Security Group update to allow AWS Lambda function that is not attached to any VPC

Question

There are two applications. One application is developed through AWS Lambda (present in Account A) and other application is deployed in ECS Fargate (present in Account B) in AWS.

The first application (AWS Lambda) is consuming an API (from the second application ECS Fargate). I need to allow the AWS Lambda function to access the ECS application (which is behind Application Load balancer) through the inbound rule in the security group.

Problem is AWS Lambda is not attached to any VPC and both applications are running in separate AWS accounts. How to solve this problem?

Note: It is an internal application not internet facing.

score 0 · Answer 1 · answered Jul 04 '22 at 12:53

0

Note : Its internal application not internet facing.

If your ECS application's load balancer scheme is set to internal instead of public, then an AWS Lambda function that is not assigned to a VPC would never be able to access it. You are asking about security group rules, but there is no security group rule that will give something on the Internet access to a resource that is not exposed to the Internet.

Your only option to make this work is to move the Lambda function into a VPC, and establish VPC peering between the two VPCs.

answered Jul 04 '22 at 12:53

Mark B

183,023
24
297
295

ALB Scheme is internet facing only. – user2932395 Jul 04 '22 at 15:38
1

I assume by "internet facing only" you mean "public". If that's the case, why did you state it is not an Internet facing application? – Mark B Jul 04 '22 at 17:01
in security group, we haven't allowed to public access, so its only accessed inside the corporate network – user2932395 Jul 06 '22 at 08:56
One option is to add your Lambda function to a VPC with a NAT Gateway, and add that NAT Gateway's elastic IP to the security group. – Mark B Jul 06 '22 at 13:14

Security Group update to allow AWS Lambda function that is not attached to any VPC

1 Answers1