If you don't use any authn/authz, going with Lambda fURLs can be a good idea. You will need to use CloudFront in front of it if you want to expose a custom domain name for your function. If the responses from your function can be cached, adding a CloudFront distribution can reduce the cost as you may have fewer invocations.
You're on the right track with your thinking, and there are indeed some advantages to using Lambda Function URLs with CloudFront over using an Application Load Balancer (ALB). However, there are also some considerations to keep in mind.
Using CloudFront with Lambda Function URLs can offer several benefits:
- Cost reduction: As you mentioned, Lambda Function URLs are free, which could lead to cost savings compared to using an ALB.
- Improved latency: CloudFront's global content distribution network can help reduce latency for users around the world, potentially improving your application's performance.
- Enhanced security: CloudFront with Origin Access Control (OAC) can provide an additional layer of security by restricting direct access to your Lambda function URL.
- DDoS protection: You'll receive AWS Shield Standard protection at no additional charge when using CloudFront.
- Simplified architecture: Removing the ALB can simplify your infrastructure.
However, there are some potential downsides or limitations to consider:
- Limited advanced features: ALB offers some features that Function URLs don't, such as advanced routing, content-based routing, and integration with AWS WAF.
- Authentication limitations: While Function URLs support AWS IAM authentication, ALB offers more authentication options, including integration with Amazon Cognito.
- HTTP method restrictions: When using CloudFront with Function URLs, there are currently limitations with non-GET HTTP methods (like POST, PATCH, PUT) if you want to keep the function URL protected. This is because these methods require signed requests, which external users typically can't provide.
- Monitoring and metrics: ALB provides more detailed metrics and logging options compared to Function URLs.
- Multi-function routing: If your application requires routing to multiple Lambda functions based on path or other criteria, an ALB might be more suitable.
Given your current setup handling a billion requests per month, it's crucial to carefully evaluate these trade-offs. If your application primarily uses GET requests and doesn't require advanced routing or authentication features, the CloudFront + Function URL approach could be beneficial. However, if you rely on features provided by ALB or need more flexibility with HTTP methods, you might want to stick with your current setup.
Remember to thoroughly test any changes to your architecture, especially considering your high traffic volume. You may also want to consider a gradual migration to assess the impact on your application's performance and cost.
Sources
Select a method to invoke your Lambda function using an HTTP request - AWS Lambda
Secure your Lambda function URLs using Amazon CloudFront origin access control | Networking & Content Delivery
Community | Enhancing security for Lambda function URLs
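The answer above mentions using CloudFront OAC to restrict direct access to the function URL. As an added example (not part of the original answer or AWS's own code), this sketch audits a function URL's `AuthType` and resource policy to confirm that invocation is pinned to one CloudFront distribution. The ARNs, Sids and policy documents are constructed placeholders, and `audit_function_url` is a hypothetical helper name.

```python
import json

CLOUDFRONT = "cloudfront.amazonaws.com"
INVOKE = {"lambda:invokefunctionurl", "lambda:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(condition):
    """Collect aws:SourceArn values from any operator (condition keys are case-insensitive)."""
    return [arn for operands in condition.values() for key, value in operands.items()
            if key.lower() == "aws:sourcearn" for arn in _as_list(value)]

def audit_function_url(auth_type, policy_json, distribution_arn):
    """Findings for AuthType and the resource policy only; identity policies are out of scope."""
    findings = []
    if auth_type != "AWS_IAM":
        findings.append(f"AuthType is {auth_type}: unsigned requests reach the function directly")
    scoped = False
    for st in json.loads(policy_json).get("Statement", []):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not actions & INVOKE:
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append(f"{sid}: wildcard principal can invoke the URL")
        elif CLOUDFRONT in _as_list(principal.get("Service", [])):
            if _source_arns(st.get("Condition", {})) == [distribution_arn]:
                scoped = True
            else:
                findings.append(f"{sid}: CloudFront grant is not pinned to the expected distribution")
    if not scoped:
        findings.append("no statement limits invocation to the expected distribution")
    return findings

# Constructed sample data (placeholder account ID, function name and distribution ID).
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"
FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:example-fn"
PUBLIC_POLICY = json.dumps({"Statement": [{
    "Sid": "PublicUrl", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})
OAC_POLICY = json.dumps({"Statement": [{
    "Sid": "AllowCloudFront", "Effect": "Allow", "Principal": {"Service": CLOUDFRONT},
    "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": DIST_ARN}}}]})

if __name__ == "__main__":
    for name, auth, pol in [("public", "NONE", PUBLIC_POLICY), ("oac", "AWS_IAM", OAC_POLICY)]:
        print(name, audit_function_url(auth, pol, DIST_ARN) or "OK")
```

In practice the two inputs would come from the function's URL configuration and its resource policy; an `ArnLike` pattern containing a wildcard is reported as not pinned because the check requires an exact match.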
Thanks Uri. I just realized that while function URLs are free, CloudFront still charges a per-request cost ($1/million requests).
A billion requests on current ALB setup is around $350. CloudFront will cost $1000 for a billion requests (ignoring data transfer cost). So this won't actually save money.
Also, if your requests include POSTs or PUTs that send data to the Lambda function, the inbound traffic directly from users to an ALB is free. With CloudFront, data transfer from a user to a CloudFront edge node is also free, but the outbound traffic needed from the CloudFront edge node towards the target resource, such as a Lambda execution URL or an ALB, is charged as outbound traffic towards that region. That would likely make the CloudFront alternative even more expensive in your use case.