Accessing Lambda function through a Site-to-Site VPN tunnel by static IP


Hello AWS users and advocates!

Context:

  • I am using AWS Lambda + API Gateway for my web service, the Lambda is in a VPC
  • I am trying to integrate with a 3rd party that requires a secure host-to-host connection between services (VPN tunnel)
  • The 3rd party integration is built as a webhook; the 3rd party will notify my service when certain events happen on their end
  • The expectation from the 3rd party is that the webhook/service should be accessible via HTTP/S and available behind a single static IP address. For example, if the static IP inside the VPC is 10.0.10.1, the port is 9999, and the webhook path is /webhook, the 3rd party's service should be able to reach the webhook via http://10.0.10.1:9999/webhook once connected to the tunnel

What I've done so far:

  • Set up a Site-to-Site VPN connection between the Lambda's VPC and the 3rd party network (done)
  • Expose the Lambda function through private IP: This is the part I'm unsure about; I have tried to set up a VPC Endpoint for Lambda, but from what I've read elsewhere, this would not allow the Lambda function to be reached over HTTP

How can this be done?

Thanks

1 Answer

You can't trigger a Lambda function directly from a network call - the event that triggers Lambda has to come from a separate service (mostly). The exception here is Lambda function URLs, but because they aren't available in a VPC we can discount them as a solution in this case.

What you can do though is create a private API using API Gateway which will be in your VPC and from there it can trigger the Lambda function.

AWS EXPERT, answered 6 months ago
  • Thank you for the quick response; from the documentation linked, I can see that the private API will be accessible via DNS at "https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}" or "https://<vpce-id>.execute-api.<region>.vpce.amazonaws.com" depending on whether private DNS is enabled.

    Is there a way to then expose this API behind a static IP address, such as with an Elastic IP Address?

  • There's probably a way to do that (using a public-facing NLB) - I haven't tested it but I wouldn't recommend it. In this case (using a Site-to-Site VPN) the traffic will all be private and the private API Gateway will have a static private IP address.
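The private-API pattern from the answer, as an added example that is not the answerer's code: a Python helper that builds the resource policy a private REST API needs (a private API cannot be deployed without an aws:SourceVpce condition) and an offline approximation of how API Gateway evaluates it, so the trust boundary can be checked before deployment. The VPC endpoint ID and the peer CIDR are constructed placeholders, not values from the question.

```python
import ipaddress

# Constructed example values, not from the question; substitute real IDs.
VPCE_ID = "vpce-0123456789abcdef0"   # execute-api interface endpoint in the Lambda's VPC
PEER_CIDRS = ["192.168.50.0/24"]     # 3rd-party range reachable over the Site-to-Site VPN


def build_private_api_policy(vpce_id, peer_cidrs):
    """Resource policy for a PRIVATE REST API: allow invokes only when they
    arrive through our VPC endpoint *and* come from the VPN peer's range,
    and explicitly deny anything that did not enter via that endpoint."""
    invoke = {"Principal": "*", "Action": "execute-api:Invoke", "Resource": "execute-api:/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", **invoke,
             "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id},
                           "IpAddress": {"aws:VpcSourceIp": list(peer_cidrs)}}},
            {"Effect": "Deny", **invoke,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


def _conditions_match(cond, source_vpce, ip):
    """Evaluate the two condition keys used above (other keys are ignored)."""
    if source_vpce != cond.get("StringEquals", {}).get("aws:SourceVpce", source_vpce):
        return False
    if source_vpce == cond.get("StringNotEquals", {}).get("aws:SourceVpce", object()):
        return False
    cidrs = cond.get("IpAddress", {}).get("aws:VpcSourceIp", [])
    return not cidrs or any(ip in ipaddress.ip_network(c) for c in cidrs)


def is_invoke_allowed(policy, source_vpce, vpc_source_ip):
    """Offline approximation of the evaluation API Gateway performs:
    a matching explicit Deny wins; otherwise a matching Allow is required."""
    ip = ipaddress.ip_address(vpc_source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        if not _conditions_match(stmt.get("Condition", {}), source_vpce, ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Over the VPN the request reaches the endpoint with the peer's private source address, which is what aws:VpcSourceIp is matched against; the endpoint's security group must also permit TCP 443 from that range or the call never reaches the policy.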
