Restricting IPs for Lambda functions connected to VPCs
A customer has Lambda functions connected to a VPC, which has connectivity (either DirectConnect/VPN) back to his on-prem resources.
He is using the Lambda functions to make an API call back to his on-prem resources but has been advised by his Security Team that the allowlisting fw rules on the target side (on-prem) should not be too broad. As such, ideally he will want to allowlist just a single PRIVATE IP.
Typically, if the Lambda functions are connected to the private subnet in a VPC and make use of a NAT gateway to traverse the public internet, they can just allowlist the NAT gateway public IP.
However, in his case - since his API calls from Lambda will make use of DirectConnect/VPN back to his on-prem resources, what other advice can we provide him that will satisfy his Security Team?
AFAIK, since the ENIs associated with the Lambda functions in a VPC are not static and the Lambda functions can use any IP within the subnet range, do we have any other options apart from using the smallest /28 private subnet for his Lambda and allowlisting that range?
- Newest
- Most votes
- Most comments
You should have a small subnet and allowlist the range of that subnet. You will actually need at least two of those small subnets as we always recommend to attach the function to at least two AZs.
Relevant content
- asked 11 days ago
- Accepted Answerasked a year ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
