How can I securely call a Python FastAPI deployed as a Lambda function, located inside a VPC, from an ECS frontend

0

How can I securely call a Python FastAPI deployed as a Lambda function, located inside a VPC, from an ECS frontend app also within the same VPC? Additionally, I want to use the function URL instead of an API Gateway to avoid the 30-second timeout limitation for specific endpoints. What steps do I need to follow to achieve this setup while maintaining the Lambda function's private accessibility within the VPC?

4 Antworten
1

First, invoking a Lambda function is always done using the public invoke API. Lambda has no way to limit the invocation from within a VPC only. When you attach a function to a VPC it only means that the network traffic originated by the Lambda function is sent inside the VPC.

Second, when you create a Lambda Function URL you actually create a public endpoint. This means that your ECS task will need to access the internet in order to invoke it (either by giving it internet access or by using a NAT gateway). You can protect the endpoint with IAM, so your task will need the appropriate IAM Role to invoke it.

Other options were mentioned above: Use the Lambda Invoke API directly from the ECS task (you will need a Lambda VPC endpoint to access that API), use a Private REST API Gateway to trigger the lambda (with the 30 second limit), or use an ALB as the front-end for the function.

profile pictureAWS
EXPERTE
Uri
beantwortet vor 10 Monaten
profile picture
EXPERTE
überprüft vor 2 Monaten
0

Hi Lalit, One option is to invoke the lambda function using AWS SDK's from the Frontend ECS application.

AWS
beantwortet vor 10 Monaten
0
profile picture
beantwortet vor 10 Monaten
0

Function url expose a public endpoint, so http client is not an option.

You should either use SDK, if you just want to reuse the function url(more details for authentication here: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html#:~:text=Function%20URLs%20are%20dual%20stack,must%20have%20lambda%3AInvokeFunctionUrl%20permissions.).

Alternatives are an internal ALB or private api gateway.

profile picture
EXPERTE
beantwortet vor 10 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen