Lambda (private subnet) <- ingress request< - gateway



I am baffled by a use case that I am not able to make sense of. Will appreciate some guidance. Here is the scenario.

VPC: Created through Control Tower - Landing zone - Account creation. VPC has 1 public subnet and 3 private subnets.

Public Subnet: I have Public Subnet accessible from IG per the route table configurations. Resources in a public subnet are mapped with SecurityGroups which allow internet access.

Private Subnet: Each private subnet is mapped in a different route table which does not have a mapping to IG. There is no NAT Gateway in this scenario.
Therefore, no ingress or egress requests outside of VPC. I do have VPC Endpoints for S3, Dynamodb, and KMS.

NACL: Allows all inbound and outbound traffic from all sources. Just to keep this simple.

Lambda: Lambda is created using advanced configuration and is configured to run in a private subnet inside the VPC. Lambda has a simple job of accessing KMS endpoint and listing all KMS-CMKS(s).

Gateway: Created a public API with /GET Resource mapped to lambda. Straight forward stuff.

Per my understanding, VPC only has one ingress point IG, not bringing peering or transit gateway or private links into the mix. Based on the above subnet design and routes, resources in the private subnet should not be accessible to requests coming from outside of VPC. Right?

However, when I issue the GET request to the API, API Gateway is able to invoke the lambda and able to get the results.

I am really confused. Any help will be appreciated.

Meanwhile, I will dig through the documentation.

Regards, Sandeep

1 Answer
Accepted Answer

API Gateway doesn't invoke the Lambda function using "the network" as you have defined it (VPC in this case).

When you create an integration between API Gateway and a Lambda function you authorise API Gateway to invoke the function; and you provide permissions in Lambda for API Gateway to invoke it (it's a two-way operation).

"Traffic" (in this case, the request from APi Gateway to Lambda and the response from Lambda to API Gateway) is carried across the AWS services control plane so you don't need to provide a network path for that to happen.

Any network traffic generated by the Lambda function (for example, accessing a database or calling another AWS service) will (in your case) will originate from the network interface Lambda has on your private subnet.

profile picture
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions