Duke Dougal

Reputation: 26376

What is the downside of NOT running AWS Lambda functions in a VPC?

I am running AWS Lambda functions in a VPC.

And during the course of the project I have hit problems because:

I COULD implement a NAT gateway in the VPC but what is the point of serverless if I have to run a NAT server instance? That's not serverless.

So finally AWS has worn me down and I have decided to give up on running my AWS Lambda functions in a VPC - without endpoints for Internet proxying and the various AWS services it's just too hard.

So my question is - what is the downside/disadvantage of running my AWS Lambda functions with no VPC?

Upvotes: 17

Views: 18279

Answers (4)

John Rotenstein

Reputation: 269826

If you need access to resources within a VPC, then run your AWS Lambda function within a VPC. If you do not require this access, then do not run it within a VPC.

If you require Internet access while connected to a VPC, then you should connect your Lambda functions to a Private Subnet and use a NAT Gateway, which is a fully-managed NAT so you can remain serverless. It will solve the problems you listed.

Upvotes: 17
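An added example, not part of the answer above: a check that classifies the Internet egress of each subnet a VPC-attached Lambda function uses, by reading the subnet's default route. The input dicts follow the response shape of `ec2.describe_route_tables()` and a Lambda `VpcConfig`; the sample IDs are constructed, and the route tables are assumed to be already filtered to the function's VPC.

```python
def default_route_target(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if absent."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def route_table_for_subnet(subnet_id, route_tables):
    """An explicit association wins; otherwise the main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_egress(vpc_config, route_tables):
    """Map each subnet of the function to 'nat', 'igw-no-egress', 'isolated' or 'other'."""
    result = {}
    for subnet_id in vpc_config.get("SubnetIds", []):
        rt = route_table_for_subnet(subnet_id, route_tables)
        target = default_route_target(rt) if rt else None
        if target is None:
            result[subnet_id] = "isolated"       # needs VPC endpoints or a proxy
        elif target.startswith("nat-"):
            result[subnet_id] = "nat"            # private subnet with working egress
        elif target.startswith("igw-"):
            result[subnet_id] = "igw-no-egress"  # Lambda ENIs get no public IP
        else:
            result[subnet_id] = "other"
    return result

# Constructed sample data (hypothetical IDs), shaped like the boto3 responses.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-b", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
]
VPC_CONFIG = {"SubnetIds": ["subnet-a", "subnet-b", "subnet-c"]}

if __name__ == "__main__":
    for subnet, verdict in classify_egress(VPC_CONFIG, ROUTE_TABLES).items():
        print(subnet, verdict)
```

A function attached to a subnet whose default route points at an Internet gateway still has no outbound Internet, which is why the answer specifies a private subnet routed through a NAT Gateway.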

AWS has provided a reference document for Lambda deployments: Serverless Application Lens, AWS Well-Architected Framework. In it they provide the following decision tree:

Decision tree for deploying a Lambda function in a VPC

The only major downside noted is that a Lambda outside of a VPC cannot directly access private resources within a VPC.

Upvotes: 11

Manu

Reputation: 43

One reason to create a Lambda in a VPC would be that you have a specific IP or IP range for it. This could be the case if a system just accepts calls from a specific IP, which would need to be whitelisted for it.

Fixed IP for Lambda function is discussed here: Is there a way to assign a Static IP to a AWS Lambda without VPC?

Downside of not having Lambda in VPC: Not having specific IP / IP-range for your Lambda function.

Upvotes: 1

Duke Dougal

Reputation: 26376

In the end I stayed with the VPC but I added an EC2 instance into the VPC and ran TinyProxy on it. I then configured my AWS Lambda functions with the environment variable:

HTTPS_PROXY https://ip-10-0-1-53.eu-west-1.compute.internal:8888

boto3 picked up the environment variable and sent all requests to the proxy. This seems to work fine without the complexity of a NAT gateway.

Upvotes: -2
