Connection timeout when calling AmazonGameLiftAsync.startMatchmakingAsync() (FlexMatch) from Lambda in VPC

Hi, I have set up an API Gateway URL to call a lambda function in my VPC which in turn attempts to start a matchmaking ticket with GameLift. The lambda function is called properly and log statements are visible up to the point where I call AmazonGameLiftAsync.startMatchmakingAsync(). The call hangs and eventually times out the lambda.

My Java code is below:

import java.util.UUID;
import com.amazonaws.services.gamelift.model.Player;
import com.amazonaws.services.gamelift.model.StartMatchmakingRequest;

// request, logger and amazonGameLift (an AmazonGameLiftAsync client) are fields of the handler class
Player player = new Player().withPlayerId(request.playerId);

String ticketId = UUID.randomUUID().toString();

StartMatchmakingRequest startMatchmakingRequest = new StartMatchmakingRequest()
        .withConfigurationName("Random-Match-Config")
        .withTicketId(ticketId)
        .withPlayers(player);

logger.info("Calling startMatchmaking with ticketId=" + ticketId);

// Returns a Future<StartMatchmakingResult>; the result is not awaited here
amazonGameLift.startMatchmakingAsync(startMatchmakingRequest);

I’ve added the following inline policy to the lambda via SAM, presumably ensuring that the lambda will have access to GameLift:

PollMatch:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: !Sub sss-${Environment}-PollMatch-v1
    Handler: com.submarinestandoff.v1.lambda.match.PollMatch::handleRequest
    Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref TicketStatusTable
      - Statement: # https://docs.aws.amazon.com/gamelift/latest/developerguide/gamelift-iam-policy-examples.html
          - Sid: PlayerPermissionsForGameSessionMatchmaking
            Effect: Allow
            Action:
              - gamelift:StartMatchmaking
              - gamelift:DescribeMatchmaking
              - gamelift:StopMatchmaking
              - gamelift:AcceptMatch
              - gamelift:StartMatchBackfill
              - gamelift:DescribeGameSessions
            Resource: '*'

Any idea of what I could be doing wrong here?

Thanks in advance!

Well, it looks like things work if I don’t add the lambda to my private VPC, presumably because now it is in the lambda’s default VPC which has internet access (?). Ideally, I had wanted all of my lambdas to run inside my VPC where I would have easy access to Redis and any internal EC2 instances I have in there. I was able to connect to DynamoDB from lambdas in my VPC by creating a VPC Endpoint. Unfortunately, GameLift is apparently not a service you can create a VPC Endpoint for. So I’m guessing that my only option is setting up a NAT Gateway :person_shrugging: Would be nice if there was a way that didn’t create that extra expense.

My solution is to create my lambda (the one that hits the GameLift API for matchmaking) without specifying a VPC (i.e. let it be created in whatever lambdas run in by default). This apparently allows me access to GameLift endpoints and DynamoDB, which is all I am using for this purpose. Only lambdas that need access to internal resources (like my Redis cluster) run in my VPC, which seems like common sense now that I’m typing it out. I also found this really good post on mixing VPC and non-VPC lambda functions: https://www.jeremydaly.com/mixing-vpc-and-non-vpc-lambda-functions-for-higher-performing-microservices/. Seems that using VPC lambda functions has a performance penalty when it comes to cold starts.
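One thing worth adding to the thread: the symptom in the original question (the function simply hangs until Lambda kills it) is what the default SDK client configuration produces when there is no network path to the GameLift endpoint, because the client keeps retrying the connection with backoff. The following is an added example, not code from the poster or from AWS, of a hypothetical helper (`BoundedMatchmaker`) that uses the AWS SDK for Java v1 classes from the question but gives the client explicit connection and socket timeouts and waits on the returned Future with a budget derived from `Context.getRemainingTimeInMillis()`. With this, a subnet with no NAT gateway shows up in the logs as a clear "could not reach endpoint" error within seconds, and an IAM denial shows up as a distinct service error, instead of both looking like a Lambda timeout. The configuration name and player id are passed in by the caller; the timeout values are assumptions chosen for a short-lived API-backed function.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.SdkClientException;
import com.amazonaws.services.gamelift.AmazonGameLiftAsync;
import com.amazonaws.services.gamelift.AmazonGameLiftAsyncClientBuilder;
import com.amazonaws.services.gamelift.model.MatchmakingTicket;
import com.amazonaws.services.gamelift.model.Player;
import com.amazonaws.services.gamelift.model.StartMatchmakingRequest;
import com.amazonaws.services.gamelift.model.StartMatchmakingResult;
import com.amazonaws.services.lambda.runtime.Context;

import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Hypothetical helper (added example): starts a FlexMatch ticket with bounded timeouts. */
public class BoundedMatchmaker {

    // Built once per container. The connection timeout is the important knob: with no route to
    // the GameLift endpoint (e.g. a VPC subnet without a NAT gateway) the SDK defaults keep
    // retrying with backoff until Lambda kills the function, leaving nothing useful in the log.
    // The millisecond values below are assumptions for a short, API-backed function.
    private static final AmazonGameLiftAsync GAMELIFT = AmazonGameLiftAsyncClientBuilder.standard()
            .withClientConfiguration(new ClientConfiguration()
                    .withConnectionTimeout(2_000)   // ms to establish the TCP/TLS connection
                    .withSocketTimeout(5_000)       // ms to wait for a response once connected
                    .withMaxErrorRetry(1))          // a single retry instead of the default backoff
            .build();

    /**
     * Starts matchmaking and waits for the ticket, keeping a margin before the Lambda deadline so
     * that a failure is logged and returned rather than surfacing as a silent function timeout.
     */
    public static MatchmakingTicket startTicket(String playerId, String configurationName, Context context) {
        String ticketId = UUID.randomUUID().toString();
        StartMatchmakingRequest request = new StartMatchmakingRequest()
                .withConfigurationName(configurationName)
                .withTicketId(ticketId)
                .withPlayers(new Player().withPlayerId(playerId));

        // Wait no longer than the remaining invocation time minus a 1 s margin for logging/return.
        long budgetMs = Math.max(1_000, context.getRemainingTimeInMillis() - 1_000);
        Future<StartMatchmakingResult> pending = GAMELIFT.startMatchmakingAsync(request);
        try {
            StartMatchmakingResult result = pending.get(budgetMs, TimeUnit.MILLISECONDS);
            return result.getMatchmakingTicket();
        } catch (TimeoutException e) {
            pending.cancel(true);
            throw new IllegalStateException("GameLift call exceeded " + budgetMs
                    + " ms for ticket " + ticketId + "; check the function's network path (VPC subnets, NAT)", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            // AmazonServiceException extends SdkClientException, so test the more specific type first.
            if (cause instanceof AmazonServiceException) {
                // The endpoint answered: an API-level error such as an IAM denial or a bad config name.
                AmazonServiceException ase = (AmazonServiceException) cause;
                throw new IllegalStateException("GameLift rejected the request (" + ase.getErrorCode()
                        + ", HTTP " + ase.getStatusCode() + ") for ticket " + ticketId, ase);
            }
            if (cause instanceof SdkClientException) {
                // No response at all: a network-level problem, not a permissions problem.
                throw new IllegalStateException("Could not reach the GameLift endpoint: "
                        + cause.getMessage(), cause);
            }
            throw new IllegalStateException("startMatchmaking failed for ticket " + ticketId, cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("Interrupted while waiting for GameLift", e);
        }
    }
}
```

The handler would call `BoundedMatchmaker.startTicket(request.playerId, "Random-Match-Config", context)` and write the returned ticket id and status to the DynamoDB table the poll function reads. The distinction between the two failure branches is the useful part when debugging the original problem: `SdkClientException` with no service response points at routing (VPC subnets, NAT gateway, security groups), while `AmazonServiceException` means the request reached GameLift and the IAM policy or configuration name is what needs a look.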