My goal was to create a secure AWS serverless application running inside a private network. I wanted AWS Lambda functions to communicate with DynamoDB without exposing anything to the public internet.
When I deployed my CloudFormation template, it kept failing. I spent hours reading docs, switching between examples, and wondering whether I needed a NAT Gateway, an Internet Gateway, or both.
After digging deeper, I realised something important:
I didn’t need an Internet Gateway at all.
I only needed a VPC Gateway Endpoint for DynamoDB.
That single change meant Lambda could talk to DynamoDB privately, inside the VPC, with no public route at all: no NAT Gateway costs and no public exposure.
This architecture follows AWS best practices for private serverless networking and costs nothing extra to operate.
Private doesn’t mean complicated: it means understanding the difference between a Gateway Endpoint and an Internet Gateway.
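The following CloudFormation template is an added illustration of that setup, not the template from the author's repository. It assumes a single private subnet, a table with a `pk` partition key, and a Python 3.12 function; every resource name (`Vpc`, `PrivateRouteTable`, `DynamoDbEndpoint`, `ItemsTable`, `ItemsFunction`) is a placeholder chosen for this example. Notice what is absent: there is no `AWS::EC2::InternetGateway`, no `AWS::EC2::NatGateway`, and no `0.0.0.0/0` route. The only thing that makes DynamoDB reachable is the gateway endpoint attached to the private route table.

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties: { CidrBlock: 10.0.0.0/16, EnableDnsSupport: true }

  # Private subnet: no Internet Gateway or NAT Gateway exists anywhere in this template.
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties: { VpcId: !Ref Vpc, CidrBlock: 10.0.1.0/24 }

  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }

  PrivateSubnetRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref PrivateSubnet, RouteTableId: !Ref PrivateRouteTable }

  # Gateway endpoint: AWS inserts a route for the regional DynamoDB prefix list into the
  # private route table. The endpoint policy narrows what can be reached to this stack's table.
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref Vpc
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      RouteTableIds: [!Ref PrivateRouteTable]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: [dynamodb:GetItem, dynamodb:PutItem]
            Resource: !GetAtt ItemsTable.Arn

  ItemsTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions: [{ AttributeName: pk, AttributeType: S }]
      KeySchema: [{ AttributeName: pk, KeyType: HASH }]

  # Egress is limited to HTTPS. The missing internet route, not this rule, is what keeps
  # traffic inside AWS: 0.0.0.0/0 has nowhere to go from the private route table.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS egress only (reaches DynamoDB via the gateway endpoint route)
      VpcId: !Ref Vpc
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Lets Lambda create and manage the ENIs it needs inside the private subnet.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: TableAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [dynamodb:GetItem, dynamodb:PutItem]
                Resource: !GetAtt ItemsTable.Arn

  ItemsFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      Timeout: 10
      Environment:
        Variables: { TABLE_NAME: !Ref ItemsTable }
      VpcConfig:
        SubnetIds: [!Ref PrivateSubnet]
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
      Code:
        ZipFile: |
          import os, boto3
          table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])

          def handler(event, context):
              # The SDK targets the regional DynamoDB hostname; the private route table
              # sends that traffic to the gateway endpoint, so no public path is used.
              table.put_item(Item={"pk": "demo", "value": "written privately"})
              return table.get_item(Key={"pk": "demo"}).get("Item")
```

Two checks are worth doing after the stack deploys. First, inspect the private route table (for example with `aws ec2 describe-route-tables`): alongside the local VPC route it should contain exactly one extra route, whose destination is a managed prefix list (`pl-...`) and whose target is the `vpce-...` endpoint, and nothing pointing at an `igw-` or `nat-` target. Second, invoke the function: if it returns the item, the call went through the endpoint, because the subnet has no other way out. A common reason the function instead times out is invoking DynamoDB in a different region than the endpoint, since a gateway endpoint only covers its own region's service prefix list.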
The complete CloudFormation template and project files are available on my GitHub repository. You can explore the code, download it, clone it, or use it as a reference for your own private serverless architectures.