Reputation: 321
I have simply made a serverless endpoint to check a token. Let's say the path is "/checktoken". I want to access it only from my IP address; that's why I connected my Lambda to a VPC (2 private subnets and a security group).
But the problem is that even though I made the security group inbound/outbound rules for HTTPS with my IP address, I can still request the endpoint from a different IP address.
I have used AWS: CloudFront + Route 53 for DNS, Lambda + API Gateway for the endpoint.
I made an IP whitelist with a resource policy in API Gateway, which works, but it's not the solution I want.
The required solution is that the VPC's security group should allow requests only from the whitelisted IP in its rule.
Upvotes: 2
Views: 12358
Reputation: 1002
Try black/white listing IP addresses:
https://www.npmjs.com/package/serverless-secure
Upvotes: 0
Reputation: 35188
Adding the Lambda to a VPC will not direct traffic to the Lambda through your VPC.
In fact, the Lambda is invoked through the Lambda API service endpoint, therefore inbound evaluation rules will have no effect on it at all. The purpose of a Lambda residing in a VPC is to access VPC resources.
The technical implementation is that an ENI is created in your VPC that connects to the Lambda function in a shared AWS VPC. The Lambda is able to route out of its shared VPC to connect to resources.
When you configure your Lambda function to connect to your own VPC, it creates an elastic network interface in your VPC and then does a cross-account attachment. These network interfaces allow network access from your Lambda functions to your private resources. These Lambda functions continue to run inside of the Lambda service’s VPC and can now only access resources over the network through your VPC.
You will need to add these IP whitelists at either the CloudFront level through the use of an AWS WAF (using an IPSet), or through the API Gateway as a WAF or resource policy (as you mentioned above).
Upvotes: 11
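As an added illustration of the point above (this is example code, not from the answer or from AWS), here is the shape of an API Gateway resource policy that restricts execute-api:Invoke to a whitelist of source CIDRs, plus a small evaluator that applies the same allow/explicit-deny logic so you can check offline which source addresses would get through. The API ARN, the CIDR and the sample request addresses are constructed placeholders; replace them with your own. One caveat that matters for the CloudFront + API Gateway setup in the question: when requests reach API Gateway through CloudFront, aws:SourceIp is the CloudFront edge address, not the end user's, so in that topology the IP restriction belongs in a WAF IPSet attached to the CloudFront distribution, and the resource policy should instead be used to make sure the API is reachable only via CloudFront.

```python
import ipaddress
import json

# Hypothetical values (constructed for this example): replace with your own
# API's region/account/id and your real public IP range.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:abcde12345/*"
ALLOWED_CIDRS = ["203.0.113.0/24"]  # TEST-NET-3, a documentation range


def build_resource_policy(api_arn, allowed_cidrs):
    """Return an API Gateway resource policy document that allows
    execute-api:Invoke from everyone and then explicitly denies any caller
    whose source IP is NOT in allowed_cidrs (explicit Deny wins in IAM)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def _condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp.
    A statement with no Condition always matches."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        in_any = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def evaluate(policy, source_ip):
    """Simplified IAM evaluation for this policy shape: if any Deny statement
    matches the request it wins; otherwise Allow if some Allow matched;
    otherwise the implicit default is Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    policy = build_resource_policy(API_ARN, ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    # Constructed sample callers: one inside the whitelist, one outside it.
    for caller in ("203.0.113.7", "198.51.100.9"):
        print(caller, "->", evaluate(policy, caller))
```

The evaluator is intentionally limited to the two IP operators used here; it is a way to sanity-check the CIDR list before deploying, not a substitute for testing the deployed policy. Note also that the security group on the Lambda's ENI plays no part in this decision, which is exactly why the question's approach cannot work.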
Reputation: 238319
thats why connect my Lambda with VPC(2private subnets and security group)
Placing a Lambda function in a VPC and giving it a security group does not have any effect on whether API Gateway can invoke it or not.
API Gateway does not use the elastic network interface (ENI) of the Lambda in the VPC to invoke it. It's done using the Lambda service endpoint.
You can use WAF to control access to your CloudFront distribution:
Upvotes: 7