Lambda function URL: timeout when requested from a server


Hello,

I have a Lambda function which is exposed using a function URL. That works great. I can access the https://long-id.lambda-url.eu-west-2.on.aws/

I wanted to use a custom domain for it and since Lambda does not natively support doing that, I used a CDN to proxy requests from my-domain.com to it. Again, so far, so good. Works great.

However, this afternoon I noticed requests from certain CDN edge PoPs resulting in a 502. They would try to connect to the Lambda (using the function URL) but would time out after, say, 10 seconds. That was confirmed by the CDN support guys. They logged in to one of their PoPs, in the UK, did their own curl request from that server to https://long-id.lambda-url.eu-west-2.on.aws/ ... and it timed out after 10 seconds. They connected to another PoP, in France, did the same request to https://long-id.lambda-url.eu-west-2.on.aws/ ... and it worked perfectly.

The failed requests don't appear in the Lambda logs and the Lambda itself works fine when connected to directly. The Lambda is not in a VPC, there is no WAF, or security group, or any way to control access to it. It's a public function URL. So I have no way to approve an IP/range.

The question is why requests from certain IPs are timing out ...

Their theory is that some of their IPs (for example their PoP in the UK) are being blocked by AWS. I wasn't sure, since I would assume a blocked request would get back e.g. a 403 immediately from AWS. But maybe not responding at all is part of its automated protection measures? Like if it thinks the IP is a bot and, trying to be helpful, it's just absorbing the request (thinking that's what I would want to happen). But it seems odd it would work fine for months (same request, from same IP) ... then randomly stop/block this afternoon only.

So ...

  1. Is this a known issue with Lambda function URLs? Does AWS silently block/drop requests to public Lambda function URLs (maybe with some AI/WAF) trying to be helpful? The volume is tiny so it wouldn't trigger any DDoS-type triggers, but the requests are automated. So that seems possible and perhaps would not be revealed to end-users by just not responding at all.

  2. Was there any network issue in eu-west-2 (UK) today, Monday 4th December, that could cause it? For example I noticed the first timeout at 2023-12-04 15:22:16. It seemed to start timing out around then. Requests prior to that were fine.

  3. Can AWS itself allow-list IPs (in this case a CDN's PoPs) to call Lambda function URLs?

  4. My other thought was using AWS's own CDN, CloudFront, to provide the Lambda with a custom domain (so I can still use my-domain.com) ... as presumably AWS's own CDN PoPs would always be allowed by AWS Lambda's function URLs. But ... that adds to the cost. So (if it's not the issue) I'd prefer to avoid that.

Thanks!

greg
asked 5 months ago · 206 views
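The post never settles whether the failing PoP is being dropped at the network layer or rejected by something in front of the function. The script below is an added diagnostic (editor's example, not code from the poster or from AWS) that makes that distinction explicit: it runs the same curl the CDN support staff ran, but records where the request stalled (TCP handshake, TLS handshake, or waiting for the HTTP response) and which endpoint IP the host resolved, then prints a verdict. The URL is the same placeholder the post uses; the timeouts are assumptions chosen to match the ~10 s the poster observed. Run it on the UK PoP and on the French PoP and diff the output.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post.
# Tells a silent drop apart from an explicit rejection when a request to a
# Lambda function URL fails. Run from the suspect CDN PoP and from a known
# good host, then compare. URL below is the post's placeholder, not a real ID.

set -u

URL="${1:-https://long-id.lambda-url.eu-west-2.on.aws/}"
CONNECT_TIMEOUT=5   # assumption: seconds to wait for the TCP handshake
MAX_TIME=10         # assumption: whole-request budget, matches the ~10 s seen

# curl prints 0.000000 for a timing phase that never completed.
is_zero() { awk -v v="$1" 'BEGIN { exit !(v + 0 == 0) }'; }

# classify CURL_EXIT HTTP_CODE TIME_CONNECT TIME_APPCONNECT
# Prints "verdict: reason" on one line.
classify() {
  rc=$1; code=$2; t_connect=$3; t_tls=$4
  case "$rc" in
    0)
      case "$code" in
        2*|3*) echo "ok: function answered with HTTP $code" ;;
        403)   echo "rejected: explicit 403, the request was denied, not dropped" ;;
        5*)    echo "server-error: HTTP $code returned, the connection itself was fine" ;;
        *)     echo "unexpected: HTTP $code" ;;
      esac ;;
    28)
      # Exit 28 is curl's timeout; the timings say which phase stalled.
      if is_zero "$t_connect"; then
        echo "tcp-timeout: SYN never answered; network path or a drop before TLS"
      elif is_zero "$t_tls"; then
        echo "tls-timeout: TCP connected but the TLS handshake stalled"
      else
        echo "http-timeout: TLS done, no HTTP response within ${MAX_TIME}s"
      fi ;;
    6)  echo "dns-failure: could not resolve the function URL hostname" ;;
    7)  echo "connect-refused: host reachable but refused the connection" ;;
    *)  echo "curl-error: exit $rc" ;;
  esac
}

# probe: one request, then classify it. Also prints the resolved endpoint IP
# so PoPs that resolve the hostname differently can be compared.
probe() {
  rc=0
  out=$(curl -sS -o /dev/null \
        --connect-timeout "$CONNECT_TIMEOUT" --max-time "$MAX_TIME" \
        -w '%{http_code} %{time_connect} %{time_appconnect} %{remote_ip}' \
        "$URL" 2>/dev/null) || rc=$?
  # shellcheck disable=SC2086
  set -- $out
  printf 'remote_ip=%s\n' "${4:-unknown}"
  classify "$rc" "${1:-000}" "${2:-0}" "${3:-0}"
}

# Probe only when a URL is passed on the command line.
if [ "${1:-}" != "" ]; then probe; fi
```

A `tcp-timeout` from one PoP and an `ok` from another, against the same `remote_ip`, points at the network path between that PoP and the regional endpoint rather than at anything the function or its URL is doing; a `403` would be the explicit rejection the poster expected from a block. Note also that a function URL itself offers only two auth types, NONE and AWS_IAM, and no IP allow list, so if the proxy's source addresses must be the only callers, the control is IAM-signed requests from the proxy, not an IP range.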
No Answers
