- Newest
- Most votes
- Most comments
Using a Lambda function to connect to the internet (from within a VPC) without NAT Gateway or a NAT instance is not supported.
Note that you can choose not to associate the Lambda function with a VPC - it will have direct internet access then.
Is there some other reason for using the Lambda function in a VPC? One option I've seen other customers use is to decouple the Lambda functions - have one that accesses APIs/data on the internet; and another to access private resources.
Hi,
Maybe the Lambda URLs would be a good solution for your use case:
- see documentation https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html
- see announcement blog post https://aws.amazon.com/blogs/aws/announcing-aws-lambda-function-urls-built-in-https-endpoints-for-single-function-microservices/
This is only possible if you Lambda is called from the Internet to answer some requests and not if it needs to connect to other services on the Internet to get some data. I was unsure of what you mean by "am connecting to the internet using NAT"
Hope it helps!
Didier
Thanks for your help. As suggested by Brettski-AWS, I will make the changes.
Relevant content
- Accepted Answerasked a year ago
- Accepted Answerasked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 years ago
Thank you for your response.
I will not associate Lambda function with a VPC
I couldn't identify any specific technical reasons for exclusively supporting NAT gateway or NAT instance without including an Internet Gateway. Is this intentional to prevent incoming access?
An internet gateway exists to provide your VPC with access to the "outside world" (the internet for all intents and purposes). It's designed for session that are initiated from outside the VPC to resources in the VPC (those with a public or Elastic IP); and also for those resources to initiate sessions from within the VPC to the rest of the world. A NAT Gateway is designed to do many:1 address translation - that is, allow many internal (to the VPC) resources to appear to come from a single IP address. And as you've mentioned, it is for session initiated from with the VPC; not the other way around. While you can have a private NAT Gateway (i.e. one without an internet gateway), the majority of use cases involve both together.
It turns out it is possible! By assigning an IP to the ENI created by Lambda, you can use an Internet Gateway instead of a NAT Gateway.
Be careful with that solution. EIPs or public IPs aren't assigned to Lambda ENIs automatically for a reason. The ENI may change at any time (for example, if there are no Lambda executions for a period of time). When the new ENI is created it won't have an Elastic/Public IP assigned.