Restricting IPs for Lambda functions connected to VPCs


A customer has Lambda functions connected to a VPC, which has connectivity (either DirectConnect/VPN) back to his on-prem resources.

He is using the Lambda functions to make an API call back to his on-prem resources but has been advised by his Security Team that the allowlisting fw rules on the target side (on-prem) should not be too broad. As such, ideally he will want to allowlist just a single PRIVATE IP.

Typically, if the Lambda functions are connected to the private subnet in a VPC and make use of a NAT gateway to traverse the public internet, they can just allowlist the NAT gateway public IP.

However, in his case - since his API calls from Lambda will make use of DirectConnect/VPN back to his on-prem resources, what other advice can we provide him that will satisfy his Security Team?

AFAIK, since the ENIs associated with the Lambda functions in a VPC are not static and the Lambda functions can use any IP within the subnet range, do we have any other options apart from using the smallest /28 private subnet for his Lambda and allowlisting that range?

asked 2 years ago57 views
1 Answer
Accepted Answer

You should have a small subnet and allowlist the range of that subnet. You will actually need at least two of those small subnets as we always recommend to attach the function to at least two AZs.

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions