Aleix

Reputation: 461

Connecting Lambda with resources within a VPC

A Redshift cluster is within a VPC that has no direct exposure to the internet, but it can be reached with SSH tunneling.

I have a Lambda function that needs to connect both to the internet and to this Redshift cluster.

What would be the most natural way to do it?

Should I try SSH tunneling to the Redshift public IP from my Lambda? How would I achieve this?

Should I put my Lambda in another 'internet open' VPC and allow VPC peering? Would this cause security issues?

Thanks a lot.

Upvotes: 0

Views: 630

Answers (1)

John Rotenstein

Reputation: 270134

You basically have two choices:

  • Put the Lambda function in the same VPC as the Amazon Redshift cluster, or
  • Put the Lambda function outside the VPC

If the Lambda function is in the same VPC so that it can communicate with the Redshift cluster, and it also requires Internet access, then the configuration would be:

  • Attach the Lambda function to private subnet(s)
  • Create a NAT Gateway or a NAT Instance in a public subnet
  • Update the Route Table of the private subnet(s) to send Internet-bound traffic to the NAT Gateway/NAT Instance

If the Lambda function is outside the VPC, it would need some means of accessing the Redshift cluster. This would be rather messy and would probably be bad for security (e.g. exposing a port to the Internet). I advise against it.

There is a third method that I would not normally suggest, but might be suitable for you. It involves:

  • Associating the Lambda function with a public subnet
  • Attaching an Elastic IP address to the Elastic Network Interface (ENI) that is created by the Lambda function

When a Lambda function attaches to a subnet, it creates an ENI. This is the connection between the Lambda function and the VPC. (Actually, it's a connection between the containers that run the Lambda function, and the VPC.)

I noticed that I can attach an Elastic IP address to the ENI and this grants Internet access to the Lambda function. However, ENIs might be created/destroyed by the Lambda service, so this wouldn't necessarily keep working. That is, the ENI might not persist, so the Elastic IP address might not always be attached. Therefore, I advise using this method with caution.

The "correct" method is to use a NAT Gateway or NAT Instance.

Upvotes: 2
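The "correct" layout from the answer above (Lambda in private subnets, NAT Gateway in a public subnet, private route table pointing at the NAT, Redshift reachable only from the Lambda's security group), written out as a Terraform configuration. This is an added example, not code from the answer or from AWS. It assumes the VPC, its internet gateway and the Redshift cluster's security group already exist and are passed in as variables (`vpc_id`, `igw_id`, `redshift_sg_id`); the CIDR ranges, resource names and the `app.zip` deployment package are placeholders you would replace with your own.

```hcl
# Added example: Lambda in a private subnet, egress through a NAT Gateway,
# inbound to Redshift restricted to the Lambda's security group.
# Assumed inputs (existing resources): VPC, its internet gateway, Redshift SG.
variable "vpc_id"         { type = string }
variable "igw_id"         { type = string }   # internet gateway already attached to the VPC
variable "redshift_sg_id" { type = string }   # security group on the Redshift cluster

# Public subnet: only the NAT Gateway lives here.
resource "aws_subnet" "public" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.100.0/24"   # assumed unused range inside the VPC
}

resource "aws_route_table" "public" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id      # the NAT Gateway itself needs a path to the IGW
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
}

# Private subnet for the Lambda ENIs; its default route goes to the NAT Gateway.
resource "aws_subnet" "private" {
  vpc_id     = var.vpc_id
  cidr_block = "10.0.101.0/24"   # assumed unused range inside the VPC
}

resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group for the Lambda ENIs: no inbound rules, outbound anywhere (via NAT).
resource "aws_security_group" "lambda" {
  name   = "lambda-redshift-client"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Only the Lambda SG may reach Redshift (default port 5439); nothing is opened to the internet.
resource "aws_security_group_rule" "redshift_from_lambda" {
  type                     = "ingress"
  security_group_id        = var.redshift_sg_id
  from_port                = 5439
  to_port                  = 5439
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda.id
}

# Execution role; the managed VPC-access policy grants the ENI create/describe/delete
# permissions the Lambda service needs to attach the function to the subnet.
resource "aws_iam_role" "lambda" {
  name = "lambda-redshift-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "worker" {
  function_name = "redshift-worker"
  role          = aws_iam_role.lambda.arn
  handler       = "app.handler"
  runtime       = "python3.12"
  filename      = "app.zip"      # assumed deployment package
  vpc_config {
    subnet_ids         = [aws_subnet.private.id]   # private subnet only, never the public one
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

Two checks worth doing after `terraform apply`: confirm the Lambda's ENIs land in the private subnet (an ENI in the public subnet gets no public IP, so it would have no internet path even with the IGW route), and confirm the Redshift security group has no `0.0.0.0/0` ingress left over from any earlier SSH-tunnel setup, since the source-security-group rule above is what replaces it.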
