dynamodb streams across accounts (and region at times) using lambda

0

A customer is using DynamoDB Streams to pass events to a Kafka topic. They would like to use Lambda to poll the stream, but the consumer (a self-managed Kafka cluster in Kubernetes) is in a different account. I see that the Lambda that reads from DDB needs to be in the DDB account.

As a workaround the customer is considering this: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.KCLAdapter.html (deployed in the Kafka account in the Kubernetes cluster), but would prefer to have a serverless solution instead.

I found this: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-cross-account-kinesis-stream/

Will this mean the traffic goes through the public internet (not desired)? Is there a workaround using VPC peering / VPC sharing / PrivateLink?

Note: the Kafka cluster can be in the same region, but sometimes it is in a different region, so the solution should support both.

1 answer
0
Accepted answer

I don't think that this is the right approach. The blogs you mention talk about triggering a Lambda function in one account from Kinesis/DDB streams in a different account.

I think that in your case the best would be to have a Lambda function in the first account (DDB) which is triggered from the stream. Let this function run in a VPC in the first account. Peer that VPC to the VPC that is hosting Kafka in the second account. The Lambda function should be able to talk via the peered connection and ingest records into Kafka.

If the two accounts are in the same Organization, maybe by using VPC sharing there is no need to do VPC peering. I did not test it, so I am not sure it works, as Lambda can run in VPCs in the same account. Not sure how Shared VPCs are treated.

Just to answer the question about having two Lambdas: a Lambda function runs by default in an AWS-managed VPC. If that Lambda tries to invoke another Lambda, I think it will remain in the same VPC. The second Lambda will be running in the second account's VPC, so there will be no internet traffic as far as I can tell.

AWS Expert
Uri
answered 4 years ago
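To make the accepted design concrete, here is an added example of the DynamoDB-account Lambda it describes: a handler that turns DynamoDB Streams records into Kafka-style messages. This is not code from the thread or from AWS. It assumes (my assumptions) that the function is attached to a VPC in the DDB account whose route table and security groups reach the Kafka brokers over the peering connection, that the event source mapping uses the `NEW_AND_OLD_IMAGES` stream view, and that `producer` is any object with `send(topic, key, value)` and `flush()`, such as a `confluent-kafka` Producer configured with the brokers' private addresses. An in-memory `ListProducer` stands in here so the module runs offline.

```python
"""Added example: DynamoDB Streams -> Kafka bridge Lambda (not from the thread).

Assumes the Lambda runs in a VPC in the DynamoDB account that is peered to
the Kafka VPC in the consumer account, so no traffic leaves the private
address space. `producer` is a hypothetical stand-in for a real Kafka
producer (e.g. confluent-kafka) reached through the peering connection.
"""
import json
from decimal import Decimal


def deserialize(attr):
    """Convert one DynamoDB-typed attribute ({"S": "x"}, {"N": "1"}, {"M": {...}})
    into a plain Python value. Exactly one type tag per attribute is valid."""
    (tag, value), = attr.items()
    if tag == "S":
        return value
    if tag == "N":
        # Keep decimals exact; float would silently lose precision on money fields.
        return int(value) if value.lstrip("-").isdigit() else Decimal(value)
    if tag == "BOOL":
        return bool(value)
    if tag == "NULL":
        return None
    if tag == "M":
        return {k: deserialize(v) for k, v in value.items()}
    if tag == "L":
        return [deserialize(v) for v in value]
    if tag == "SS":
        return sorted(value)
    if tag == "NS":
        return sorted(deserialize({"N": v}) for v in value)
    raise ValueError(f"unsupported DynamoDB attribute type {tag!r}")


def record_to_message(record):
    """Map one stream record to a (key, value) pair.

    The key is the item's key attributes, so every change to one item lands
    on the same partition and is delivered in stream order. A REMOVE becomes
    a tombstone (value None), the Kafka convention for log-compacted topics.
    """
    ddb = record["dynamodb"]
    key = json.dumps(deserialize({"M": ddb["Keys"]}), sort_keys=True, default=str)
    if record["eventName"] == "REMOVE":
        return key, None
    item = deserialize({"M": ddb["NewImage"]})
    value = json.dumps(
        {"event": record["eventName"], "sequence": ddb["SequenceNumber"], "item": item},
        sort_keys=True,
        default=str,  # Decimal -> "42.50" rather than a lossy float
    )
    return key, value


class ListProducer:
    """Hypothetical stand-in for a Kafka producer; collects messages in memory."""

    def __init__(self):
        self.sent = []

    def send(self, topic, key, value):
        self.sent.append((topic, key, value))

    def flush(self):
        pass


def make_handler(producer, topic):
    """Build the Lambda entry point around a given producer and topic."""

    def handler(event, context):
        for record in event["Records"]:
            key, value = record_to_message(record)
            producer.send(topic, key, value)
        # Block until the brokers acknowledge; raising here makes Lambda retry the
        # batch instead of advancing the stream checkpoint past unsent records.
        producer.flush()
        return {"records": len(event["Records"])}

    return handler


# Constructed sample event in the shape Lambda receives from a DynamoDB stream.
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {
        "Keys": {"pk": {"S": "order#1"}},
        "NewImage": {"pk": {"S": "order#1"}, "total": {"N": "42.50"},
                     "tags": {"L": [{"S": "new"}]}, "paid": {"BOOL": False}},
        "SequenceNumber": "100"}},
    {"eventName": "REMOVE", "dynamodb": {
        "Keys": {"pk": {"S": "order#1"}},
        "OldImage": {"pk": {"S": "order#1"}},
        "SequenceNumber": "101"}},
]}


def run_sample():
    """Run the handler over the constructed event and return what was produced."""
    producer = ListProducer()
    handler = make_handler(producer, "orders")
    handler(SAMPLE_EVENT, None)
    return producer.sent


if __name__ == "__main__":
    for topic, key, value in run_sample():
        print(topic, key, value)
```

Two points worth keeping in mind when wiring this up: the Lambda's security group should be the only source allowed on the brokers' listener port in the Kafka VPC, and the Lambda's subnets need no NAT gateway or internet route at all, since the only destination is the peered CIDR. For the cross-region case mentioned in the question, inter-region VPC peering keeps the same private-address model; only the latency changes.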
