Reputation: 2422
We are implementing a few Lambda functions which need to place an HTTP call to a third party. The third party has a whitelisting policy and we need to provide an IP range so that the Lambda can access the third-party system. Earlier we thought about keeping it outside the VPC, but with this we may have to give the AWS IP address range for whitelisting. Exposing the AWS IP range for whitelisting may have two concerns:
This is a big range and the third party will not allow whitelisting this range.
I heard this range keeps on changing. We may end up asking the third party to change this again and again.
Finally we decided to keep the Lambda inside the VPC. But I would like to be sure: is this whitelisting need a valid reason to keep the Lambda inside the VPC? Or is there another way of handling the whitelisting concern without keeping the Lambda inside the VPC (as there is additional overhead in keeping Lambdas inside a VPC)?
Upvotes: 0
Views: 190
Reputation: 4451
Lambda in a VPC gives you the advantage that you don't need to give a big IP address range to the third party, as you can use a NAT gateway, and a NAT gateway uses an EIP (Elastic IP), which is fixed. However, there is a common problem with Lambda in a VPC: it creates ENIs in your VPC and every ENI needs an IP address. This can be a problem if you have a smaller classless CIDR range for the subnet, as you won't have enough IPs left and Lambda execution fails. You need to give ENI/VPC resource permissions to the Lambda role so it can delete the ENIs.
A good solution would be to use HTTP header-based restriction if the third party supports it. You can add some specific header and its value, and the destination can only allow the request if the header is present. This way you don't need IP-based whitelisting and can launch the Lambda without a VPC. It's like a WAF solution.
Upvotes: 1
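The header-based restriction suggested in the answer above, written out as an added example (this is not code from the question, the answer, or AWS). A single static header value is the minimum the answer describes; this example goes one step further and signs each request with HMAC-SHA256 over a timestamp, the method, the path and a hash of the body, so that a captured request cannot be replayed after a short window and the body cannot be altered in transit. The Lambda side produces the headers, the third-party side verifies them with a constant-time comparison. The header names, the client id, the shared secret and the clock-skew limit are all assumptions chosen for illustration, and the sample request is constructed.

```python
# Added example, not from the original Q&A: HMAC-signed request headers as a
# substitute for IP allow-listing. Header names, client id, secret and the
# 300-second skew window are illustrative assumptions. Standard library only.
import hashlib
import hmac
import time

CLIENT_ID_HEADER = "X-Client-Id"
TIMESTAMP_HEADER = "X-Timestamp"
SIGNATURE_HEADER = "X-Signature"
MAX_CLOCK_SKEW_SECONDS = 300  # assumed replay window; tune to real clock drift

# Constructed sample secret. In a real Lambda this would be read from
# Secrets Manager or an encrypted environment variable, never from source.
SHARED_SECRETS = {"lambda-invoicing": b"constructed-demo-secret-change-me"}


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind the signature to everything the receiver will act on.

    Hashing the body keeps the canonical string small for large payloads
    while still detecting any change to it.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(client_id: str, secret: bytes, method: str, path: str,
                 body: bytes, timestamp: int) -> dict:
    """Lambda (caller) side: produce the three auth headers for one request."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {
        CLIENT_ID_HEADER: client_id,
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: mac.hexdigest(),
    }


def verify_request(headers: dict, method: str, path: str, body: bytes,
                   now: int, secrets: dict = SHARED_SECRETS) -> bool:
    """Third-party (receiver) side: accept only a fresh, untampered,
    correctly signed request. Every failure path returns False without
    revealing which check failed."""
    secret = secrets.get(headers.get(CLIENT_ID_HEADER, ""))
    if secret is None:
        return False  # unknown or missing client id
    try:
        ts = int(headers.get(TIMESTAMP_HEADER, ""))
    except ValueError:
        return False  # missing or malformed timestamp
    if abs(now - ts) > MAX_CLOCK_SKEW_SECONDS:
        return False  # too old (replay) or too far in the future
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot recover
    # the signature byte by byte from response timing.
    return hmac.compare_digest(expected, headers.get(SIGNATURE_HEADER, ""))


def demo() -> dict:
    """Exercise the happy path and the three failure modes a practitioner
    should check; returns the outcomes rather than only printing them."""
    client_id = "lambda-invoicing"
    secret = SHARED_SECRETS[client_id]
    method, path = "POST", "/v1/invoices"
    body = b'{"amount":10,"currency":"EUR"}'  # constructed sample payload
    ts = int(time.time())
    headers = sign_request(client_id, secret, method, path, body, ts)
    return {
        "valid": verify_request(headers, method, path, body, now=ts + 5),
        "tampered_body": verify_request(headers, method, path, b'{"amount":9999}', now=ts + 5),
        "replayed_late": verify_request(headers, method, path, body, now=ts + MAX_CLOCK_SKEW_SECONDS + 1),
        "unknown_client": verify_request({**headers, CLIENT_ID_HEADER: "other"}, method, path, body, now=ts + 5),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two points about the design. The signature is only as good as the transport: the headers must travel over TLS, otherwise the timestamp window is the only thing limiting replay of a sniffed request. And keying the secret map by client id is what makes rotation workable: the third party can hold two secrets for the same client during a rotation instead of coordinating a cut-over, which is exactly the churn the question is trying to avoid with IP ranges.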