Lambda VPC cold starts are fixed — and most teams do not know it. The original 10-second cold start from ENI creation was solved in 2019 with Hyperplane network interfaces. But specific misconfigurations still restore the old penalty. Here is what causes VPC cold start overhead in 2024 and how to verify you are getting the fixed behavior.
⚡ TL;DR: Hyperplane ENIs eliminated the 10-second VPC cold start. Remaining overhead is 100-400ms from DNS and security group evaluation. Use 2+ subnets in different AZs, create VPC Endpoints for DynamoDB/S3/SQS, and avoid custom DNS resolvers. Only put Lambda in VPC when it needs VPC resources.
Why VPC cold starts were slow — and why they are not anymore
```bash
# Old behavior (pre-2019): Lambda created a new ENI per cold start
# ENI creation = 8-10 seconds — serial, expensive, per-function
# New behavior (Hyperplane ENIs):
#   Lambda maintains a pre-created ENI pool per subnet
#   Cold start = attach existing ENI = 100-400ms

# Verify Hyperplane ENIs are being used:
aws ec2 describe-network-interfaces \
  --filters Name=description,Values="AWS Lambda VPC ENI*" \
  --query "NetworkInterfaces[*].[Description,Status]"
# Hyperplane ENIs show "AWS Lambda VPC ENI-Hyperplane" in the description
```
Correct VPC configuration
```yaml
# Minimum correct VPC config:
# - 2+ subnets in different AZs (distributes the ENI pool)
# - Security group with egress-only rules
# - Subnets must be /24 or larger (small subnets exhaust the ENI pool)

# SAM example:
VpcConfig:
  SubnetIds:
    - subnet-aaaaa   # us-east-1a
    - subnet-bbbbb   # us-east-1b
  SecurityGroupIds:
    - sg-lambda      # Egress: allow all; no ingress rules needed
```
Replace NAT Gateway with VPC Endpoints
```bash
# Lambda in VPC has no internet access by default
# NAT Gateway costs $32-64/month per AZ
# VPC Endpoints for AWS services (much cheaper):
#   Gateway endpoints (FREE): DynamoDB, S3
#   Interface endpoints (~$7/month): SQS, SSM, Secrets Manager, STS

# Create Gateway endpoints (free):
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxxxx \
  --service-name com.amazonaws.us-east-1.dynamodb \
  --route-table-ids rtb-xxxxx

# If Lambda only needs RDS + DynamoDB + SQS:
# No NAT Gateway needed at all - saves $32-64/month
```
VPC Lambda performance checklist
- ✅ 2+ subnets in different AZs for Hyperplane ENI pool
- ✅ Use /24 or larger subnets
- ✅ Create free Gateway VPC Endpoints for DynamoDB and S3
- ✅ Use Interface Endpoints for SQS, SSM, Secrets Manager
- ✅ Minimal security group rules (each rule adds evaluation time)
- ❌ Do not put Lambda in VPC unless it actually needs VPC resources
- ❌ Do not use custom DNS resolvers — adds latency to every DNS lookup
- ❌ Do not use NAT Gateway if VPC Endpoints can replace it
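As an added example (not code from the original post), here is a Python audit that applies the checklist above to one function's VPC settings. It takes dicts shaped like the boto3 responses for get_function_configuration, describe_subnets, describe_security_groups and describe_vpc_endpoints, so it runs offline on the constructed sample below; the `RouteTableId` field on each subnet is an assumption, joined from describe_route_tables associations, since describe_subnets does not return it.

```python
import ipaddress

# Audit a Lambda function's VPC configuration against the checklist above.
# Inputs are dicts shaped like the boto3 responses for get_function_configuration,
# describe_subnets, describe_security_groups and describe_vpc_endpoints, with one
# assumed addition: "RouteTableId" on each subnet, joined from describe_route_tables
# associations (describe_subnets itself does not return it).
GATEWAY_SERVICES = ("dynamodb", "s3")  # free Gateway endpoints the checklist expects

def audit_vpc_config(fn_cfg, subnets, security_groups, endpoints, region="us-east-1"):
    """Return a list of findings; an empty list means the checklist is satisfied."""
    vpc = fn_cfg.get("VpcConfig") or {}
    subnet_ids = vpc.get("SubnetIds", [])
    if not subnet_ids:
        return ["function is not attached to a VPC; nothing to check"]
    findings = []
    by_id = {s["SubnetId"]: s for s in subnets}
    used = [by_id[i] for i in subnet_ids if i in by_id]
    # The Hyperplane ENI pool is per subnet, so spread it over at least two AZs.
    azs = {s["AvailabilityZone"] for s in used}
    if len(azs) < 2:
        findings.append(f"subnets cover {len(azs)} AZ; use 2+ subnets in different AZs")
    # Small subnets exhaust the ENI pool: require /24 or larger.
    for s in used:
        if ipaddress.ip_network(s["CidrBlock"]).prefixlen > 24:
            findings.append(f"subnet {s['SubnetId']} is {s['CidrBlock']}; use /24 or larger")
    # Lambda needs egress only; every ingress rule is wasted evaluation time.
    sg_by_id = {g["GroupId"]: g for g in security_groups}
    for gid in vpc.get("SecurityGroupIds", []):
        if sg_by_id.get(gid, {}).get("IpPermissions"):
            findings.append(f"security group {gid} has ingress rules; Lambda needs egress only")
    # Gateway endpoints only help if they sit on the route tables of the used subnets.
    rtbs = {s["RouteTableId"] for s in used if "RouteTableId" in s}
    for svc in GATEWAY_SERVICES:
        name = f"com.amazonaws.{region}.{svc}"
        if not any(e["ServiceName"] == name and e["VpcEndpointType"] == "Gateway"
                   and rtbs & set(e.get("RouteTableIds", [])) for e in endpoints):
            findings.append(f"no Gateway endpoint for {name} on route tables {sorted(rtbs)}")
    return findings

# Constructed sample (not real account data): both subnets in one AZ, one /28 subnet,
# a needless ingress rule, and the S3 Gateway endpoint missing. Expect four findings.
FN = {"VpcConfig": {"SubnetIds": ["subnet-aaaaa", "subnet-bbbbb"], "SecurityGroupIds": ["sg-lambda"]}}
SUBNETS = [
    {"SubnetId": "subnet-aaaaa", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.1.0/24", "RouteTableId": "rtb-1"},
    {"SubnetId": "subnet-bbbbb", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.2.0/28", "RouteTableId": "rtb-1"},
]
SGS = [{"GroupId": "sg-lambda", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443}]}]
ENDPOINTS = [{"ServiceName": "com.amazonaws.us-east-1.dynamodb", "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-1"]}]
```

Run `audit_vpc_config(FN, SUBNETS, SGS, ENDPOINTS)` and each returned string is one checklist violation to fix; an empty list means the function matches the checklist.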
Lambda in VPC most commonly accesses RDS — pair this with the PostgreSQL query optimization guide so the database layer is not the new bottleneck. For overall cold start strategy, the main cold start guide covers non-VPC optimizations. Official reference: Lambda VPC documentation.
