
Connection between Lambda and Cognito over the Internet

0

I have a Lambda, API Gateway and Cognito setup where requests are sent to the API Gateway URL

https://<id>.execute-api<region>.amazonaws.com/dev/user

The API Gateway forwards the request to the specific Lambda based on the resource. In the index of my Lambda function I set up a connection with Cognito public endpoints, which I believe is set up over the internet. I deploy the Lambda function in a subnet with a NAT gateway attached, as Lambda functions never get assigned public IP addresses; they only get a private IP address from the ENI created for them by the Lambda service.

1- Is it possible to replace the NAT gateway with an IGW for requests destined for 0.0.0.0/0, as in the index function of my Lambda function I establish a connection with Cognito public endpoints?

2- Is there another solution which is more cost-efficient than using a NAT gateway? I have searched for VPC endpoints for Cognito but there are none.

Note

When sending requests to the API Gateway URL, i.e. https://<id>.execute-api<region>.amazonaws.com/dev/user, while the subnet where the Lambda is deployed has an IGW attached for traffic destined for the internet, I get a timeout; when using NAT the request is successful.

2 Answers
1

When you deploy a Lambda function in a VPC, it only receives private IP addresses and cannot directly access the internet, even if the subnet has an Internet Gateway (IGW) attached. This is why you're experiencing timeouts when trying to use an IGW.

To answer your questions:

  1. No, you cannot replace the NAT Gateway with an IGW for Lambda functions in a VPC. Lambda functions in a VPC can only use private IP addresses and cannot be directly attached to an IGW, which requires public IP addresses. This is why your requests time out when using an IGW but succeed with a NAT Gateway.

  2. There are a few more cost-efficient alternatives to NAT Gateways:

  • IPv6 approach: If Cognito supports IPv6 (you'd need to check if it has AAAA DNS records), you could configure your VPC with dual-stack subnets and use an Egress-Only Internet Gateway (EIGW) instead of a NAT Gateway. This doesn't incur the fixed hourly costs or data processing fees of a NAT Gateway.

  • Interface VPC Endpoints (AWS PrivateLink): While there isn't a direct VPC endpoint for Cognito, you could restructure your application to handle Cognito interactions from components that aren't in the VPC.

  • Lambda router: You could have a Lambda function outside the VPC that handles Cognito interactions and communicates with your VPC-based Lambda functions.

The most common and straightforward solution is to use a NAT Gateway, but it does come with fixed hourly costs and data processing fees. If your traffic volume is low, the IPv6 approach with an Egress-Only Internet Gateway might be the most cost-effective alternative if Cognito supports IPv6.
Sources
Connecting Lambda inside a VPC to resources outside a VPC | AWS re:Post
NAT Gateway for outbound request | AWS re:Post

answered a year ago
AWS
EXPERT
reviewed 10 months ago
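For the IPv6 / Egress-Only Internet Gateway option described in the answer above, here is an added Terraform sketch (not from the answer or from AWS) of the dual-stack subnet, the EIGW default route and the locked-down security group a VPC-attached Lambda needs to reach an IPv6 endpoint without a NAT Gateway. Resource names, CIDRs, the `var.lambda_role_arn` variable (assumed to be declared elsewhere) and the deployment package are assumptions, and the setup only helps for endpoints that publish AAAA records, which the answer says to verify first.

```hcl
resource "aws_vpc" "main" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true # Amazon-provided /56 for the VPC
}

resource "aws_subnet" "lambda" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 1) # one /64
  assign_ipv6_address_on_creation = true # the Lambda ENI gets a GUA, no public IPv4 needed
}

# An EIGW is outbound-only: hosts on the internet cannot initiate connections to the ENI.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "lambda" {
  vpc_id = aws_vpc.main.id
  route {
    ipv6_cidr_block        = "::/0" # IPv6 default route via the EIGW; no IPv4 default route at all
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }
}
resource "aws_route_table_association" "lambda" {
  subnet_id      = aws_subnet.lambda.id
  route_table_id = aws_route_table.lambda.id
}

# Least-privilege egress: HTTPS only, IPv6 only, and no inbound rules.
resource "aws_security_group" "lambda" {
  vpc_id = aws_vpc.main.id
  egress {
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_lambda_function" "user" {
  function_name = "user-handler"      # assumed name
  role          = var.lambda_role_arn # assumed: execution role allowed to manage VPC ENIs
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  filename      = "user.zip"          # assumed deployment package
  vpc_config {
    subnet_ids                  = [aws_subnet.lambda.id]
    security_group_ids          = [aws_security_group.lambda.id]
    ipv6_allowed_for_dual_stack = true # let the function actually use the subnet's IPv6 address
  }
}
```

Because the route table has no 0.0.0.0/0 route, anything in the function that still resolves only to IPv4 will time out exactly as the IGW attempt did, so test every outbound dependency, not just Cognito.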
0
Accepted Answer

The IPv6 solution worked for me.

answered a year ago
AWS
SUPPORT ENGINEER
reviewed 10 months ago
AWS
EXPERT
reviewed 10 months ago
