AWS — Configure a lambda function inside a VPC with internet access
AWS has been used by more and more industries due to the stable cloud service with guaranteed high availability. Among all the services that AWS provided, the lambda function is an extremely important piece to automate the business logic.
What is a lambda function
Lambda function is a serverless, event driven compute service that you can deploy in your AWS account. The serverless means that neither you care about the backend machine, nor you need to configure the infrastructure. The only thing you need to do is to write the application code to run when it’s triggered.
Event driven means that a lambda function is triggered by a event that is predefined by AWS. There are many kind of events that can trigger lambdas, including s3, SNS, SQS, another lambda, …. When you deploy a lambda function, you must specify the trigger so it can be run.
Serveless
Sounds convenient, right? You can write a lambda to be triggered by s3:ObjectCreated, and send out the email to the related parties. It’s all automated. However, when we take a deeper look how a lambda function is executed, we will find that the lambda function cannot sit inside our VPC! That is because we don’t even need to configure the resource that the lambda will be running on. So Where exactly is the lambda function? And how can we control our lambda function with proper access/permission?
Where is the lambda function
A lambda function is running on a AWS EC2 instance, which is created by someone else and is currently idle and allow you to use. Each lambda function can only live 15 minutes and after that you have to return that machine to the original owner and you no longer have the access. And as you can guess, for each time you run the same lambda function, you are running it on top of different machines. It all depends on which mahcine is available.
Lambda permission
This is actually a big issue as for most of the companies, the service is sitting inside a private subnet inside the private VPC. With a lambda function that doesn’t even have a static IP address, how could we add the lambda function to the security groups to allow it to access some of the private resource?
AWS ENI
Fortunately, there is a magic called AWS elastic network interface (ENI), it creates an endpoint for this lambda function and assign this lambda function with a static IP address. The way we configure is also easy. In the AWS web console we can go directly to the configuration/vpc section and select which VPC/subnets/security group that you want this lambda to attach to. With latest AWS feature, it will create a hyperplane elastic network interface (hyperplane ENI) per (subnets, security group), so even if you create 10 lambda function will the same VPC setting, there will be only one general ENI created to serve the connection.
What do you get after setting up ENI? Basically you can treat the lambda function to be sitting inside your private VPC now, and it can access your private resources, based on your iam/resource permission policy.
Internet access
You may find that, after connect your lambda function to the private VPC, you lost the internet connection. This may confuse some of the user where let’s say a lambda is configured to be triggered by the s3 object creation, but after the lambda is triggered, you can no longer get that new file in the s3. This is because the lambda will use a puclic https link to access the s3 file. If the internet connection is blocked by your private VPC, you won’t be able to hit the public endpoint.
Thus you need to configure a public subnet in the same VPC that your service resides in, connect the private subnet to the public subnet through a NAT gateway, and configure a internet gateway to connect your public subnet to the internet. This way, your https call will be routed to the public subnet, and in the public subnet you can access the outside world.
Now you get the lambda function to access both your private resource, and the public internet. Cheers!
