# Adding to VPC

FinOps Center's Lambda functions can be placed inside a VPC like any other application; they then reach S3, DynamoDB and the other AWS services they depend on through VPC Endpoints instead of the public service endpoints.

## New VPC

* 1 VPC, e.g. `10.0.0.0/16`
* At least **2 public** and **2 private** subnets across 2 AZs
* Internet Gateway attached
* NAT Gateway(s) in the public subnets (one per AZ if you want AZ-level resilience)
* Route tables:
  * Public subnets → `0.0.0.0/0` via IGW
  * Private subnets → `0.0.0.0/0` via NAT (the Lambda ENIs live here and never get public IPs)
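The VPC layout above expressed as Terraform, added here as an example and not FinOps Center's own deployment code. The region, AZs, CIDRs and the `Name`/`Tier` tags are assumptions; the tags are there so that later steps can look the VPC, private subnets and private route table up instead of hard-coding IDs.

```hcl
# Added example. Region, AZs, CIDRs and tags are assumptions, not FinOps Center's values.
provider "aws" { region = "eu-west-1" }
locals {
  public  = { "eu-west-1a" = "10.0.0.0/24", "eu-west-1b" = "10.0.1.0/24" }
  private = { "eu-west-1a" = "10.0.10.0/24", "eu-west-1b" = "10.0.11.0/24" }
}
resource "aws_vpc" "finops" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # both flags must be on for private DNS on interface endpoints
  enable_dns_hostnames = true
  tags                 = { Name = "finopscenter" }
}
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.finops.id }
resource "aws_subnet" "public" {
  for_each          = local.public
  vpc_id            = aws_vpc.finops.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Tier = "public" }
}
resource "aws_subnet" "private" {
  for_each          = local.private
  vpc_id            = aws_vpc.finops.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Tier = "private" } # no public IPs, no IGW route: Lambda ENIs land here
}
resource "aws_eip" "nat" { domain = "vpc" }
resource "aws_nat_gateway" "nat" { # one NAT shown; use one per AZ for AZ-level resilience
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public["eu-west-1a"].id
  depends_on    = [aws_internet_gateway.igw]
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.finops.id
  tags   = { Tier = "public" }
}
resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}
resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.finops.id
  tags   = { Tier = "private" }
}
resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private.id
}
```

Run it with `terraform init && terraform plan` before `apply`. The two DNS flags on the VPC are the piece most often forgotten: without them, interface endpoints created later cannot use Private DNS and the SDK keeps resolving to public service addresses.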

## Attach FinOps Center Lambdas to the VPC

For each Lambda that should run inside the VPC, set its VPC configuration to the private subnets in every AZ and to the `sg-finopscenter-lambda` security group, then complete the steps below:

## IAM for VPC attachment

Add the managed policy **`AWSLambdaVPCAccessExecutionRole`** (`arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole`) to the Lambda execution role. It grants the `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` permissions Lambda needs to create and manage the Hyperplane ENIs in your subnets; without it the VPC configuration update is rejected.

## Attach VPC endpoints

* **S3 Gateway endpoint** (`com.amazonaws.<region>.s3`) – for CUR 2.0, Cost Optimization Hub exports and Athena query results. Associate it with the private subnets' route tables; gateway endpoints carry no hourly or data charge.
* **Interface endpoints** (AWS PrivateLink), placed in the private subnets with Private DNS enabled so the SDK's default hostnames resolve to the endpoint ENIs:
  * `com.amazonaws.<region>.dynamodb` (DynamoDB also offers a Gateway endpoint at no charge; prefer it unless the tables must be reachable over peering, Transit Gateway or VPN, which gateway endpoints do not support)
  * `...sts`
  * `...logs` (only if the function code itself calls the CloudWatch Logs API; Lambda's own log delivery does not pass through the function's VPC configuration)
  * `...secretsmanager` / `...ssm` / `...lambda` as needed ([AWS documentation](https://docs.aws.amazon.com/lambda/latest/dg/lambda-managed-instances-networking.html))

Give the interface endpoints a security group that allows inbound TCP 443 from `sg-finopscenter-lambda` (or the ECS task security group) and nothing else. On the Lambda side, the function's security group needs outbound TCP 443 to that endpoint security group and to the S3/DynamoDB gateway prefix lists. Interface endpoints do not use the route tables, so a missing rule here is the usual reason a function inside the VPC times out calling an AWS API.
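The endpoint, security-group, IAM and VPC-attachment steps above as Terraform, added here as an example rather than FinOps Center's own code. It assumes a VPC tagged `Name=finopscenter` whose private subnets and private route table are tagged `Tier=private`, an existing execution role named `finopscenter-lambda-role`, and a placeholder function `finopscenter-ingest` packaged at `build/ingest.zip`; the interface endpoint set (`sts`, `logs`) is illustrative. It goes one step beyond the text by restricting the Lambda security group's egress to the endpoint security group and the gateway prefix lists rather than leaving it open.

```hcl
# Added example. Assumptions: the VPC is tagged Name=finopscenter, its private subnets and
# route table Tier=private; the role name, function name and zip path are placeholders.
provider "aws" { region = "eu-west-1" }
locals {
  svc    = "com.amazonaws.eu-west-1"
  ifaces = toset(["sts", "logs"]) # add secretsmanager, ssm, lambda as needed
}
data "aws_vpc" "finops" {
  tags = { Name = "finopscenter" }
}
data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.finops.id]
  }
  tags = { Tier = "private" }
}
data "aws_route_tables" "private" {
  vpc_id = data.aws_vpc.finops.id
  tags   = { Tier = "private" }
}
# Gateway endpoints for S3 and DynamoDB: route-table entries, no ENI, no hourly charge.
resource "aws_vpc_endpoint" "gateway" {
  for_each          = toset(["s3", "dynamodb"])
  vpc_id            = data.aws_vpc.finops.id
  service_name      = "${local.svc}.${each.key}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = data.aws_route_tables.private.ids
}
# Lambda SG: egress only tcp/443 to the endpoint SG and the gateway prefix lists. Endpoint SG:
# ingress only tcp/443 from the Lambda SG. A function that must reach an API with no VPC
# endpoint needs an extra egress rule to 0.0.0.0/0:443, which then rides the NAT.
resource "aws_security_group" "lambda" {
  name   = "sg-finopscenter-lambda"
  vpc_id = data.aws_vpc.finops.id
}
resource "aws_security_group" "endpoints" {
  name   = "sg-finopscenter-endpoints"
  vpc_id = data.aws_vpc.finops.id
}
resource "aws_vpc_security_group_egress_rule" "lambda_to_endpoints" {
  security_group_id            = aws_security_group.lambda.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.endpoints.id
}
resource "aws_vpc_security_group_egress_rule" "lambda_to_gateways" {
  for_each          = aws_vpc_endpoint.gateway
  security_group_id = aws_security_group.lambda.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_id    = each.value.prefix_list_id
}
resource "aws_vpc_security_group_ingress_rule" "endpoints_from_lambda" {
  security_group_id            = aws_security_group.endpoints.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.lambda.id
}
# Interface endpoints (PrivateLink) in the private subnets. Private DNS (needs enableDnsSupport
# and enableDnsHostnames on the VPC) makes the SDK's default hostnames resolve to the endpoint
# ENIs, so the functions need no endpoint-URL changes.
resource "aws_vpc_endpoint" "interface" {
  for_each            = local.ifaces
  vpc_id              = data.aws_vpc.finops.id
  service_name        = "${local.svc}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = data.aws_subnets.private.ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
# Managed policy for the ENI calls Lambda makes on your behalf, then the VPC attachment itself.
data "aws_iam_role" "lambda" { name = "finopscenter-lambda-role" }
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = data.aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
resource "aws_lambda_function" "ingest" {
  function_name = "finopscenter-ingest"
  role          = data.aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "build/ingest.zip"
  vpc_config {
    subnet_ids         = data.aws_subnets.private.ids
    security_group_ids = [aws_security_group.lambda.id]
  }
  depends_on = [aws_iam_role_policy_attachment.vpc_access]
}
```

With this layout, a compromised function can only talk to the endpoints you created and to S3/DynamoDB through the gateway prefix lists; the NAT route in the private subnets is unused until you deliberately add a wider egress rule. To verify after `terraform apply`, invoke the function and confirm it completes rather than timing out, then check `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<lambda-sg-id>` shows its ENIs in the private subnets only.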
