Another option that might work (I haven't tried it myself) if the other suggestions aren't possible for some reason is to put the Lambda in a public subnet and attach an Elastic IP to its ENI. Since the VPC Lambda networking improvements of 2019/20 the ENIs are long-lived, but AWS still do not recommend doing this because the ENI could be deleted if unused for weeks, and could be supplemented by additional ENIs if there's high concurrency. This approach maybe could work if set up carefully.
When you place a Lambda function in a VPC to access resources like ElastiCache Serverless, you're correct that the function loses direct internet access and can't reach AWS services outside the VPC by default.
For accessing AWS services without using a NAT Gateway, AWS PrivateLink with interface VPC endpoints is the recommended approach. This allows your Lambda function to privately access AWS services without traversing the public internet.
You can create interface VPC endpoints for most of the services you mentioned:
- API Gateway
- Cognito
- Parameter Store (Systems Manager)
However, you're correct that CloudFront doesn't currently support VPC endpoints. For this specific service, you have limited options:
- Use a NAT Gateway (which you want to avoid)
- Consider an IPv6 approach - Lambda functions can make IPv6 outbound connections, and you could use an Egress-only Internet Gateway instead of a NAT Gateway
- Restructure your application to handle CloudFront interactions from components that aren't in the VPC
Using VPC endpoints for the supported services will help minimize your dependency on internet access. Interface endpoints are powered by AWS PrivateLink and are generally more cost-effective than NAT Gateways while providing secure private connectivity between your VPC and AWS services.
For your specific architecture, you could implement VPC endpoints for API Gateway, Cognito, and Parameter Store, then evaluate whether you can restructure the CloudFront interactions or if you'll need to use one of the alternative approaches for that specific service.
Sources
- Leverage VPC endpoints - Serverless Applications Lens
- Lambda in RDS VPC needs bi-directional inet access | AWS re:Post
- Configure Lambda without NAT for trigger API Gateway and use DocumentDB | AWS re:Post
- Connect your VPC to services using AWS PrivateLink - Amazon Virtual Private Cloud
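As an added illustration of the endpoint-based approach in the answer above (this is example code, not from the thread or from AWS), the following script audits a VPC for the three interface endpoints named there and creates any that are missing, with private DNS on and an endpoint policy that admits only the function's execution role. The region, VPC, subnet, security-group and role identifiers are placeholders, and the `ec2` argument is assumed to be a boto3 EC2 client.

```python
import json

# Short service names of the interface endpoints the answer above lists:
# API Gateway (execute-api), Cognito user pools (cognito-idp), Parameter Store (ssm).
REQUIRED_SERVICES = ("execute-api", "cognito-idp", "ssm")

def service_name(region, short):
    """Full PrivateLink service name, e.g. com.amazonaws.us-east-1.ssm."""
    return f"com.amazonaws.{region}.{short}"

def missing_endpoints(describe_output, region, required=REQUIRED_SERVICES):
    """Short names in `required` with no available interface endpoint in
    `describe_output` (the dict returned by ec2.describe_vpc_endpoints)."""
    present = {
        ep["ServiceName"] for ep in describe_output.get("VpcEndpoints", [])
        if ep.get("VpcEndpointType") == "Interface" and ep.get("State") == "available"
    }
    return [s for s in required if service_name(region, s) not in present]

def endpoint_policy(lambda_role_arn):
    """Endpoint policy allowing only the function's execution role, so other
    principals in the VPC cannot reach the service through this endpoint.
    Assumption: every service in REQUIRED_SERVICES accepts a custom policy."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": lambda_role_arn},
        "Action": "*", "Resource": "*"}]})

def create_missing(ec2, vpc_id, subnet_ids, sg_id, region, lambda_role_arn):
    """Create the missing endpoints in the Lambda's subnets, reachable only via
    `sg_id`, with private DNS so unchanged SDK calls resolve to the endpoint.
    `ec2` is a boto3 EC2 client (or any object with the same two methods)."""
    current = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    created = []
    for short in missing_endpoints(current, region):
        ec2.create_vpc_endpoint(
            VpcId=vpc_id, VpcEndpointType="Interface",
            ServiceName=service_name(region, short),
            SubnetIds=subnet_ids, SecurityGroupIds=[sg_id],
            PrivateDnsEnabled=True, PolicyDocument=endpoint_policy(lambda_role_arn),
        )
        created.append(short)
    return created

if __name__ == "__main__":
    import boto3  # placeholder IDs below; replace with your own
    print(create_missing(boto3.client("ec2", region_name="us-east-1"), "vpc-EXAMPLE",
                         ["subnet-EXAMPLE"], "sg-EXAMPLE", "us-east-1",
                         "arn:aws:iam::123456789012:role/lambda-exec-EXAMPLE"))
```

The endpoint security group passed as `sg_id` must allow inbound TCP 443 from the function's security group, or the endpoints will exist but the function still cannot reach them. Enabling private DNS on the execute-api endpoint makes public API Gateway APIs unreachable from inside the VPC, so only do that if every API the function calls is a private API.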
Yes, you can create Interface VPC Endpoints (AWS PrivateLink) for most of the services you mentioned, including:
- Amazon API Gateway (for private APIs)
- AWS Cognito
- AWS Systems Manager Parameter Store
These services support interface endpoints, allowing secure, private connectivity over the AWS network without using the public internet.
Regarding CloudFront: CloudFront does not support VPC endpoints directly because it's a global edge service that acts as a content delivery layer in front of your origin (e.g., ALB or S3).
However, if your CloudFront origin is:
- An Application Load Balancer (ALB) within a VPC
- Or an S3 bucket (with static website hosting disabled)
You can:
- Expose the origin using an Interface VPC Endpoint (PrivateLink)
- Set up a private DNS name using Route 53 that resolves to the VPC endpoint
- Configure CloudFront with a custom origin domain name that routes through the PrivateLink
This ensures that CloudFront communicates privately with your internal origin resources without traversing the internet.
Good idea Steve, but I'm afraid this is not supported. Lambda will not obtain a public IP in a public subnet. It has to reside in a private subnet with either Endpoints and/or NAT Gateways.
@Gary Mclean this does work, I tried it just now. You're correct that Lambda will not by default obtain a public IP in a public subnet, but as I said, you have to attach an Elastic IP to its ENI yourself. Once you do this, you have internet access for the lifetime of the ENI, which is largely out of your control but can be influenced by periodically triggering the function. As above, "This approach maybe could work if set up carefully" - no guarantees! :)