Accessing Lambda function through a Site-to-Site VPN tunnel by static IP

Hello AWS users and advocates!

Context:

  • I am using AWS Lambda + API Gateway for my web service, the Lambda is in a VPC
  • I am trying to integrate with a 3rd party that requires a secure host-to-host connection between services (VPN tunnel)
  • The 3rd party integration is built as a webhook; the 3rd party will notify my service when certain events happen on their end
  • The expectation from the 3rd party is that the webhook/service should be accessible via HTTP/S and available behind a single static IP address: For example, if the static IP inside the VPC is 10.0.10.1, port is 9999, and webhook path is /webhook, the 3rd party's service should be able to reach the webhook via http://10.0.10.1:9999/webhook once connected to the tunnel

What I've done so far:

  • Set up a Site-to-Site VPN connection between the Lambda's VPC and the 3rd party network (done)
  • Expose the Lambda function through private IP: This is the part I'm unsure about; I have tried to set up a VPC Endpoint for Lambda, but from what I've read elsewhere, this would not allow the Lambda function to be reached over HTTP

How can this be done?

Thanks

1 Answer

You can't trigger a Lambda function directly from a network call - the event that triggers Lambda has to come from a separate service (mostly). The exception here is Lambda function URL but because they aren't available in a VPC we can discount it as a solution in this case.

What you can do though is create a private API using API Gateway which will be in your VPC and from there it can trigger the Lambda function.

AWS EXPERT
answered 7 months ago
  • Thank you for the quick response; from the documentation linked, I can see that the private API will be accessible via DNS at "https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}" or "https://<vpce-id>.execute-api.<region>.vpce.amazonaws.com" depending on whether private DNS is enabled.

    Is there a way to then expose this API behind a static IP address, such as with an Elastic IP Address?

  • There's probably a way to do that (using a public-facing NLB) - I haven't tested it but I wouldn't recommend it. In this case (using a Site-to-Site VPN) the traffic will all be private and the private API Gateway will have a static private IP address.
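As an added worked example of the architecture the answer describes (this is editor-added code, not from the question, the answer or the comments above): a private REST API in front of the webhook Lambda, reachable only through an execute-api interface VPC endpoint whose ENIs hold fixed private IPs in the VPC where the Site-to-Site VPN terminates. Terraform with the AWS provider; the region, VPC id, subnet ids, the partner CIDR and the existing `aws_lambda_function.webhook` are placeholders and assumptions.

```hcl
# Added example, not the thread's own code. Names, CIDRs and the existing
# aws_lambda_function.webhook are assumptions; replace them for your account.
variable "region"       { default = "eu-central-1" }
variable "vpc_id"       {}
variable "subnet_ids"   { type = list(string) }
variable "partner_cidr" { default = "192.168.100.0/24" } # assumed on-prem side of the VPN

# Only the partner's VPN-side range may reach the endpoint, and only on 443:
# a private API serves HTTPS only, there is no plain-HTTP or custom-port listener.
resource "aws_security_group" "execute_api" {
  name   = "execute-api-endpoint"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.partner_cidr]
  }
}

# The interface endpoint's ENIs are the "static IP" the partner will be given.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.execute_api.id]
  private_dns_enabled = true
}

resource "aws_api_gateway_rest_api" "webhook" {
  name = "partner-webhook"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
  # Resource policy: allow invocation only when the call arrives via this endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "execute-api:/*"
      Condition = { StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id } }
    }]
  })
}

resource "aws_api_gateway_resource" "webhook" {
  rest_api_id = aws_api_gateway_rest_api.webhook.id
  parent_id   = aws_api_gateway_rest_api.webhook.root_resource_id
  path_part   = "webhook"
}

resource "aws_api_gateway_method" "post" {
  rest_api_id   = aws_api_gateway_rest_api.webhook.id
  resource_id   = aws_api_gateway_resource.webhook.id
  http_method   = "POST"
  authorization = "NONE" # network path is the gate here; verify the partner's signature inside the Lambda
}

resource "aws_api_gateway_integration" "lambda" {
  rest_api_id             = aws_api_gateway_rest_api.webhook.id
  resource_id             = aws_api_gateway_resource.webhook.id
  http_method             = aws_api_gateway_method.post.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  uri                     = aws_lambda_function.webhook.invoke_arn # assumed existing function
}

resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowPrivateApiInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.webhook.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.webhook.execution_arn}/*/POST/webhook"
}

resource "aws_api_gateway_deployment" "prod" {
  rest_api_id = aws_api_gateway_rest_api.webhook.id
  triggers = {
    redeployment = sha1(jsonencode([aws_api_gateway_integration.lambda, aws_api_gateway_rest_api.webhook.policy]))
  }
  lifecycle { create_before_destroy = true }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.webhook.id
  deployment_id = aws_api_gateway_deployment.prod.id
  stage_name    = "prod"
}

# Read the endpoint ENIs to hand the partner the fixed private IPs.
data "aws_network_interface" "endpoint" {
  for_each = toset(aws_vpc_endpoint.execute_api.network_interface_ids)
  id       = each.value
}

output "webhook_static_ips" { value = [for eni in data.aws_network_interface.endpoint : eni.private_ip] }
output "endpoint_dns_names" { value = aws_vpc_endpoint.execute_api.dns_entry[*].dns_name }
```

Two caveats for the partner side. A private API listens on HTTPS/443 only, so a target of the form `http://10.0.10.1:9999/webhook` as in the question cannot be met literally; the partner calls `https://<endpoint-ip>/prod/webhook` over the tunnel. Because the endpoint's certificate is issued for the execute-api hostnames and not for an IP, the partner must either send the API's `{rest-api-id}.execute-api.{region}.amazonaws.com` name as the `Host` header (or the `x-apigw-api-id: <rest-api-id>` header) and validate TLS against that hostname, or resolve the `vpce-...execute-api...vpce.amazonaws.com` name to the endpoint IP on their side. The resource policy pins the API to this one endpoint, the security group pins which VPN-side addresses may reach it, and the VPN route table still has to propagate the partner CIDR to the endpoint's subnets.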
