1 個回答
- 最新
- 最多得票
- 最多評論
0
Hi,
I would suggest to have Lambdas outside your VPC and have those Lambdas do the repository accesses over the Internet based on their default configuration:
see https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html
**By default, Lambda functions have access to the public internet. **
This is not the case after they have been configured with access to one of your VPCs. If you continue to need access to resources on the internet, set up a NAT instance or Amazon NAT Gateway. Alternatively, you can also use VPC endpoints to enable private communications between your VPC and supported AWS services.
They will act as a proxy to your ECS containers: those containers will use the Lambda invoke() API to request access to a given repo. The Lambda will store the content of the repo in a S3 bucket that your ECS instances can access securely via an additional service endpoint.
If this is your only use of NAT, you can then suppress use of NAT and Internet Gateway to reduce your costs as expected.
Additional benefit: better security posture since your VPC is now fully closed.
Best,
Didier
相關內容
AWS 官方已更新 1 年前- AWS 官方已更新 2 年前
- AWS 官方已更新 2 年前
Hi, Thank you for sharing the approach, but it will add complexity in my arch.