AWS Lambda function via Function URL invoke only within VPC

Question

I have a lambda function in AWS inside a VPC. I want to attach http handler (function URL).

The problem is, if I enable the function URL then it creates a public endpoint.

Alternatives I don't want to use

• enable AWS_IAM security (then the caller will need to use AWS SKD and get token and all)
• API gateway trigger (I am already using API gateway as proxy to kubernetes Ingress, I don't want to diverge that)
• ALB (I am already using k8s ingress, which creates ALB, so I want the proxy to be created manually by code, not using lambda configuration)

Is there a way we can create AWS Lambda function URL but it should be accessible only within VPC without involving AWS SKD? (like wget URL)

Answer 1

It's a bit late, but nonetheless, the Function URL is always public, and there is no way to make it private as the documentation states (at least at the time of posting this):

You can access your function URL through the public Internet only. While Lambda functions do support AWS PrivateLink, function URLs do not.

You can find more information here https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html.

There is another way to invoke the Lambda function privately from a VPC, using VPC Lattice, but this is meant for architectures where you have several services and not an ad-hoc Lambda. However, nothing prevents you from using it for just one Lambda.

Hope it helps.

Answer 2

I looked into this for a similar use-case, eventually I went with a direct lambda Invoke from the SDK, using the RequestResponse InvocationType to obtain the response payload. This suited my needs, but it might not suit your case.

InvokeResponse response = await lambdaClient.InvokeAsync(new InvokeRequest() {
    FunctionName = "LambdaFunctionName",
    InvocationType = InvocationType.RequestResponse,
    Payload=data
});