Lambda (private subnet) <- ingress request <- gateway


Hi,

I am baffled by a use case that I am not able to make sense of. Will appreciate some guidance. Here is the scenario.

VPC: Created through Control Tower - Landing zone - Account creation. VPC has 1 public subnet and 3 private subnets.

Public Subnet: I have Public Subnet accessible from IG per the route table configurations. Resources in a public subnet are mapped with SecurityGroups which allow internet access.

Private Subnet: Each private subnet is mapped in a different route table which does not have a mapping to IG. There is no NAT Gateway in this scenario.
Therefore, no ingress or egress requests outside of VPC. I do have VPC Endpoints for S3, Dynamodb, and KMS.

NACL: Allows all inbound and outbound traffic from all sources. Just to keep this simple.

Lambda: Lambda is created using advanced configuration and is configured to run in a private subnet inside the VPC. Lambda has a simple job of accessing the KMS endpoint and listing all KMS CMK(s).

Gateway: Created a public API with /GET Resource mapped to lambda. Straight forward stuff.

Per my understanding, VPC only has one ingress point IG, not bringing peering or transit gateway or private links into the mix. Based on the above subnet design and routes, resources in the private subnet should not be accessible to requests coming from outside of VPC. Right?

However, when I issue the GET request to the API, API Gateway is able to invoke the Lambda and get the results.

I am really confused. Any help will be appreciated.

Meanwhile, I will dig through the documentation.

Regards, Sandeep

1 Answer

Accepted Answer

API Gateway doesn't invoke the Lambda function using "the network" as you have defined it (VPC in this case).

When you create an integration between API Gateway and a Lambda function you authorise API Gateway to invoke the function; and you provide permissions in Lambda for API Gateway to invoke it (it's a two-way operation).

"Traffic" (in this case, the request from API Gateway to Lambda and the response from Lambda to API Gateway) is carried across the AWS services control plane so you don't need to provide a network path for that to happen.

Any network traffic generated by the Lambda function (for example, accessing a database or calling another AWS service) will (in your case) originate from the network interface Lambda has on your private subnet.

AWS Expert
Answered 2 years ago
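The practical consequence of the accepted answer is that the control on who may trigger the function in a private subnet is the function's resource-based policy, not the VPC route tables. The following is an added example, not code from the original post or from AWS: it parses the JSON that `aws lambda get-policy --function-name <name>` returns and lists every principal allowed to call `lambda:InvokeFunction`, flagging grants that carry no `AWS:SourceArn` condition (such a grant lets any API Gateway API, in any account, be wired to the function). The two policy documents embedded below are constructed samples; the function name, account id, region and API id in them are placeholders.

```python
import json

# Constructed sample 1: the shape `aws lambda get-policy` returns after
#   aws lambda add-permission --function-name list-kms-keys \
#     --statement-id apigw-invoke --action lambda:InvokeFunction \
#     --principal apigateway.amazonaws.com \
#     --source-arn "arn:aws:execute-api:us-east-1:123456789012:abc123xyz/*/GET/keys"
# Names, account id and API id are placeholders.
SCOPED_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "apigw-invoke",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:list-kms-keys",
            "Condition": {"ArnLike": {
                "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:abc123xyz/*/GET/keys"
            }},
        }],
    }),
    "RevisionId": "constructed-sample-1",
})

# Constructed sample 2: an over-broad grant with no SourceArn condition.
UNSCOPED_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "anyone-can-invoke",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:list-kms-keys",
        }],
    }),
    "RevisionId": "constructed-sample-2",
})

INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:*", "*")


def invoke_grants(get_policy_output: str) -> list[dict]:
    """Return one record per Allow statement that permits InvokeFunction.

    get_policy_output is the raw JSON printed by `aws lambda get-policy`;
    its "Policy" field is itself a JSON string and is decoded here.
    A grant with no AWS:SourceArn condition is marked unscoped.
    """
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    grants = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in INVOKE_ACTIONS for a in actions):
            continue
        principal = stmt.get("Principal", "*")
        if isinstance(principal, dict):
            # Service principals ({"Service": ...}) or AWS principals ({"AWS": ...})
            principal = principal.get("Service") or principal.get("AWS") or "*"
        source_arn = None
        for cond_values in stmt.get("Condition", {}).values():
            for key, value in cond_values.items():
                if key.lower() == "aws:sourcearn":
                    source_arn = value
        grants.append({
            "sid": stmt.get("Sid"),
            "principal": principal,
            "source_arn": source_arn,
            "unscoped": source_arn is None,
        })
    return grants


if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED_POLICY_OUTPUT), ("unscoped", UNSCOPED_POLICY_OUTPUT)):
        for grant in invoke_grants(doc):
            print(label, grant)
```

Run the check against the real output of `aws lambda get-policy` for the function in the question: the expected result is exactly one grant, with principal `apigateway.amazonaws.com` and a SourceArn that names your API, stage, method and path. Any grant flagged `unscoped` is a finding regardless of how the VPC is laid out, because the invoke path never touches the VPC.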
