns nothing if the subnet has no explicit association; in that case the
# subnet uses the VPC's main route table (filter Name=association.main,Values=true)
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=<subnet_id>"
```

### 3. Analyze VPC Network Infrastructure

Examine the VPC's current networking setup to determine what infrastructure needs to be created.

**Constraints:**

- You MUST check for existing Internet Gateway attached to the VPC
- You MUST identify existing public and private subnets
- You MUST examine existing NAT Gateways in the VPC
- You MUST analyze route tables and their associations
- You MUST determine the most appropriate approach based on existing infrastructure

```
# Check all route tables in VPC (a 0.0.0.0/0 route to igw-* marks a public
# subnet; a 0.0.0.0/0 route to nat-* marks a private subnet that already has egress)
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc_id>"

# Check all subnets in VPC
aws ec2 describe-subnets --filters "Name=vpc-id,Values=<vpc_id>"

# Check for existing Internet Gateway
aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=<vpc_id>"

# Check for existing NAT Gateways (note the singular --filter for this command)
aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=<vpc_id>"
```

### 4. Plan NAT Gateway Implementation

Plan the NAT Gateway setup based on the VPC analysis.

**Constraints:**

- You MUST determine the target availability zone for NAT Gateway placement
- You MUST identify if a public subnet exists in the target AZ or needs to be created
- You MUST check if an Elastic IP is available or needs to be allocated
- You M
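The subnet classification that steps 2 through 4 describe, as an added example that is not part of the skill or of the agent toolkit: it consumes the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return (here a constructed sample with made-up VPC, subnet, route table, IGW and NAT Gateway IDs), resolves each subnet's route table (explicit association, else the VPC's main table), classifies its default route, and plans what each of the Lambda's subnets needs. It also covers two cases a manual check tends to miss: a blackhole default route left behind by a deleted NAT Gateway, and a Lambda placed in a public subnet, which has an IGW route but no public IP and therefore still has no egress.

```python
"""
Classify a VPC's subnets by internet egress path and plan NAT Gateway
placement for a VPC-attached Lambda. Consumes the JSON shapes returned by
`aws ec2 describe-subnets` and `aws ec2 describe-route-tables`.
"""
import json

# Constructed sample (all IDs are made up): one VPC whose main route table
# carries only the local route, a public subnet in us-east-1a, a private
# subnet in us-east-1b behind a live NAT Gateway, a subnet in us-east-1c whose
# NAT Gateway was deleted (blackhole route), and an app subnet in us-east-1a
# with no explicit route table association (so it falls back to the main table).
SUBNETS_JSON = json.dumps({"Subnets": [
    {"SubnetId": "subnet-pub-1a", "VpcId": "vpc-0a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-1a", "VpcId": "vpc-0a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-1b", "VpcId": "vpc-0a", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-1c", "VpcId": "vpc-0a", "AvailabilityZone": "us-east-1c"},
]})
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a",
     "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub-1a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    {"RouteTableId": "rtb-priv-1b", "VpcId": "vpc-0a",
     "Associations": [{"Main": False, "SubnetId": "subnet-app-1b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456", "State": "active"}]},
    {"RouteTableId": "rtb-priv-1c", "VpcId": "vpc-0a",
     "Associations": [{"Main": False, "SubnetId": "subnet-app-1c"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0789", "State": "blackhole"}]},
]})


def route_table_for(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    raise ValueError(f"no route table resolves for {subnet_id}")


def egress_kind(route_table):
    """'public' if the default route targets an IGW, 'nat' if it targets a NAT
    Gateway, else 'isolated'. Blackhole routes (target deleted) do not count."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State", "active") != "active":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId"):
            return "nat"
    return "isolated"


def classify_subnets(subnets_json, route_tables_json):
    """Map SubnetId -> {az, rtb, egress} for every subnet in the describe output."""
    subnets = json.loads(subnets_json)["Subnets"]
    rts = json.loads(route_tables_json)["RouteTables"]
    out = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], s["VpcId"], rts)
        out[s["SubnetId"]] = {"az": s["AvailabilityZone"], "rtb": rt["RouteTableId"],
                              "egress": egress_kind(rt)}
    return out


def plan_nat(lambda_subnet_ids, classification):
    """Per Lambda subnet: what step 4 must create. The NAT Gateway should live in
    a public subnet of the same AZ so an AZ outage does not strand egress."""
    plan = []
    for sid in lambda_subnet_ids:
        info = classification[sid]
        entry = {"subnet": sid, "az": info["az"], "egress": info["egress"]}
        if info["egress"] == "nat":
            entry["action"] = "none"
        elif info["egress"] == "public":
            # Lambda ENIs never get a public IP, so an IGW route alone gives no egress.
            entry["action"] = "move-lambda-to-private-subnet-behind-nat"
        else:
            hosts = [s for s, i in classification.items()
                     if i["az"] == info["az"] and i["egress"] == "public"]
            entry["action"] = "create-nat-gateway-and-default-route"
            # None means no public subnet exists in this AZ yet; create one first.
            entry["host_public_subnet"] = hosts[0] if hosts else None
        plan.append(entry)
    return plan


if __name__ == "__main__":
    c = classify_subnets(SUBNETS_JSON, ROUTE_TABLES_JSON)
    print(json.dumps(plan_nat(["subnet-app-1a", "subnet-app-1b", "subnet-app-1c"], c), indent=2))
```

To run this against a real account, feed it the raw output of the step 2 and step 3 `describe-subnets` and `describe-route-tables` commands filtered by VPC, and pass the `VpcConfig.SubnetIds` from `get-function` as the Lambda subnet list; an entry whose `host_public_subnet` is `None` is the AZ where step 4 has to create a public subnet before the NAT Gateway.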