Accessing Lambda function through a Site-to-Site VPN tunnel by static IP

0

Hello AWS users and advocates!

Context:

  • I am using AWS Lambda + API Gateway for my web service, the Lambda is in a VPC
  • I am trying to integrate with a 3rd party that requires a secure host-to-host connection between services (VPN tunnel)
  • The 3rd party integration is built as a webhook; the 3rd party will notify my service when certain events happen on their end
  • The expectation from the 3rd party is that the webhook/service should be accessible via HTTP/S and available behind a single static IP address. For example, if the static IP inside the VPC is 10.0.10.1, the port is 9999, and the webhook path is /webhook, the 3rd party's service should be able to reach the webhook via http://10.0.10.1:9999/webhook once connected to the tunnel

What I've done so far:

  • Set up a Site-to-Site VPN connection between the Lambda's VPC and the 3rd party network (done)
  • Expose the Lambda function through a private IP: This is the part I'm unsure about; I have tried to set up a VPC Endpoint for Lambda, but from what I've read elsewhere, this would not allow the Lambda function to be reached over HTTP

How can this be done?

Thanks

1 answer
0

You can't trigger a Lambda function directly from a network call - the event that triggers Lambda has to come from a separate service (mostly). The exception here is Lambda function URLs, but because they aren't available in a VPC we can discount them as a solution in this case.

What you can do though is create a private API using API Gateway which will be in your VPC and from there it can trigger the Lambda function.

AWS
EXPERT
answered 7 months ago
  • Thank you for the quick response; from the documentation linked, I can see that the private API will be accessible via DNS at "https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}" or "https://<vpce-id>.execute-api.<region>.vpce.amazonaws.com" depending on whether private DNS is enabled.

    Is there a way to then expose this API behind a static IP address, such as with an Elastic IP Address?

  • There's probably a way to do that (using a public-facing NLB) - I haven't tested it but I wouldn't recommend it. In this case (using a Site-to-Site VPN) the traffic will all be private and the private API Gateway will have a static private IP address.
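The design in the answer above, as an added CloudFormation example (not code from this thread or from AWS): the execute-api interface endpoint's ENIs carry the static private IPs the 3rd party will target, the endpoint's security group admits only the VPN peer on 443, and the API's resource policy refuses any invocation that does not arrive through that endpoint. Assumed placeholders are VpcId, PrivateSubnetIds, OnPremCidr (the 3rd party's side of the tunnel) and WebhookFunctionArn; the /webhook resource, its Lambda proxy method, deployment and stage are wired in the usual way and omitted here.

```yaml
# Added example, not from the original thread: private REST API behind an
# execute-api interface endpoint, reachable only from the Site-to-Site VPN peer.
# Assumed placeholders: VpcId, PrivateSubnetIds, OnPremCidr, WebhookFunctionArn.
Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  PrivateSubnetIds: {Type: List<AWS::EC2::Subnet::Id>}
  OnPremCidr: {Type: String, Default: 192.168.100.0/24}  # constructed value
  WebhookFunctionArn: {Type: String}
Resources:
  EndpointSg:  # only the VPN peer may reach the endpoint ENIs, and only on 443
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: execute-api endpoint, HTTPS from the VPN peer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref OnPremCidr}
  ApiEndpoint:  # its ENIs hold the static private IPs the 3rd party is given
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.execute-api"
      VpcEndpointType: Interface
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSg]
      PrivateDnsEnabled: false  # callers use the endpoint IP / vpce hostname
  WebhookApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: webhook-private
      EndpointConfiguration: {Types: [PRIVATE], VpcEndpointIds: [!Ref ApiEndpoint]}
      Policy:  # resource policy: invocable only through ApiEndpoint
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: execute-api:Invoke
            Resource: "execute-api:/*"
          - Effect: Deny
            Principal: "*"
            Action: execute-api:Invoke
            Resource: "execute-api:/*"
            Condition:
              StringNotEquals:
                "aws:SourceVpce": !Ref ApiEndpoint
```

API Gateway serves only HTTPS on 443, so the URL the 3rd party needs is https://<endpoint-private-ip>/<stage>/webhook rather than the http://...:9999 form in the question. Because the endpoint fronts many APIs, the request must still identify this one, either with the Host header set to the API's execute-api hostname from the comment above or with the x-apigw-api-id header.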
