
AWS Lambda with VPC and internet access

Sometimes you need a Lambda function to reach both the internet (RESTful APIs, DynamoDB, S3) and VPC resources (such as RDS). In this post you’ll learn how to allow both without compromising scalability.

By default, a Lambda function has internet access and can reach APIs, DynamoDB and S3, but it can’t talk to internal resources such as RDS instances, because it is not attached to your VPC (by default it runs in a VPC that AWS manages).

You can attach the Lambda to a VPC, but then you’ll lose internet access: a VPC-attached function only gets a private IP address in your subnet, so it can no longer make HTTP requests or reach S3 and DynamoDB through their public endpoints unless the subnet has a route to the internet. (If S3 and DynamoDB are all you need, a VPC gateway endpoint for each gives private access without a NAT; for arbitrary HTTP requests you need the setup below.)

If you need both, you’ll have to set up the VPC for internet access through a NAT gateway, which is a little messy. Read on and I’ll walk you through it.

Create a new VPC

I find it’s best to leave the default VPC alone, so you don’t risk breaking something that already works there (in case you already have resources in it), and because you can keep the default VPC as a configuration reference in the future.

Use the wizard for creating the VPC.

Create the route tables

  • Name the first one public-subnet (create it if it isn’t already there); it will be attached to the public subnet.
  • Name the second one private-lambda. AWS support recommends having separate subnets just for the Lambda, and this route table is going to be attached to them.

Create the subnets

By default, when you create a VPC with the wizard, it creates a public subnet for you. If you used the default values, its name should be Public subnet. Leave it at that.

Now you are going to create several private subnets, one per availability zone, for high availability. Lambda allocates IP addresses in these subnets for its network interfaces, so don’t make them too small.

You’ll create each of these private subnets in the VPC you just made. Supposing you left the VPC CIDR as 10.0.0.0/16 and that you run your resources in Virginia (us-east-1), here is a template for six private subnets, each in a different availability zone:

  • private-lambda-us-east-1a, availability zone us-east-1a, IP block 10.0.16.0/24
  • private-lambda-us-east-1b, availability zone us-east-1b, IP block 10.0.32.0/24
  • private-lambda-us-east-1c, availability zone us-east-1c, IP block 10.0.48.0/24
  • private-lambda-us-east-1d, availability zone us-east-1d, IP block 10.0.64.0/24
  • private-lambda-us-east-1e, availability zone us-east-1e, IP block 10.0.80.0/24
  • private-lambda-us-east-1f, availability zone us-east-1f, IP block 10.0.96.0/24

You can see the pattern:

  • The third octet of the IP block increases by 16 for each subnet (16, 32, 48, 64, 80, 96), so none of the /24 blocks overlap and all of them stay inside 10.0.0.0/16;
  • The names indicate the selected availability zone in your region.

Ensure Route Table vs Subnet associations

  • Go to the Route Tables panel;
  • Select the public-subnet table, review its associations and make sure it is associated with the Public subnet;
  • Select the private-lambda table, review its associations and make sure it is associated with all the private-lambda-* subnets you just created.

Create an Internet Gateway

Just create one and attach it to the VPC.

Configure the routes for the Public Subnet

In my case it came preconfigured, but make sure the route table for your Public subnet has a route with destination 0.0.0.0/0 and your newly created Internet Gateway as target.

Create a NAT gateway (network address translator)

Create a new NAT gateway in your Public subnet and allocate a new Elastic IP for it. It must sit in the public subnet (the one routed to the Internet Gateway); a NAT gateway placed in a private subnet has no path out itself and your functions will still be cut off.

Configure the routes for the Private Subnets

Make sure the route table for your private subnets (private-lambda) has a route with destination 0.0.0.0/0 and your new NAT gateway as target. Don’t point the private subnets at the Internet Gateway instead: only resources with a public IP can use it, and Lambda network interfaces never get one.

With these steps in place, you now have an internet-enabled VPC.
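The whole procedure above, as an added example (not part of the original post) that does the same thing with the AWS CLI instead of the console wizard, so it can be reviewed and repeated. It assumes us-east-1, the 10.0.0.0/16 VPC CIDR from the post, 10.0.0.0/24 for the public subnet (the wizard’s default), an AWS CLI with EC2 permissions, and the Name tags used in the sections above; the private_cidr helper reproduces the "third octet steps by 16" pattern and refuses an index that would leave the VPC range. Nothing is created unless you run it with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the VPC, subnets,
# route tables, Internet Gateway and NAT gateway described above with the
# AWS CLI. Assumptions: region us-east-1, VPC CIDR 10.0.0.0/16, public subnet
# 10.0.0.0/24, AZ suffixes a..f. Run with APPLY=1 to create resources.
set -eu

REGION=us-east-1
VPC_CIDR=10.0.0.0/16
PUBLIC_CIDR=10.0.0.0/24        # assumed: the wizard's "Public subnet"
AZS="a b c d e f"              # us-east-1 AZ suffixes used in the post

# CIDR of the i-th private subnet (1-based): 10.0.16.0/24, 10.0.32.0/24, ...
# The third octet steps by 16, which only stays inside 10.0.0.0/16 for i <= 15.
private_cidr() {
  i=$1
  if [ "$i" -lt 1 ] || [ "$i" -gt 15 ]; then
    echo "private_cidr: index $i out of range 1..15" >&2
    return 1
  fi
  echo "10.0.$((16 * i)).0/24"
}

# Run an ec2 call and print the single value selected by --query.
ec2() { aws ec2 --region "$REGION" "$@" --output text; }

tag_name() { aws ec2 --region "$REGION" create-tags --resources "$1" --tags "Key=Name,Value=$2"; }

build_vpc() {
  VPC=$(ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId)
  tag_name "$VPC" lambda-vpc
  # RDS endpoints are DNS names; the VPC needs DNS hostnames to resolve them.
  aws ec2 --region "$REGION" modify-vpc-attribute --vpc-id "$VPC" \
      --enable-dns-hostnames '{"Value":true}'

  # Internet Gateway, public subnet, public route table (0.0.0.0/0 -> IGW)
  IGW=$(ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  aws ec2 --region "$REGION" attach-internet-gateway --internet-gateway-id "$IGW" --vpc-id "$VPC"
  PUB=$(ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PUBLIC_CIDR" \
        --availability-zone "${REGION}a" --query Subnet.SubnetId)
  tag_name "$PUB" "Public subnet"
  PUB_RT=$(ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId)
  tag_name "$PUB_RT" public-subnet
  ec2 create-route --route-table-id "$PUB_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW" >/dev/null
  ec2 associate-route-table --route-table-id "$PUB_RT" --subnet-id "$PUB" >/dev/null

  # NAT gateway in the public subnet, with its own Elastic IP
  EIP=$(ec2 allocate-address --domain vpc --query AllocationId)
  NAT=$(ec2 create-nat-gateway --subnet-id "$PUB" --allocation-id "$EIP" --query NatGateway.NatGatewayId)
  aws ec2 --region "$REGION" wait nat-gateway-available --nat-gateway-ids "$NAT"

  # Private route table (0.0.0.0/0 -> NAT) shared by every private-lambda-* subnet
  PRIV_RT=$(ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId)
  tag_name "$PRIV_RT" private-lambda
  ec2 create-route --route-table-id "$PRIV_RT" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT" >/dev/null

  i=1
  for az in $AZS; do
    SUB=$(ec2 create-subnet --vpc-id "$VPC" --cidr-block "$(private_cidr "$i")" \
          --availability-zone "${REGION}${az}" --query Subnet.SubnetId)
    tag_name "$SUB" "private-lambda-${REGION}${az}"
    ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$SUB" >/dev/null
    i=$((i + 1))
  done

  # Check: the private table's default route must target the NAT gateway, not the IGW.
  echo "private default route -> $(ec2 describe-route-tables --route-table-ids "$PRIV_RT" \
    --query "RouteTables[0].Routes[?DestinationCidrBlock=='0.0.0.0/0'].NatGatewayId")"
}

if [ "${APPLY:-0}" = 1 ]; then build_vpc; fi
```

The final describe-route-tables call is the check worth keeping: if it prints an empty string or an igw- ID instead of a nat- ID, the private subnets are not routed through the NAT gateway and functions in them will still have no internet access.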


Use Case: configuring a Lambda for internet and RDS access

  • Create a Security Group for the Lambda
    • Create a new SG in the new VPC and configure Outbound > All Traffic > to 0.0.0.0/0 and ::/0 (a new SG allows all outbound traffic by default, so usually there is nothing to change).
  • Modify the Security Group of your RDS instance to allow
    • Inbound > the database port only (for example 5432 for PostgreSQL or 3306 for MySQL) > source: the Lambda SG. Allowing all traffic from the Lambda SG works too, but the single port is all the function needs.
  • Configure the Lambda
    • Create a new Lambda or select an existing one;
    • Make sure its execution role includes the AWSLambdaVPCAccessExecutionRole managed policy (or equivalent permissions to create and delete network interfaces); without it the VPC settings are rejected;
    • Select your new VPC;
    • Select all your private subnets (private-lambda-*) for high availability, and none of the public ones;
    • Select your Lambda Security Group.
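The use case above, as an added example (not part of the original post) in the same AWS CLI form, wiring a function into the VPC built earlier. It assumes the VPC and the private-lambda-* Name tags from the previous sections already exist, a PostgreSQL RDS instance on port 5432 whose security group ID you know, and an execution role that already carries the AWSLambdaVPCAccessExecutionRole policy; the function name and resource IDs are placeholders to replace. The two helpers build the exact payloads the CLI expects: an ingress rule limited to one port from the Lambda SG, and the --vpc-config value. Nothing is changed unless you run it with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates the Lambda SG,
# opens only the database port on the RDS SG for it, and attaches the
# function to every private-lambda-* subnet. Placeholders: FUNCTION_NAME,
# VPC_ID, RDS_SG. Assumes PostgreSQL on 5432. Run with APPLY=1 to apply.
set -eu

REGION=us-east-1
FUNCTION_NAME=my-function          # placeholder
VPC_ID=vpc-0123456789abcdef0       # placeholder: the VPC built above
RDS_SG=sg-0aaaaaaaaaaaaaaaa        # placeholder: the RDS instance's SG
DB_PORT=5432                       # assumed: PostgreSQL

# --ip-permissions payload allowing TCP on one port from one source SG.
# Tighter than "All traffic": the function reaches the database port and
# nothing else on the instance.
sg_ingress_from_sg() {
  port=$1; source_sg=$2
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' \
    "$port" "$port" "$source_sg"
}

# --vpc-config value for update-function-configuration, built from a
# whitespace-separated subnet ID list (as describe-subnets prints it) and one SG.
lambda_vpc_config() {
  subnets=$1; sg=$2
  ids=$(printf '%s' "$subnets" | tr -s '[:space:]' ',')
  ids=${ids#,}; ids=${ids%,}
  echo "SubnetIds=${ids},SecurityGroupIds=${sg}"
}

configure() {
  LAMBDA_SG=$(aws ec2 --region "$REGION" create-security-group --vpc-id "$VPC_ID" \
      --group-name lambda-sg --description "Lambda egress" --query GroupId --output text)
  # A new SG already allows all outbound traffic; no egress rule to add.

  aws ec2 --region "$REGION" authorize-security-group-ingress --group-id "$RDS_SG" \
      --ip-permissions "$(sg_ingress_from_sg "$DB_PORT" "$LAMBDA_SG")"

  # Only the private subnets: public ones would give the ENIs no NAT route.
  SUBNETS=$(aws ec2 --region "$REGION" describe-subnets \
      --filters "Name=vpc-id,Values=$VPC_ID" "Name=tag:Name,Values=private-lambda-*" \
      --query 'Subnets[].SubnetId' --output text)

  aws lambda --region "$REGION" update-function-configuration \
      --function-name "$FUNCTION_NAME" \
      --vpc-config "$(lambda_vpc_config "$SUBNETS" "$LAMBDA_SG")"
  aws lambda --region "$REGION" wait function-updated --function-name "$FUNCTION_NAME"
}

if [ "${APPLY:-0}" = 1 ]; then configure; fi
```

A quick end-to-end check after applying: invoke the function once with code that opens a TCP connection to the RDS endpoint and once with an HTTPS request to a public host; the first proves the security-group pair, the second proves the NAT route.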

And that’s it. You should now have a Lambda function that can reach both VPC and internet resources 🙂

I devised this method from this page.

By Phillippe Santana

Passionate about writing code that people can understand, I'm a software developer, a project manager, an entrepreneur, and a people/culture enthusiast. Find me on [Linkedin](https://www.linkedin.com/in/phillippesantana/) and on [Medium](https://medium.com/@phillippesantana).