AWS Lambda is a serverless compute service that is widely used for building serverless and event-driven architectures on AWS. By default, a Lambda function runs in a VPC that the Lambda service owns and manages; from there it can reach the internet, but not resources inside your own VPC. You can instead attach the function to your own VPC, and specifically to a private subnet, so that it reaches your resources over the private network.
A classic use case arises when you host APIs with API Gateway and Lambda. In the banking and financial domain, most target systems require your source IP address to be whitelisted. But how do you whitelist the IP address of a Lambda function when an Elastic IP cannot be assigned to one? Here is a solution that not only sends requests originating from Lambda through a static IP but also lets the function interact with other VPC resources without traversing the internet.
Let’s explore how it can be implemented.
Let’s create a new VPC for this demonstration. You can also use an existing VPC and follow the remaining applicable steps.
Now add a public subnet and a private subnet.
Create an Internet Gateway and attach it to the VPC.
Create a NAT Gateway in the public subnet and associate an Elastic IP address with it. The NAT Gateway must live in the public subnet, because its own path to the internet goes through the Internet Gateway.
Create one route table each for the public and private subnets, and associate each subnet with its table. Edit the public route table and add a default route for 0.0.0.0/0 via the Internet Gateway. Similarly, edit the private route table and add a default route for 0.0.0.0/0 via the NAT Gateway. This is the step that makes the difference: the private subnet has no direct route to the Internet Gateway, so everything it sends to the internet is translated to the NAT Gateway’s Elastic IP.
Let’s create a new security group to be used by the Lambda function. This security group has NO inbound rules, which is all a Lambda function needs, since nothing initiates connections to its network interfaces, and it allows all outbound traffic, which is also the default for a security group. If your policy requires it, narrow the outbound rule to the ports your target systems actually use (for example TCP 443).
All the steps above concern the VPC configuration. Now let’s create a new Lambda function and configure its VPC settings to match. The function’s execution role must be allowed to create and manage network interfaces in the VPC (the AWS managed policy AWSLambdaVPCAccessExecutionRole grants this); without it the VPC configuration is rejected.
As you may have noticed, I’ve configured the VPC, the private subnet and the security group created above. The Lambda function now runs in my VPC instead of the Lambda-managed VPC. Since the private subnet’s default route points to the NAT Gateway, every outbound request from this function leaves the VPC through the NAT Gateway and therefore from its Elastic IP. The target systems can now whitelist that Elastic IP address. Two caveats: a NAT Gateway is tied to one Availability Zone, so if you attach the function to private subnets in several AZs, give each AZ its own NAT Gateway and Elastic IP and whitelist all of them; and the whitelisted address identifies your VPC’s egress, not your function, so the target system should still authenticate each request as before.
To test this, let’s make a simple HTTPS call to google.com and return the response code. A 200 response confirms that the Lambda function can reach hosts outside the VPC. It does not by itself show which source address the target saw; to verify that, call an endpoint that echoes the caller’s IP, or check the target system’s logs for the Elastic IP.
I hope this is helpful. As mentioned earlier, this is a very common use case and the fix is straightforward.
As always, Happy Learning!