What is the underlying reason for Lambda's ENI not acquiring a public IP in a public subnet

0

Hi!

When working with VPC resources with Lambda, the suggestion for keeping Internet access is to configure a NAT Gateway

If you continue to need access to resources on the internet, set up a NAT instance or Amazon NAT Gateway.

However, it seems possible to attach an EIP to the Elastic Network Interface that the Lambda service creates when configured to access a VPC.

I would have thought that this procedure would have been explicitly prevented. Still, it makes me wonder what the actual reason is that the ENI a Lambda creates would not obey the "Auto-assign public IPv4 address" setting of the subnet that the ENI resides in. Does attaching an EIP to a Lambda-managed ENI somehow carry less of a security risk than letting the ENI pick up a public IP based on the subnet's configuration?

I do acknowledge that the EIP solution is a bit kludgey (you have to go look for the ENI after Lambda deployment, etc.), but something like this being possible just opens the can of questions more :)

Best Regards,

Kimmo

2 Answers
0

My guess is that the main premise of deploying Lambda in VPC is to access resources (EC2 and RDS) in the VPC.
Since public IP addresses are not needed for communication within the VPC, I suspect that Lambda ENIs are not automatically set to a public IP even if public IP auto-assignment for the subnet is enabled.

Also, as for why you can set a public IP with an Elastic IP on Lambda's ENI: there may be some VPCs in your environment that only have public subnets.
I believe the reason for this is that it is not possible to tie a NAT Gateway to a public subnet and set it as the default route.
So I thought it was more of a security issue or something that could be configured to suit the environment.

EXPERT
answered a year ago
  • A "public subnet" is a subnet with a route to the internet via an internet gateway. To access from private IPs, you need a NAT.

0

Lambda functions are short-lived tasks, up to a maximum of 15 minutes.

If every task that spun up, which could be hundreds, consumed a public IP, it would diminish a pool very quickly.

Plus, if you want Lambda accessible from the internet, you would place it behind something like an API Gateway.

If Lambda had a public IP, by the time it had come up and was accessible on the internet via a DNS name, there would be no chance for something on the internet to actually connect to it, especially since each time a task started its IP address would be different.

I see no reason why a Lambda function would ever need a public IP, and so it's designed in this way.

Internet access, if needed, can be achieved via a NAT Gateway.

EXPERT
answered a year ago
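The thread's concern, from the defender's side, is spotting the condition the question describes: a public IPv4 address (auto-assigned or an attached EIP) sitting on a Lambda-managed ENI. The following is an added example, not code from the thread or from AWS; it assumes the JSON shape returned by `aws ec2 describe-network-interfaces`, that Lambda-managed ENIs report `InterfaceType` "lambda" or a `Description` beginning "AWS Lambda VPC ENI", and that an EIP association carries an `AllocationId` while an auto-assigned address does not. The sample data is constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-interfaces` output.
# eni-0aaa111: Lambda ENI with an EIP attached (the kludge from the question).
# eni-0bbb222: Lambda ENI in a private subnet, no public address.
# eni-0ccc333: ordinary EC2 ENI with an auto-assigned public IP (not Lambda's).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa111", "InterfaceType": "lambda",
     "Description": "AWS Lambda VPC ENI-my-func-00000000-0000-0000-0000-000000000001",
     "SubnetId": "subnet-pub1",
     "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "123456789012",
                     "AllocationId": "eipalloc-0abc", "AssociationId": "eipassoc-0abc"}},
    {"NetworkInterfaceId": "eni-0bbb222", "InterfaceType": "lambda",
     "Description": "AWS Lambda VPC ENI-my-func-00000000-0000-0000-0000-000000000002",
     "SubnetId": "subnet-priv1"},
    {"NetworkInterfaceId": "eni-0ccc333", "InterfaceType": "interface",
     "Description": "bastion primary", "SubnetId": "subnet-pub1",
     "Association": {"PublicIp": "203.0.113.20", "IpOwnerId": "amazon"}}
  ]
}
""")


def is_lambda_eni(eni):
    """True when the ENI is one the Lambda service created for VPC access."""
    return (eni.get("InterfaceType") == "lambda"
            or eni.get("Description", "").startswith("AWS Lambda VPC ENI"))


def exposed_lambda_enis(describe_output):
    """Return Lambda-managed ENIs that currently hold a public IPv4 address.

    via_eip is True when the address is an Elastic IP association (has an
    AllocationId) rather than a subnet auto-assigned address.
    """
    findings = []
    for eni in describe_output.get("NetworkInterfaces", []):
        if not is_lambda_eni(eni):
            continue
        assoc = eni.get("Association") or {}
        public_ip = assoc.get("PublicIp")
        if not public_ip:
            continue
        findings.append({"eni": eni["NetworkInterfaceId"],
                         "subnet": eni.get("SubnetId"),
                         "public_ip": public_ip,
                         "via_eip": "AllocationId" in assoc})
    return findings


if __name__ == "__main__":
    for f in exposed_lambda_enis(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['eni']} in {f['subnet']} has public IP {f['public_ip']} "
              f"({'EIP' if f['via_eip'] else 'auto-assigned'})")
```

Feed the real output of `aws ec2 describe-network-interfaces` to `exposed_lambda_enis` to run the same check against an account.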
