 

Is it possible to assign a public IP to a Lambda function in AWS?

We need to access APIs in a corporate backend that accept calls only from authorised IP addresses.

At this moment our mobile clients are calling an AWS Lambda function that performs some transformations and then calls another service on an EC2 instance that has the authorised public IP address assigned. This second service performs the final call to the corporate backend returning the data to the lambda and then to the clients.

This is working fine, but it adds some unnecessary complexity to the architecture that we wish to avoid.

Is it possible to assign the public IP to the lambda function somehow to avoid having this extra service in EC2?

Thanks,

GA

G A asked Dec 22 '16 07:12


People also ask

Can AWS Lambda have public IP?

No, Lambda functions do not get a public IP, regardless of the auto-assign IPv4 address setting. They cannot have public IPs. To reach the internet, they must route through a NAT (which routes to an IGW).

How do I give Internet access to a Lambda function?

To give internet access to an Amazon VPC-connected Lambda function, route its outbound traffic to a NAT gateway or NAT instance in a public subnet. For more information, see Internet gateways in the Amazon VPC User Guide.

Can we assign Elastic IP to Lambda?

No. You cannot associate an Elastic IP (EIP) address with an AWS Lambda function.


1 Answer

The straightforward solution is this:

  • create a NAT Instance or NAT Gateway with an Elastic IP address

  • create a private VPC subnet which uses the NAT device as its default route

  • deploy the Lambda function in a VPC, associated with that private subnet.

Each Lambda container created will have an elastic network interface (ENI) on that private subnet, which means the NAT device will be its default gateway, which means the NAT device's EIP will be its source IP address for internally-originated connections that are bound for the Internet.

No change to the Lambda function code itself is required.

The above is the official solution.

Note also that with current technology, placing a Lambda function inside a VPC will have an impact on cold-start times, any time a new Elastic Network Interface (ENI) needs to be allocated.

When a Lambda function is configured to run within a VPC, it incurs an additional ENI start-up penalty.

https://docs.aws.amazon.com/lambda/latest/dg/vpc.html

Michael - sqlbot answered Sep 20 '22 14:09
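A check for the setup this answer describes, as an added example that is not part of the original answer: given data shaped like boto3's `describe_route_tables` and `describe_nat_gateways` responses plus the function's `VpcConfig`, it reports the public IP each Lambda subnet will egress from and fails for any subnet whose default route is not a usable NAT gateway. It covers the NAT Gateway variant only; the function names and all IDs and addresses are constructed for illustration.

```python
# Constructed sample data shaped like boto3 responses; subnet-priv-b has no explicit association.
VPC_CONFIG = {"VpcId": "vpc-0a", "SubnetIds": ["subnet-priv-a", "subnet-priv-b"]}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-01", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-0a", "Associations": [{"SubnetId": "subnet-priv-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-01", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-01", "State": "available",
                 "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]

def route_table_for(subnet_id, vpc_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def egress_ips(vpc_config, route_tables, nat_gateways):
    """Map each Lambda subnet to the public IPs its outbound traffic will use."""
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    result = {}
    for subnet in vpc_config["SubnetIds"]:
        rt = route_table_for(subnet, vpc_config["VpcId"], route_tables)
        default = next((r for r in (rt or {}).get("Routes", [])
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            raise ValueError(f"{subnet}: no default route")
        nat = nats.get(default.get("NatGatewayId"))
        if nat is None:
            # e.g. an igw-... target: Lambda ENIs get no public IP, so no egress
            raise ValueError(f"{subnet}: default route is not a NAT gateway")
        if nat["State"] != "available" or default.get("State") != "active":
            raise ValueError(f"{subnet}: NAT route is not usable")
        result[subnet] = sorted(a["PublicIp"] for a in nat["NatGatewayAddresses"]
                                if a.get("PublicIp"))
    return result

def unlisted_egress_ips(vpc_config, route_tables, nat_gateways, allowlisted):
    """Return egress IPs that the backend's allow-list does not cover."""
    seen = {ip for ips in egress_ips(vpc_config, route_tables, nat_gateways).values()
            for ip in ips}
    return sorted(seen - set(allowlisted))
```

With the sample data as written, `egress_ips(VPC_CONFIG, ...)` raises for `subnet-priv-b`, because that subnet falls back to the main route table, whose default route points at an internet gateway.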