24

Is it possible to create a Serverless Framework Lambda deployment where the Lambda is deployed into an existing VPC's SecurityGroup? I don't want the service deployment or its stack to own any of the network artifacts.

Ryan Fisch

3 Answers

34

Yes it is. The vpc configuration in serverless.yml just needs to reference existing subnets and security groups. Something like this:

vpc:
    securityGroupIds:
      - securityGroupId1
      - securityGroupId2
    subnetIds:
      - subnetId1
      - subnetId2

Take a look at https://serverless.com/framework/docs/providers/aws/guide/functions/#vpc-configuration

Brian Winant
  • @Brian This doesn't work. For some reason VPC is not getting added. – node_saini Aug 26 '19 at 11:13
  • (6) Note that if you have already deployed your serverless api, you may need to use `sls deploy --force` or even delete and redeploy your serverless api. – Derrops Aug 28 '19 at 02:59
  • If you want to create an interface VPC endpoint to allow the lambda to connect to a service, how do you give the VPC Id while creating the VPC endpoint via CloudFormation? – iammrmehul Oct 21 '19 at 11:49
  • You can export the VPC id in CloudFormation using Outputs and then reference the VPC id in Serverless using ${cf:WhateverYourExportedVPCOutputNameIs} – Brian Winant Oct 23 '19 at 00:49
8

The following setup worked perfectly for me in Serverless version 1.51.0. I included staging variables, since my environments use different subnets and security groups for logical isolation. My network setup is an already existing VPC with subnets and security groups.

provider:
  name: aws
  ....
  ....
  vpc:
    securityGroupIds:
      - ${self:custom.securityGroupId.${self:provider.stage}}
    subnetIds:
      - ${self:custom.subnetId.${self:provider.stage}}

custom:
  stages:
    - tst
    - dev
    - prd
  securityGroupId:
    local: sg-local
    tst: sg-tst
    dev: sg-dev
    prd: sg-prd
  subnetId:
    local: subnet-local
    tst: subnet-tst
    dev: subnet-dev
    prd: subnet-prd

plugins:
  - serverless-stage-manager

Cloudkollektiv
5

An extension to the answer provided by @Nebulastic.

This is for when you want to configure your VPC Lambdas to execute from more than one subnet for various stages.

provider:
  name: aws
  vpc:
    securityGroupIds:
      - ${self:custom.securityGroupId.${self:provider.stage}}
    subnetIds:
      - ${self:custom.subnetId1.${self:provider.stage}}
      - ${self:custom.subnetId2.${self:provider.stage}}
      - ${self:custom.subnetId3.${self:provider.stage}}

custom:
  stage: ${opt:stage, self:provider.stage}

  securityGroupId:
    prod: sgId-prod
    test: sgId-test
    dev: sgId-dev
  subnetId1:
    prod: subnetId1-prod
    test: subnetId1-test
    dev: subnetId1-dev
  subnetId2:
    prod: subnetId2-prod
    test: subnetId2-test
    dev: subnetId2-dev
  subnetId3:    # was a duplicate "subnetId2" key, which YAML would silently overwrite
    prod: subnetId3-prod
    test: subnetId3-test
    dev: subnetId3-dev

kiran01bm
  • Your solution relies on each stage having the same number of the elements. What if prod has three subnets but dev only has two? Is there a way to reference the entire array rather than just individual elements? – Jacob Stamm May 17 '23 at 15:54
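The per-stage pattern from the answers above, extended so each stage references a whole subnet list rather than individual elements, which lets stages carry different numbers of subnets. This is an added example, not code from any of the posters; the service name, stage names and the sg-/subnet- values are constructed placeholders, and the syntax assumes Serverless Framework v3.

```yaml
service: vpc-lambda-example   # constructed service name

provider:
  name: aws
  runtime: nodejs18.x
  stage: ${opt:stage, 'dev'}
  # A variable that points at a list resolves to the whole list, so each
  # stage can declare exactly as many subnets as it actually has.
  vpc:
    securityGroupIds: ${self:custom.vpc.${self:provider.stage}.securityGroupIds}
    subnetIds: ${self:custom.vpc.${self:provider.stage}.subnetIds}
  # Only the function's network interfaces are created inside these subnets;
  # the VPC, subnets and security group stay owned by whoever created them.

custom:
  vpc:
    dev:                      # two subnets in this stage (placeholder IDs)
      securityGroupIds:
        - sg-dev
      subnetIds:
        - subnet-dev-a
        - subnet-dev-b
    prod:                     # three subnets in this stage (placeholder IDs)
      securityGroupIds:
        - sg-prod
      subnetIds:
        - subnet-prod-a
        - subnet-prod-b
        - subnet-prod-c

functions:
  hello:
    handler: handler.hello
```

Deploy with `sls deploy --stage prod` (or `dev`) and confirm the resolved values with `sls print --stage prod`; the security group must belong to the same VPC as the listed subnets or CloudFormation rejects the function.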