Remove NAT Gateway and use Internet Gateway


I have created a Lambda function in the private subnet and am connecting to the internet using NAT Gateway. I want to connect to the internet using Internet Gateway instead of NAT Gateway.

Is it possible to do that?

If so, how do you do the conversion?

已提问 7 个月前272 查看次数
2 回答

Using a Lambda function to connect to the internet (from within a VPC) without NAT Gateway or a NAT instance is not supported.

Note that you can choose not to associate the Lambda function with a VPC - it will have direct internet access then.

Is there some other reason for using the Lambda function in a VPC? One option I've seen other customers use is to decouple the Lambda functions - have one that accesses APIs/data on the internet; and another to access private resources.

profile pictureAWS
已回答 7 个月前
profile picture
已审核 7 个月前
  • Thank you for your response.

    I will not associate Lambda function with a VPC

  • I couldn't identify any specific technical reasons for exclusively supporting NAT gateway or NAT instance without including an Internet Gateway. Is this intentional to prevent incoming access?

  • An internet gateway exists to provide your VPC with access to the "outside world" (the internet for all intents and purposes). It's designed for session that are initiated from outside the VPC to resources in the VPC (those with a public or Elastic IP); and also for those resources to initiate sessions from within the VPC to the rest of the world. A NAT Gateway is designed to do many:1 address translation - that is, allow many internal (to the VPC) resources to appear to come from a single IP address. And as you've mentioned, it is for session initiated from with the VPC; not the other way around. While you can have a private NAT Gateway (i.e. one without an internet gateway), the majority of use cases involve both together.

  • It turns out it is possible! By assigning an IP to the ENI created by Lambda, you can use an Internet Gateway instead of a NAT Gateway.

  • Be careful with that solution. EIPs or public IPs aren't assigned to Lambda ENIs automatically for a reason. The ENI may change at any time (for example, if there are no Lambda executions for a period of time). When the new ENI is created it won't have an Elastic/Public IP assigned.



Maybe the Lambda URLs would be a good solution for your use case:

This is only possible if you Lambda is called from the Internet to answer some requests and not if it needs to connect to other services on the Internet to get some data. I was unsure of what you mean by "am connecting to the internet using NAT"

Hope it helps!


profile pictureAWS
已回答 7 个月前
  • Thanks for your help. As suggested by Brettski-AWS, I will make the changes.

您未登录。 登录 发布回答。