From 3cf6c95fe44ee304ce96826b9cab656b32433598 Mon Sep 17 00:00:00 2001 From: Mirek Svoboda <7804468+GoodMirek@users.noreply.github.com> Date: Mon, 24 May 2021 21:42:16 +0200 Subject: [PATCH 1/2] Add VPC endpoints as alternative to NAT gateway Error messages in Lambda console indicate that it is possible to use AWS VPC Endpoints for Lambda and STS services, instead of a NAT gateway. It indeed works, but this alternative was not documented so far. --- doc_source/services-msk-topic-add.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc_source/services-msk-topic-add.md b/doc_source/services-msk-topic-add.md index 87d49a38..94d769a9 100644 --- a/doc_source/services-msk-topic-add.md +++ b/doc_source/services-msk-topic-add.md @@ -12,6 +12,7 @@ This section describes how to add your Kafka cluster and topic as a function tri To get Apache Kafka records from Amazon MSK brokers, Lambda must have access to the Amazon Virtual Private Cloud \(Amazon VPC\) resources associated with your MSK cluster\. To meet Amazon VPC access requirements, we recommend: + Configuring one NAT gateway per public subnet\. For more information, see [Internet and service access for VPC\-connected functions](configuration-vpc.md#vpc-internet)\. ++ Alternatively, instead of NAT gateway, deploy VPC Endpoints (PrivateLink) for Lambda and STS services. Your Amazon VPC security groups must be configured with the following rules \(at minimum\): + Inbound rules – Allow all traffic on all ports for the security group specified as your event source\. @@ -56,4 +57,4 @@ The following example uses the [https://awscli.amazonaws.com/v2/documentation/ap ``` aws lambda get-event-source-mapping --uuid 6d9bce8e-836b-442c-8070-74e77903c815 -``` \ No newline at end of file +``` From 3cc2149acd68f8497998312af2307b9c834858b7 Mon Sep 17 00:00:00 2001 
From: Mirek Svoboda Date: Tue, 25 May 2021 08:04:58 +0200 Subject: [PATCH 2/2] Add VPC endpoint for Secrets Manager if authentication is required --- doc_source/services-msk-topic-add.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc_source/services-msk-topic-add.md b/doc_source/services-msk-topic-add.md index 94d769a9..62f8eb85 100644 --- a/doc_source/services-msk-topic-add.md +++ b/doc_source/services-msk-topic-add.md @@ -12,7 +12,7 @@ This section describes how to add your Kafka cluster and topic as a function tri To get Apache Kafka records from Amazon MSK brokers, Lambda must have access to the Amazon Virtual Private Cloud \(Amazon VPC\) resources associated with your MSK cluster\. To meet Amazon VPC access requirements, we recommend: + Configuring one NAT gateway per public subnet\. For more information, see [Internet and service access for VPC\-connected functions](configuration-vpc.md#vpc-internet)\. -+ Alternatively, instead of NAT gateway, deploy VPC Endpoints (PrivateLink) for Lambda and STS services. ++ Alternatively, instead of NAT gateway, deploy VPC Endpoints (PrivateLink) for Lambda and STS services\. If authentication is required, then deploy also VPC Endpoint for Secrets Manager\. Your Amazon VPC security groups must be configured with the following rules \(at minimum\): + Inbound rules – Allow all traffic on all ports for the security group specified as your event source\.
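Review bot: the new bullet in the first hunk of PATCH 1/2 (`@@ -12,6 +12,7 @@`) breaks the file's escaping convention and is missing an article. Every other line in this file escapes parentheses and sentence-ending periods for the doc build (`\(Amazon VPC\)`, `subnet\.`), but the added line has a bare `(PrivateLink)` and a bare trailing period, and "Alternatively, instead of" says the same thing twice. Suggested wording: `+ Alternatively, deploy VPC endpoints \(AWS PrivateLink\) for the Lambda and STS services instead of a NAT gateway\.` The NAT bullet also links to the VPC access page while the new alternative links nowhere, so readers get no guidance on how the security group rules listed right below apply to the endpoint path; a pointer to equivalent guidance would keep both options at the same level of detail.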
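Review bot: the second hunk of PATCH 1/2 (`@@ -56,4 +57,4 @@`) only adds the missing newline at end of file after the closing code fence, which is unrelated to the VPC endpoint change and is not mentioned in the commit message. Fine to keep, but either note it in the message or split it into its own commit so the documentation change stays reviewable on its own.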
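Review bot: the rewritten bullet in PATCH 2/2 (`@@ -12,7 +12,7 @@`) escapes the periods but still leaves `(PrivateLink)` unescaped, and "If authentication is required, then deploy also VPC Endpoint for Secrets Manager" is ungrammatical and does not say which authentication is meant; the reader has to infer that it is the cluster authentication whose credentials Lambda reads from Secrets Manager, which is the only reason given here for Lambda to reach that service. Suggested wording: `If your cluster requires authentication, also deploy a VPC endpoint for Secrets Manager so that Lambda can retrieve the credentials\.` Since this commit only rewrites the line added in PATCH 1/2, squashing the two commits would leave one clean change with a single commit message covering Lambda, STS and Secrets Manager.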