WavebreakmediaMicro - Fotolia
How do I configure AWS Lambda functions in a VPC?
Lambda and VPCs are essential to many AWS architectures, but they don't come together as intuitively as you might think. Learn how to configure Lambda functions within a VPC.
Enterprises are increasingly using AWS Lambda in a broader set of scenarios. As a result, there's added focus on making sure Lambda functions are configured to securely interact with other AWS resources.
You might think the best way to do this is through an Amazon VPC, which is an essential element in any secure AWS architecture. Developers and administrators use VPCs to launch resources within a dedicated, private network that tightly controls access.
But there's a hitch when using Lambda. By default, Lambda functions are not launched within a virtual private cloud (VPC), so they can only connect to public resources accessible through the internet.
This is not how most Amazon cloud services operate. For example, EC2 instances can only be accessed within a VPC -- same goes for internal application load balancers. When launching a database with Amazon Relational Database Service (RDS), it's considered a best practice to only allow authorized components within a VPC to connect to a specific database instance.
In addition, services such as ElastiCache, Elastic File System and DynamoDB Accelerator only allow access within a VPC. There are a number of services that support public access, but AWS has introduced the ability to allow VPC-only access using private endpoints. Some examples include S3, DynamoDB, API Gateway, Elastic MapReduce, Athena, CodeBuild and CodePipeline, among others.
How to use AWS Lambda in a VPC
If a Lambda function is required to operate within a VPC -- an increasingly common scenario -- then it needs to be configured in a particular way. To do this, you need to assign a VPC to the Lambda function, then assign one or more subnets, as well as the accompanying VPC security groups.
A common mistake when configuring Lambda in a VPC is related to Network Address Translation (NAT) gateways. If the Lambda function is intended to interact with public resources and VPC resources, it needs a way to access the internet. In this case, the assigned subnets must be private and connect through the internet using a NAT Gateway.
A NAT gateway can be configured using a dedicated EC2 instance or using the VPC NAT gateway feature. For example, if the function needs to call third-party or AWS APIs for services that don't support the VPC endpoint feature, the function must have access to the internet. The Lambda execution Identity and Access Management role must also have CreateNetworkInterface, DescribeNetworkInterfaces and DeleteNetworkInterface EC2 permissions.
It is also important to ensure that security groups assigned to target resources within the VPC -- i.e., load balancers, RDS instances, etc. -- are configured to allow access to the security groups of the Lambda function. Even though this is an essential requirement in any VPC configuration, it's often overlooked when configuring Lambda in a VPC.
Configuring as many AWS resources as possible within a VPC should be considered a best practice. Lambda support for VPC integration makes it simpler to build serverless applications that follow this increasingly common cloud architecture pattern.