A Lambda that is not connected to a VPC will be on the Internet and will be assigned an arbitrary public IP address (from Amazon's registered IP ranges, obviously), which is not a fixed address. Thus it is almost impossible to whitelist that IP in your EC2 SG, since the next time Lambda spins up, the IP can change and will not be predictable.
However, there is a way to partially restrict network access to only the resources located in the VPC, including Lambda functions (since those components will be assigned internal IP addresses). Suppose you want the EC2 server to be reachable only from the VPC's internal network, so you place it on an internal subnet with no public IP address assigned to it. Now you can configure the SG on the EC2 instance so that it accepts traffic only from the CIDR range of your VPC's internal subnet. By associating the Lambda with this VPC and placing it on a private subnet, the Lambda will receive an arbitrary IP address from the internal CIDR range of your VPC, which obviously falls within the SG range already configured for your EC2 (if you run a lot of Lambdas in parallel, just make sure you have a sufficient number of IP addresses within your defined CIDR range).
If you also want your internally communicating components to reach the Internet, you can add a NAT Gateway that is routable to the IGW, and then add a routing rule on the internal subnets pointing to the NAT gateway. That way all of your components on the internal subnet get route tables pointing to the NAT and from there to the Internet.
Zoobin
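A small added check for the setup described in the answer above (example code, not from the answer's author or from AWS): given constructed data in the shape of the EC2 `describe_security_groups` and `describe_route_tables` responses, it verifies that the EC2 security group only admits sources inside the VPC CIDR, that each Lambda subnet's default route goes to a NAT gateway rather than an internet gateway, and that the subnets leave enough usable addresses for the expected number of parallel invocations. The identifiers (`subnet-priv-a`, `nat-0abc`, `igw-0abc`) and the CIDRs are made up for the example.

```python
import ipaddress

# Constructed sample data shaped like EC2 API responses (not real AWS output).
VPC_CIDR = "10.0.0.0/16"
PRIVATE_SUBNETS = [{"SubnetId": "subnet-priv-a", "CidrBlock": "10.0.1.0/24", "RouteTableId": "rtb-priv"}]
ROUTE_TABLES = {
    "rtb-priv": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                 {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}],
    "rtb-pub": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
}
# Hardened SG: HTTPS only from the VPC's own range, as the answer recommends.
EC2_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
# Weak SG for contrast: SSH open to the whole Internet.
OPEN_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

def sg_ingress_problems(sg, vpc_cidr):
    """Return (port, cidr) for every ingress source that is not inside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    bad = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            if not ipaddress.ip_network(rng["CidrIp"]).subnet_of(vpc):
                bad.append((perm.get("FromPort"), rng["CidrIp"]))
    return bad

def subnet_is_private(routes):
    """Private means the default route, if any, goes to a NAT gateway, never an IGW."""
    for route in routes:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return "NatGatewayId" in route and not route.get("GatewayId", "").startswith("igw-")
    return True  # no default route at all: isolated, which is still private

def usable_ips(cidr):
    """AWS reserves five addresses in every subnet (network, router, DNS, future use, broadcast)."""
    return ipaddress.ip_network(cidr).num_addresses - 5

def check_lambda_placement(subnets, route_tables, sg, vpc_cidr, parallel_invocations):
    """Collect every deviation from the answer's recommended layout; an empty list means OK."""
    issues = [f"SG admits {cidr} on port {port}" for port, cidr in sg_ingress_problems(sg, vpc_cidr)]
    capacity = 0
    for sub in subnets:
        if not subnet_is_private(route_tables[sub["RouteTableId"]]):
            issues.append(f"{sub['SubnetId']} routes 0.0.0.0/0 to an internet gateway")
        capacity += usable_ips(sub["CidrBlock"])
    # Follows the answer's advice to size the CIDR for the number of parallel Lambdas.
    if capacity < parallel_invocations:
        issues.append(f"only {capacity} usable IPs for {parallel_invocations} parallel invocations")
    return issues
```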