1 Answer
Hi,
I would suggest having Lambdas outside your VPC and letting those Lambdas do the repository accesses over the Internet based on their default configuration:
see https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html
**By default, Lambda functions have access to the public internet.**
This is not the case after they have been configured with access to one of your VPCs. If you continue to need access to resources on the internet, set up a NAT instance or Amazon NAT Gateway. Alternatively, you can also use VPC endpoints to enable private communications between your VPC and supported AWS services.
They will act as a proxy to your ECS containers: those containers will use the Lambda invoke() API to request access to a given repo. The Lambda will store the content of the repo in an S3 bucket that your ECS instances can access securely via an additional service endpoint.
If this is your only use of NAT, you can then suppress use of NAT and Internet Gateway to reduce your costs as expected.
Additional benefit: better security posture since your VPC is now fully closed.
Best,
Didier
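A sketch of the proxy pattern described in the answer above, added here as an example and not code from the original post: the Lambda outside the VPC fetches a repository archive over the Internet and writes it to S3, and an ECS-side helper invokes it. Because this Lambda becomes the closed VPC's only route to the Internet, the example adds an allowlist check so callers cannot make it fetch arbitrary URLs; the prefixes, bucket and function name are hypothetical, and `fetch`, `put_object` and `invoke` are injectable so the logic can be exercised without AWS credentials.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed values: the only archive locations ECS tasks may ask for, and the
# bucket the tasks read through their S3 VPC endpoint (all hypothetical).
ALLOWED_REPO_PREFIXES = ("https://github.com/example-org/",)
BUCKET = "example-repo-cache"
FUNCTION_NAME = "repo-fetch-proxy"

def validate_repo_url(url):
    """The Lambda is the closed VPC's only path to the Internet, so it must not
    fetch arbitrary URLs on a caller's behalf: HTTPS and an allowed prefix only."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    return any(url.startswith(prefix) for prefix in ALLOWED_REPO_PREFIXES)

def s3_key_for(url):
    """Deterministic object key, so callers know where to read the content."""
    parsed = urlparse(url)
    return "repos/" + parsed.netloc + "/" + parsed.path.strip("/")

def lambda_handler(event, context=None, *, fetch=None, put_object=None):
    """Lambda (outside the VPC): fetch the archive and store it in S3.
    fetch and put_object are injectable for tests; defaults use urllib and boto3."""
    url = event.get("repo", "")
    if not validate_repo_url(url):
        return {"statusCode": 403, "error": "repository not allowed"}
    if fetch is None:
        fetch = lambda u: urllib.request.urlopen(u, timeout=30).read()
    if put_object is None:
        import boto3  # present in the Lambda runtime
        s3 = boto3.client("s3")
        put_object = lambda key, body: s3.put_object(Bucket=BUCKET, Key=key, Body=body)
    data = fetch(url)
    key = s3_key_for(url)
    put_object(key, data)
    return {"statusCode": 200, "bucket": BUCKET, "key": key, "bytes": len(data)}

def request_repo(url, invoke=None):
    """ECS side: ask the Lambda for a repository. invoke is injectable for tests
    and defaults to boto3 Lambda invoke (reached through a Lambda VPC endpoint)."""
    if invoke is None:
        import boto3
        client = boto3.client("lambda")
        invoke = lambda payload: client.invoke(
            FunctionName=FUNCTION_NAME, Payload=payload)["Payload"].read()
    return json.loads(invoke(json.dumps({"repo": url}).encode()))
```

The ECS task then reads `bucket`/`key` from the returned payload over the S3 VPC endpoint, so neither side needs NAT or an Internet Gateway.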
Hi, Thank you for sharing the approach, but it will add complexity in my arch.