
I have a lambda function which runs every 15 minutes and saves some data in DynamoDB.

Now I want to secure the DynamoDB call made by my lambda so that the request does not go via the Internet, rather through Amazon internal network. There is no EC2 instance involved here though.

I have seen a few recommendations for using PrivateLink which binds the Dynamo to VPC endpoints so that calls made from EC2 instances always go via internal network bypassing Internet.

I was wondering whether such a configuration is possible for Lambda calling DynamoDB, since Lambda itself does not run in any EC2 instance and is rather serverless?

nightfly

3 Answers


The first thing I would say is that all of your traffic between Lambda and DynamoDB is signed and encrypted, so that's typically sufficient.

There are use cases, most typically compliance reasons, when this is not sufficient. In that case you can deploy the Lambda function into a VPC of your making and configure the VPC with a private VPC endpoint for DynamoDB. Typically, the VPC would be configured without an internet gateway or NAT so that it has no egress route to the public internet. Be aware that your Lambda function startup latency will be higher than usual, because each Lambda function environment needs to attach an ENI for access to the private endpoint.

See Configuring a Lambda Function to Access Resources in an Amazon VPC.

jarmod

If you don't need to access resources in a VPC, AWS recommends not to run AWS Lambda functions in a VPC. From AWS Lambda Best Practices:

Don't put your Lambda function in a VPC unless you have to. There is no benefit outside of using this to access resources you cannot expose publicly, like a private Amazon Relational Database instance. Services like Amazon Elasticsearch Service can be secured over IAM with access policies, so exposing the endpoint publicly is safe and wouldn't require you to run your function in the VPC to secure it.

Running Lambda functions in a VPC adds additional complexity, which can negatively affect scalability and performance. Each Lambda function in a VPC needs an Elastic Network Interface (ENI). Provisioning ENIs is slow and the number of ENIs you can have is limited, so when you scale up you can run into a shortage of ENIs, preventing your Lambda functions from scaling up further.

Dunedan
    If any one is coming across this now, this is no longer an issue (at least not at the scale it was before). AWS now uses shared ENIs and attaches them at function creation instead of invocation. You should still be mindful of ENI limits (250 per VPC as of this comment's posting) but so long as the security group/subnet combo is the same, they'll share ENIs. https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/ – KenLFG Jan 10 '20 at 04:49
  • What @KenLFG mentioned here is important. AWS has improved Lambda a lot over the past few years. The anti-pattern that we faced with Lambda in a VPC is no longer an anti-pattern. – Hiro Feb 22 '21 at 14:08
  • FYI: Linked article is updated and no longer contains any recommendation regarding VPC – Ivan Samygin Mar 02 '23 at 22:53

This is one way to do it.

Step 1) Deploy your lambda inside VPC.

Step 2) Create VPC Endpoint to the DynamoDB.

This should help: https://aws.amazon.com/blogs/aws/new-vpc-endpoints-for-dynamodb/

Asdfg
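Both jarmod's answer and Asdfg's two steps describe the target state (Lambda attached to VPC subnets, a DynamoDB gateway endpoint on those subnets' route tables, no internet egress) but neither shows how to confirm that you actually ended up there. The script below is an added example, not code from any of the answers: it takes dictionaries shaped like the responses of boto3's `ec2.describe_route_tables()`, `ec2.describe_vpc_endpoints()` and `lambda.get_function_configuration()` and reports every subnet whose route table is not associated with the DynamoDB endpoint or still has a default route through an internet or NAT gateway. It also flags an endpoint policy that allows `"Resource": "*"`, which is what a gateway endpoint gets by default. The region, VPC, subnet, endpoint and table identifiers are constructed sample values, not real ones.

```python
"""Offline check: does a Lambda's VPC configuration reach DynamoDB only through a
gateway VPC endpoint, with no route to the public internet?

Added example. Input dicts mirror boto3 response shapes; all IDs are constructed.
"""
import json

REGION = "us-east-1"  # assumption: region of the sample account
DYNAMODB_SERVICE = f"com.amazonaws.{REGION}.dynamodb"

# Constructed sample: function attached to two private subnets.
LAMBDA_CONFIG = {
    "FunctionName": "save-metrics",
    "VpcConfig": {"SubnetIds": ["subnet-0a", "subnet-0b"],
                  "SecurityGroupIds": ["sg-0lambda"], "VpcId": "vpc-0example"},
}

# Constructed sample: one gateway endpoint, policy scoped to a single table.
VPC_ENDPOINTS = [{
    "VpcEndpointId": "vpce-0ddb", "VpcEndpointType": "Gateway",
    "ServiceName": DYNAMODB_SERVICE, "VpcId": "vpc-0example",
    "RouteTableIds": ["rtb-private"],
    "PolicyDocument": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/metrics"}]}),
}]

# Constructed sample: rtb-private routes to the endpoint via its prefix list;
# rtb-public has a default route to an internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-0a"}, {"SubnetId": "subnet-0b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-0ddb", "GatewayId": "vpce-0ddb"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-0c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0pub"}]},
]


def route_table_for_subnet(subnet_id, route_tables):
    """Route table explicitly associated with the subnet, else the VPC's main table."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            return rtb
    for rtb in route_tables:
        if any(a.get("Main") for a in rtb.get("Associations", [])):
            return rtb
    return None


def has_internet_egress(rtb):
    """True if a default route targets an internet gateway or NAT gateway."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith(("igw-", "nat-")):
            return True
    return False


def endpoint_policy_is_scoped(policy_json):
    """False if any Allow statement covers every resource ('*')."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", "*")
        if "*" in ([resources] if isinstance(resources, str) else resources):
            return False
    return True


def check_private_dynamodb_path(lambda_config, route_tables, vpc_endpoints):
    """Return a list of findings; an empty list means every subnet is compliant."""
    findings = []
    vpc_cfg = lambda_config.get("VpcConfig", {})
    subnet_ids = vpc_cfg.get("SubnetIds", [])
    if not subnet_ids:
        return ["function is not attached to a VPC; traffic uses the public endpoint"]
    ddb_endpoints = [e for e in vpc_endpoints
                     if e["ServiceName"] == DYNAMODB_SERVICE
                     and e["VpcEndpointType"] == "Gateway"
                     and e["VpcId"] == vpc_cfg.get("VpcId")]
    if not ddb_endpoints:
        findings.append("no DynamoDB gateway endpoint in the function's VPC")
    for subnet_id in subnet_ids:
        rtb = route_table_for_subnet(subnet_id, route_tables)
        if rtb is None:
            findings.append(f"{subnet_id}: no route table found")
            continue
        rtb_id = rtb["RouteTableId"]
        if not any(rtb_id in e["RouteTableIds"] for e in ddb_endpoints):
            findings.append(f"{subnet_id}: {rtb_id} not associated with the DynamoDB endpoint")
        if has_internet_egress(rtb):
            findings.append(f"{subnet_id}: {rtb_id} has a default route to the internet")
    for e in ddb_endpoints:
        if not endpoint_policy_is_scoped(e.get("PolicyDocument", "{}")):
            findings.append(f"{e['VpcEndpointId']}: endpoint policy allows all resources")
    return findings


if __name__ == "__main__":
    for line in check_private_dynamodb_path(LAMBDA_CONFIG, ROUTE_TABLES, VPC_ENDPOINTS) or ["OK"]:
        print(line)
```

In a real account you would feed the function the `RouteTables`, `VpcEndpoints` and function configuration returned by the corresponding boto3 calls; the sample data is shaped to match, so only the three constants need replacing. Note that the script checks routing and the endpoint policy, not the function's IAM role: a scoped endpoint policy and a scoped execution role are separate controls, and both belong in the review.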