EFS requires Lambda to run in a VPC. VPC Lambda can't reach AWS services (DynamoDB, SQS, Bedrock, S3) over the public internet — it needs either a NAT Gateway ($32/mo minimum, kills "zero cost at rest") or VPC endpoints.
- **Gateway endpoints** (free): DynamoDB, S3 — route traffic through the VPC route table
-
- **Interface endpoints** (~$7/mo each per AZ): SQS, Bedrock, Secrets Manager — ENI-based, billed hourly + per-GB
+
- **Interface endpoints** (~$7/mo each per AZ): Secrets Manager — ENI-based, billed hourly + per-GB. SQS and Bedrock endpoints are no longer needed (semantic search uses DynamoDB Streams + local MiniLM embeddings; see [[Design/Async_Embedding_Pipeline]])
- Minimize AZs in dev (1 AZ = 1× endpoint cost); prod needs 2 AZs for availability
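Review bot: the replacement line removes SQS and Bedrock from the interface-endpoint list, but the introductory sentence above the list still names SQS and Bedrock among the services the VPC Lambda must reach; update that sentence in the same change so the "~$7/mo each per AZ" cost reasoning and the AZ-count rule below visibly apply to Secrets Manager only, and state in the intro that the embedding pipeline runs from DynamoDB Streams with a local model, as the new line and its [[Design/Async_Embedding_Pipeline]] link assert.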
This is a Phase 0 infrastructure requirement — without endpoints, Lambda can mount EFS but can't reach DynamoDB for ACL checks.
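As an added illustration (not configuration from this note or its project), the following Terraform fragment wires up the endpoint set described above: free gateway endpoints for DynamoDB and S3 on the private route table, and one interface endpoint for Secrets Manager whose ENI count (and hourly bill) is driven by an AZ-count variable. It assumes `aws_vpc.main`, `aws_route_table.private`, a count-based `aws_subnet.private` (one per AZ) and `aws_security_group.lambda` already exist; all of those names are hypothetical.

```hcl
# Added example, not the project's own config. Assumed pre-existing resources:
# aws_vpc.main, aws_route_table.private, aws_subnet.private[*], aws_security_group.lambda
variable "az_count" {
  description = "1 in dev (one interface ENI), 2 in prod for availability"
  type        = number
  default     = 1
}

data "aws_region" "current" {}

# Gateway endpoints: no ENI and no hourly charge; traffic is steered by a
# prefix-list route added to the private route table
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
}

# Only HTTPS from the Lambda security group may reach the endpoint ENI
resource "aws_security_group" "vpce" {
  name   = "vpce-secretsmanager"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.lambda.id]
  }
}

# Interface endpoint: one ENI per subnet, so az_count sets the hourly cost
resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = slice(aws_subnet.private[*].id, 0, var.az_count)
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true # the SDK's default hostname resolves to the ENI
}
```

With `private_dns_enabled`, the Lambda's AWS SDK needs no endpoint override; a quick check that no NAT path exists is that the private route table carries only the local route and the two gateway prefix-list routes.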