
Given an AWS Lambda that does not need access to resources within a VPC, the well architected serverless lens recommends not putting the function in a VPC.

However, my Lambda will sit behind an API Gateway to facilitate a REST endpoint that needs to be accessed by servers that do sit within a VPC.

How can a VPC-less Lambda sit behind an API Gateway that itself is accessible within a VPC?

I would prefer that my API Gateway not be exposed to the public internet, therefore instantiating a public API Gateway and calling that public IP address from within my VPC via NAT gateway is not an acceptable solution.

Thank you in advance for your consideration and response.

Ramón J Romero y Vigil

1 Answer


Invoking an AWS Lambda function will always be done via the public AWS API. It doesn't matter if the Lambda function is configured to run in the VPC; once it is invoked, it still has to be invoked via the public AWS API.

AWS Lambda functions do not sit running idle in your VPC waiting for an invocation request to come in. The whole point of Lambda functions is that they do not exist at all until they are needed to process a request, at which point the AWS infrastructure creates an instance of your function, and then passes it the request info to process.

If you add an AWS Lambda function to your VPC, all that does is attach an ENI from your VPC to the Lambda function at the time it is executing, so that it can use the network connection provided by that ENI to access resources inside your VPC.

The API Gateway service itself also does not run inside your VPC. Both API Gateway and Lambda exist outside your VPC, and API Gateway will have no problems accessing the public AWS API to invoke a Lambda function.

When you make your API Gateway VPC only, the API Gateway service (servers) still exists outside the VPC, it just makes the API Gateway accessible at a private address inside your VPC, via a network gateway to the API Gateway service.

Mark B
  • *Calling/executing an AWS Lambda function will always be done via the public AWS API* this isn't true, lambda supports vpc endpoints therefore the invocation doesn't have to go over the internet – Paolo Nov 04 '22 at 14:28
  • I never said it has to go "over the Internet". It does however have to go to that public API that I have linked. The VPC endpoint just sends requests from the VPC over to that public API, while keeping the network traffic inside the same AWS data center, instead of going out to the Internet and back. It still hits that same API. – Mark B Nov 04 '22 at 14:29
  • @Paolo to be clear, a VPC endpoint just provides a network connection from the VPC to the public AWS API servers. It doesn't create an entirely new private AWS API server just for your VPC. it just provides a network route from your VPC to the public API server, that doesn't use a VPC Internet Gateway. – Mark B Nov 04 '22 at 14:34
  • Right, so I think you should say "AWS API" instead of "public AWS API". Public implies internet facing generally. – Paolo Nov 04 '22 at 14:53
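The arrangement Mark B describes (Lambda outside the VPC, a PRIVATE REST API reached through an execute-api interface endpoint) as an added Terraform example; this is not code from the original answer or from AWS. The variables `var.vpc_id`, `var.private_subnet_ids`, `var.endpoint_sg_id`, `var.region`, the role `aws_iam_role.lambda` and the package `lambda.zip` are assumed to exist elsewhere in the configuration.

```hcl
# Constructed example. Assumed inputs: var.vpc_id, var.private_subnet_ids,
# var.endpoint_sg_id, var.region, aws_iam_role.lambda, and lambda.zip.

resource "aws_lambda_function" "api" {
  function_name = "private-api-handler"
  role          = aws_iam_role.lambda.arn # assumed, defined elsewhere
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip"
  # No vpc_config block: the function stays outside the VPC.
  # API Gateway reaches it through the Lambda service API, not the VPC.
}

# Interface endpoint giving the VPC a private route to the execute-api
# service (the API Gateway invoke front end). Private DNS makes the
# API's default hostname resolve to the endpoint's private IPs.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = true
}

resource "aws_api_gateway_rest_api" "private" {
  name = "private-rest-api"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
  # A PRIVATE API denies everything until a resource policy allows it.
  # Conditioning on aws:SourceVpce limits invocation to callers that
  # arrive through this endpoint; any other path gets a 403.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "execute-api:/*"
      Condition = {
        StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id }
      }
    }]
  })
}

# Allow the API Gateway service (itself outside the VPC) to invoke the function.
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowPrivateApiInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.api.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.private.execution_arn}/*/*"
}
```

Servers in the VPC call the API's usual `https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/...` hostname; with private DNS enabled it resolves to the endpoint ENIs, and the resource policy rejects any request that did not come through that endpoint.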