Lambda streaming with regional custom domains

0

I have a multi-region API using API Gateway/Lambda, and Route 53 for the regional routing. The architecture is similar to this example: https://aws.amazon.com/blogs/networking-and-content-delivery/latency-based-routing-leveraging-amazon-cloudfront-for-a-multi-region-active-active-architecture/

In order to avoid the 6 MB size limit of Lambda, I am trying to change this API to be served from a Lambda Function URL with streaming enabled. The problem I am having is that the TLS certificate of the Lambda Function URL does not match the Route 53 alias that I am using to do the regional routing, and so the CloudFront distribution fails with a Bad Gateway response.

One possible solution would be if the function URL was HTTP and did not use TLS; then there would not be an issue. The documentation for Lambda Function URLs states "A function URL is a dedicated HTTP(S) endpoint for your Lambda function." However, when I try to invoke my Function URL with http://.... the response hangs.

Do Function URLs support non-TLS endpoints? Is there another way to solve this issue? I have read I may be able to solve the issue with the Application Load Balancer, but would prefer to avoid the added cost for this work-around.

2 Answers
1

Lambda Function URLs do not support non-TLS endpoints. They are designed to be secure by default and only support HTTPS connections. The "HTTP(S)" notation in the documentation refers to the protocol used, but in practice, all Function URLs use HTTPS.

To solve your issue with regional custom domains and Lambda Function URLs, you have a few options:

  1. Use API Gateway with Lambda integration: This would allow you to use custom domain names and TLS certificates, but you'd lose the streaming capability and be subject to the 6MB size limit.

  2. Use Application Load Balancer (ALB): As you mentioned, this could solve the issue by allowing you to use custom domain names and certificates, but it would incur additional costs.

  3. Use Amazon CloudFront with Lambda Function URLs: You can set up a CloudFront distribution with your Lambda Function URL as the origin. Then, configure a custom domain name for the CloudFront distribution and use your own SSL/TLS certificate. This approach allows you to keep the streaming capability of Lambda Function URLs while using your custom domain.

  4. Implement a reverse proxy: You could set up a lightweight reverse proxy (e.g., using AWS Fargate or EC2) that forwards requests to your Lambda Function URL. This proxy can use your custom domain and certificate.

Given your requirements and desire to avoid additional costs, the CloudFront approach (option 3) might be the most suitable solution. It allows you to use custom domains, manage certificates, and maintain the streaming capability of Lambda Function URLs without significant additional costs.

answered a year ago
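
Why the Route 53 alias fails the origin TLS check while option 3 passes, as an added example that is not part of the original question or answer. All hostnames are constructed, and the `*.lambda-url.<region>.on.aws` certificate name is an assumption derived from the Function URL hostname format.

```python
"""Added example: TLS name checks on the two hops of a CloudFront -> Function URL setup."""

# Constructed sample values; none of these come from the original post.
FUNCTION_URL_HOST = "abc123examplexyz.lambda-url.us-east-1.on.aws"
ROUTE53_ALIAS = "api-us-east-1.example.com"      # regional alias pointing at the function URL
VIEWER_DOMAIN = "api.example.com"                # custom domain attached to CloudFront
# Assumption: the Function URL endpoint presents a regional wildcard certificate.
FUNCTION_URL_CERT_SANS = ["*.lambda-url.us-east-1.on.aws"]
CUSTOM_CERT_SANS = ["api.example.com"]           # certificate you attach to the distribution


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    name = san.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False  # a wildcard stands for exactly one label
    if name[0] == "*":
        # Require a multi-label suffix so "*.com"-style names never match.
        return len(name) > 2 and host[0] != "" and host[1:] == name[1:]
    return host == name


def cert_covers(hostname: str, sans: list[str]) -> bool:
    """True if any subjectAltName on the certificate is valid for hostname."""
    return any(san_matches(hostname, san) for san in sans)


def evaluate(origin_name: str) -> dict[str, bool]:
    """Check both hops for a distribution whose origin domain is origin_name."""
    return {
        # Viewer -> CloudFront: your own certificate, your own domain.
        "viewer_hop": cert_covers(VIEWER_DOMAIN, CUSTOM_CERT_SANS),
        # CloudFront -> origin: the Function URL's certificate is checked
        # against the name CloudFront was told to connect to.
        "origin_hop": cert_covers(origin_name, FUNCTION_URL_CERT_SANS),
    }


if __name__ == "__main__":
    for origin in (ROUTE53_ALIAS, FUNCTION_URL_HOST):
        result = evaluate(origin)
        status = "ok" if all(result.values()) else "origin TLS name mismatch"
        print(f"origin={origin}: {result} -> {status}")
```

The same mismatch appears if the viewer's `Host` header is forwarded to the origin, since the certificate is then compared against the custom domain rather than the Function URL hostname.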
0
Accepted Answer
answered a year ago
