What is causing the issue?

By:
In: SAP-C01
Tagged:
With: 2 Comments
A company is migrating a subset of its application APIs from Amazon EC2 instances to run on a serverless infrastructure.The company has set up Amazon APIGateway, AWS Lambda, and Amazon DynamoDB for the new application.The primary responsibility of the Lambda function is to obtain data from a third-partySoftware as a Service (SaaS) provider.For consistency, the Lambda function is attached to the same virtual private cloud (VPC) as the original EC2 instances.Test users report an inability to use this newly moved functionality, and the company is receiving 5xx errors from API Gateway.Monitoring reports from the SaaS provider shows that the requests never made it to its systems.The company notices that Amazon CloudWatch Logs are being generated by the Lambda functions.When the same functionality is tested against the EC2 systems, it works as expected.

What is causing the issue?

Lambda is in a subnet that does not have a NAT gateway attached to it to connect to the SaaS provider.

The end-user application is misconfigured to continue using the endpoint backed by EC2 instances.

The throttle limit set on API Gateway is too low and the requests are not making their way through.

API Gateway does not have the necessary permissions to invoke Lambda.

Explanations:

Lambda functions in a VPC need a NAT gateway to access the internet for external requests. If the Lambda function is in a subnet without a NAT gateway, it cannot reach the SaaS provider, leading to 5xx errors since the requests never leave the VPC.

If the end-user application were misconfigured, it would affect all functionality tied to the endpoint, not just the new Lambda function. Since the same functionality works with EC2, the issue is more likely related to network configuration rather than application misconfiguration.

A throttle limit being too low would lead to rate-limiting errors (429), not 5xx errors. Since monitoring indicates that requests never reached the SaaS provider, this option does not explain the observed issue.

If API Gateway lacked permissions to invoke Lambda, it would result in authorization errors (403), not 5xx errors. The fact that CloudWatch logs are being generated suggests that API Gateway can invoke the Lambda function, ruling this option out.

2026-03-19

2 Comments

  1. Lawrence
    Author

    In my experience, the answer is:
    Lambda is in a subnet that does not have a NAT gateway attached to it to connect to the SaaS provider.

  2. Paul
    Author

    From what I’ve seen, the answer is:
    Lambda is in a subnet that does not have a NAT gateway attached to it to connect to the SaaS provider.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × four =