How can I securely call a Python FastAPI deployed as a Lambda function, located inside a VPC, from an ECS frontend

0

How can I securely call a Python FastAPI deployed as a Lambda function, located inside a VPC, from an ECS frontend app also within the same VPC? Additionally, I want to use the function URL instead of an API Gateway to avoid the 30-second timeout limitation for specific endpoints. What steps do I need to follow to achieve this setup while maintaining the Lambda function's private accessibility within the VPC?

4 Answers
1

First, invoking a Lambda function is always done using the public invoke API. Lambda has no way to limit the invocation from within a VPC only. When you attach a function to a VPC it only means that the network traffic originated by the Lambda function is sent inside the VPC.

Second, when you create a Lambda Function URL you actually create a public endpoint. This means that your ECS task will need to access the internet in order to invoke it (either by giving it internet access or by using a NAT gateway). You can protect the endpoint with IAM, so your task will need the appropriate IAM Role to invoke it.

Other options were mentioned above: use the Lambda Invoke API directly from the ECS task (you will need a Lambda VPC endpoint to access that API), use a private REST API Gateway to trigger the Lambda (with the 30-second limit), or use an ALB as the front end for the function.

AWS
EXPERT
Uri
answered 10 months ago
EXPERT
reviewed a month ago
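Added example (not part of the answer above and not AWS code): the answer notes that a function URL can be protected with IAM. This Python standard-library signer shows the SigV4 headers such a URL (AuthType `AWS_IAM`) expects from the ECS task. The function name, URL and credentials are constructed for illustration; in a real task the temporary credentials come from the task role.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit


def sign_function_url_request(method, url, body, access_key, secret_key,
                              session_token, region, now=None):
    """Return SigV4 headers for a function URL whose AuthType is AWS_IAM."""
    amz_date = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    parts = urlsplit(url)
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {
        "host": parts.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
        # Task-role credentials are temporary, so the token is sent and signed.
        "x-amz-security-token": session_token,
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True)))
    # The as-sent path is encoded once more, as SigV4 requires outside S3.
    canonical_request = "\n".join([
        method.upper(), quote(parts.path or "/", safe="/-_.~"), query,
        canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/lambda/aws4_request"  # service name is "lambda"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = f"AWS4{secret_key}".encode()
    for step in (date, region, "lambda", "aws4_request"):
        key = hmac.new(key, step.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed URL and credentials; nothing is sent over the network.
    url = "https://example1234567890.lambda-url.us-east-1.on.aws/report?days=7"
    hdrs = sign_function_url_request("POST", url, b'{"run": true}', "AKIDEXAMPLE",
                                     "constructed-secret", "constructed-token", "us-east-1")
    print("\n".join(f"{k}: {v}" for k, v in hdrs.items()))
```

The returned headers are sent with the HTTP request, and the body must be byte-for-byte what was hashed. Where boto3 is installed, `botocore.auth.SigV4Auth` performs the same signing.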
0

Hi Lalit, one option is to invoke the Lambda function using AWS SDKs from the frontend ECS application.

AWS
answered 10 months ago
0
answered 10 months ago
0

Function URLs expose a public endpoint, so an HTTP client is not an option.

You should either use the SDK, if you just want to reuse the function URL (more details for authentication here: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html#:~:text=Function%20URLs%20are%20dual%20stack,must%20have%20lambda%3AInvokeFunctionUrl%20permissions.).

Alternatives are an internal ALB or a private API Gateway.

EXPERT
answered 10 months ago
