Adding to VPC

FinOps Center reaches its S3, Lambda, and DynamoDB components like any other application does: privately, via VPC Endpoints.

New VPC

  • 1 VPC, e.g. 10.0.0.0/16

  • At least 2 public and 2 private subnets across 2 AZs

  • Internet Gateway attached

  • NAT Gateway(s) in public subnets

  • Route tables:

    • Public subnets → 0.0.0.0/0 via IGW

    • Private subnets → 0.0.0.0/0 via NAT

Attach FinOps Center Lambdas to the VPC

For each Lambda that should live “inside the VPC”:

IAM for VPC attachment

Add the managed policy AWSLambdaVPCAccessExecutionRole to the Lambda execution role so Lambda can create the Hyperplane ENIs it needs for VPC attachment.

Attach Data

  • S3 Gateway – for CUR 2.0, Cost Optimization Hub exports, Athena query results

  • Interface endpoints (AWS PrivateLink) for:

    • com.amazonaws.<region>.dynamodb

    • ...sts

    • ...logs (if you want private delivery to CloudWatch Logs)

    • ...secretsmanager / ...ssm / ...lambda as needed

Attach security groups that allow inbound from sg-finopscenter-lambda (or ECS SG) on 443.
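The gateway endpoint, the interface endpoints, the endpoint security group and the IAM attachment from the steps above as one Terraform configuration. This is an added example, not FinOps Center's own deployment code; the input variables, the role aws_iam_role.finops_lambda and the endpoint security group name are assumptions.

```hcl
# Added example, not FinOps Center project code. Assumed inputs: var.vpc_id,
# var.private_subnet_ids, var.private_route_table_ids, var.lambda_sg_id
# (the page's sg-finopscenter-lambda) and aws_iam_role.finops_lambda.
data "aws_region" "current" {}

# Endpoint SG: inbound 443 only from the Lambda SG, nothing else.
resource "aws_security_group" "finops_endpoints" {
  name   = "sg-finopscenter-endpoints"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "lambda_to_endpoints" {
  security_group_id            = aws_security_group.finops_endpoints.id
  referenced_security_group_id = var.lambda_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# S3 Gateway endpoint: attached to the private route tables, so CUR and
# export reads stay on the AWS network instead of going out via the NAT.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# Interface (PrivateLink) endpoints for the services listed above. Private
# DNS makes the SDK's default hostnames resolve to the endpoint ENIs.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["dynamodb", "sts", "logs"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.finops_endpoints.id]
  private_dns_enabled = true
}

# Lambda execution role: managed policy that lets Lambda create Hyperplane
# ENIs once the function's vpc_config lists the private subnets and SG.
resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
  role       = aws_iam_role.finops_lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
```

With private DNS enabled, `aws ec2 describe-vpc-endpoints` and a DNS lookup of the regional DynamoDB hostname from inside a private subnet should return the endpoint ENI addresses, confirming traffic no longer leaves via the NAT Gateway.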
