Using Lambda Interface Endpoint

0

If I were to have a VPC with 2 private subnets where my web servers are hosted, and I want to invoke a lambda function using a lambda interface endpoint, where should the lambda function itself be created? I have a security group that allows inbound traffic from the private web servers; should this security group be attached to the endpoint or to the lambda itself? (As in, is the connection to the private subnets under the function's VPC section required or not?)

I had tried attaching the SG to both endpoints and also the function (that is I connected the function to the private subnets in order to attach the SG), but the web servers still gave me 504 gateway time-out, with no logs of the function being run, so I assumed it is the lambda. I also do not see a route created from the endpoints in the private subnets, so I created them manually, not knowing if that matters or not (I removed it after realizing it is supposed to not have a route.). I tested the application hosted on a public subnet, and it should work just fine. There is also no log of invocation of the lambda when it should have, which I assume caused the timeout.

Any help on this will be appreciated. :)) I'm a beginner to AWS, btw.

3 Answers
1

How are you invoking the Lambda function from your web server? VPC endpoints are for accessing a service over a private connection from your VPC. For AWS services like Lambda, that means it's for accessing the service API. If you're calling your function directly via a Lambda API call then that can use the VPC endpoint, but if you're using an HTTPS (not API REST) endpoint like a Function URL, for example, it can't.

Calling the function directly via the Lambda API over a VPC Endpoint would work fine whether it's a VPC function or not. The function's Security Group has no impact on this whatsoever - its ingress rules aren't used because a function doesn't actually listen on any port, it gets invoked by the Lambda service with event data passed to it.

Regarding security groups on VPC endpoints, see https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html which says "The security group for the interface endpoint must allow communication between the endpoint network interface and the resources in your VPC that must communicate with the service. By default, the interface endpoint uses the default security group for the VPC. Alternatively, you can create a security group to control the traffic to the endpoint network interfaces from the resources in the VPC. To ensure that tools such as the AWS CLI can make requests over HTTPS from resources in the VPC to the AWS service, the security group must allow inbound HTTPS traffic."

EXPERT
answered a year ago
  • The function basically gets the bucketName input and a specific object from it, creates a zip version of it, then uploads it back to the bucket. I had tested the function using the same server deployed in public subnets, which works perfectly fine.

  • I would assume that it is not using HTTPS, as this is the code running in the server to invoke the function ($lambda is an Aws\Lambda\LambdaClient from the AWS SDK for PHP):

        // Build the event payload as JSON; json_encode escapes the values safely
        $payload = json_encode(array(
            'bucketName' => BUCKET_NAME,
            'fileName'   => $file_name
        ));
        $lambda_invoke_result = $lambda->invoke(array(
            // FunctionName is required
            'FunctionName'   => LAMBDA_FUNC_NAME,
            'InvocationType' => 'RequestResponse',
            'LogType'        => 'Tail',
            'Payload'        => $payload
        ));

    So I just need to set up a lambda interface endpoint in the private subnets where the web servers are running, with traffic inbound from those private servers only, right? I

  • It looks like you're on the right track. That function invocation should be able to use the Lambda VPC Interface Endpoint. It just needs to be in the same region as your web servers and in the same VPC (or in another VPC with network connectivity and its Private Hosted Zone associated with the web servers' VPC). The SG for the endpoint needs to allow HTTPS inbound from your web servers, though leaving it fully open temporarily until you get things working isn't a bad idea.
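Added example, not from this thread or from AWS: a Python check of the conditions the answer and its follow-up list (a Lambda service endpoint in the same region, private DNS enabled, an endpoint network interface in the web-server subnets, and an endpoint security group allowing TCP/443 from the web servers' SG or CIDRs), run over constructed data shaped like boto3 describe_vpc_endpoints / describe_security_groups output. All ids, subnets and CIDRs below are made up.

```python
from ipaddress import ip_network

def sg_allows_https_from(sg, src_sg_id, src_cidrs):
    """True if some ingress rule of sg covers TCP/443 from the web-server SG or CIDRs."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":          # "-1" means all protocols and ports
            continue
        if any(p.get("GroupId") == src_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
        for r in perm.get("IpRanges", []):
            allowed = ip_network(r["CidrIp"])
            if src_cidrs and all(ip_network(c).subnet_of(allowed) for c in src_cidrs):
                return True
    return False

def check_lambda_endpoint(endpoint, sgs_by_id, region, web_subnets, web_sg_id, web_cidrs):
    """Return a list of findings; an empty list means the endpoint should be usable."""
    findings = []
    if endpoint.get("ServiceName") != f"com.amazonaws.{region}.lambda":
        findings.append("endpoint is not the Lambda service for this region")
    if endpoint.get("VpcEndpointType") != "Interface":
        findings.append("not an interface endpoint")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: SDK calls to lambda.<region>.amazonaws.com "
                        "resolve to the public service IPs and will not use the endpoint")
    missing = sorted(set(web_subnets) - set(endpoint.get("SubnetIds", [])))
    if missing:
        findings.append(f"no endpoint network interface in web-server subnets {missing}")
    ep_sgs = [sgs_by_id.get(g["GroupId"], {}) for g in endpoint.get("Groups", [])]
    if not any(sg_allows_https_from(sg, web_sg_id, web_cidrs) for sg in ep_sgs):
        findings.append("no security group on the endpoint allows TCP/443 from the web servers")
    return findings

# Constructed sample data in the shape of describe_vpc_endpoints / describe_security_groups.
WEB_SG, ENDPOINT_SG = "sg-0aaa0web", "sg-0bbb0lambdaep"   # constructed ids
WEB_SUBNETS = ["subnet-0priv1", "subnet-0priv2"]
WEB_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
SAMPLE_ENDPOINT = {"ServiceName": "com.amazonaws.eu-west-1.lambda", "VpcEndpointType": "Interface",
                   "PrivateDnsEnabled": True, "SubnetIds": WEB_SUBNETS,
                   "Groups": [{"GroupId": ENDPOINT_SG}]}
SAMPLE_SGS = {ENDPOINT_SG: {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                               "UserIdGroupPairs": [{"GroupId": WEB_SG}], "IpRanges": []}]}}

def audit_sample():
    return check_lambda_endpoint(SAMPLE_ENDPOINT, SAMPLE_SGS, "eu-west-1", WEB_SUBNETS, WEB_SG, WEB_CIDRS)
```

An empty result from audit_sample() means the constructed endpoint satisfies every condition; each string in a non-empty result names one thing the 504 in the question could be coming from.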

0

Hi,

If you create the lambda in the same VPC as the workloads, then you do not need the interface endpoints.

If the lambda is created in another VPC, the VPCs should be connected via VPC peering or a transit gateway, and a VPC interface endpoint should be used.

If the lambda is not in any customer-defined VPC, then you still need an interface endpoint.

Hope it helps ;)

EXPERT
answered a year ago
0

Hi,

I am not sure what the use case w.r.t. lambda in your app is. But here are the options:

a. Invoke Lambda functions from EC2 instances

For this scenario, you would need to do the following,

  1. Assuming the EC2 instances already have an instance profile created, create an IAM policy (inline/customer managed) to invoke Lambda functions
  2. Add the IAM policy as mentioned in this link - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy.html

b. Invoke ec2 hosted apps from Lambda

  1. Create security group for lambda
  2. Add the EC2 CIDR or security group id and the appropriate port as an outbound rule, to access the app from Lambda. Lambda outbound SG rule: app protocol, app port, EC2 SG id or CIDR block, description
  3. Add the Lambda security group id to the EC2 instances' security group as an inbound rule, to allow traffic from Lambda. EC2 inbound SG rule: app protocol, app port, Lambda SG id, description

Note:

  1. Lambda can be configured with or without VPC.
  2. In case of a lambda without VPC config, EC2 endpoints are required to contact an app hosted in EC2 instances (within private subnets)
  3. In case of a lambda with VPC config, endpoints are not needed. However, the lambda should be configured with an IAM execution role as per the steps mentioned here under the section 'Create Execution Role for Lambda' - https://repost.aws/knowledge-center/lambda-dedicated-vpc
answered a year ago
