My SES account is out of sandbox. I am trying to send emails with SES using a Python lambda that is in a VPC. I know that the lambda being in a VPC is why I am having a task timeout when trying to run any boto3 SES SDK code. I spent hours researching this, trying different approaches. Note: I intend for this lambda to be invoked only through the Lambda console, not through API Gateway or another resource.
I have followed the steps in this article, which according to AWS should be enough: https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html
I assigned subnets to a VPC interface endpoint for the email.smtp service. For the VPC itself, one of the subnets is in an AZ not supported by SES, but I did not assign that subnet to the interface endpoint--I only assigned the other 3 subnets which are supported by SES. The EC2 instance I created was private (only having a private IPv4 address). I included a CIDR of the IPv4 address as the source for the endpoint's security group. With the restricted traffic for port 25, I am using port 587 in the security group's inbound rule. I have not included anything in terms of NAT gateway, Direct Connect, or other resources/services. I am still seeing a task timeout with my boto3 lambda for using SES.
I am not finding any specific guidance on how the route table should be configured for SES. The route table for the VPC has no explicit subnet associations. The subnets without explicit association are all four subnets for the VPC (including the one in an AZ not supported by SES)--I do not know if that matters based on what I shared in the first paragraph.
Is there something additional I need to cover?
Do I need to use special SMTP credentials when integrating with SES this way?
Are there any specific configurations needed in the route table to tie the VPC to SES?
Is there only one EC2 instance needed?
The interface endpoint you created is for the SES SMTP interface, because at this time SES does not support VPC endpoints for the SES API, only for the SMTP interface. You are using boto3 to try to send an email, but boto3 connects to the SES API, not the SMTP interface.
So, at this time, the only options for having a Lambda function inside a VPC that sends SES emails are:
or
I assume your Lambda function needs to also access something in the VPC, such as an RDS database. If that is not the case, then removing the Lambda function from the VPC entirely would be the appropriate resolution to this issue.