Connecting inbound interface VPC endpoints for Lambda - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting inbound interface VPC endpoints for Lambda

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a connection between your VPC and Lambda. You can use this connection to invoke your Lambda function without crossing the public internet.

To establish a private connection between your VPC and Lambda, create an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, which enables you to privately access Lambda APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Lambda APIs. Traffic between your VPC and Lambda does not leave the Amazon network.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets. A network interface provides a private IP address that serves as an entry point for traffic to Lambda.

Considerations for Lambda interface endpoints

Before you set up an interface endpoint for Lambda, be sure to review Interface endpoint properties and limitations in the Amazon VPC User Guide.

You can call any of the Lambda API operations from your VPC. For example, you can invoke the Lambda function by calling the Invoke API from within your VPC. For the full list of Lambda APIs, see Actions in the Lambda API reference.

use1-az3 is a limited capacity Region for Lambda VPC functions. You shouldn't use subnets in this availability zone with your Lambda functions because this can result in reduced zonal redundancy in the event of an outage.

Keep-alive for persistent connections

Lambda purges idle connections over time, so you must use a keep-alive directive to maintain persistent connections. Attempting to reuse an idle connection when invoking a function results in a connection error. To maintain your persistent connection, use the keep-alive directive associated with your runtime. For an example, see Reusing Connections with Keep-Alive in Node.js in the Amazon SDK for JavaScript Developer Guide.

Billing Considerations

There is no additional cost to access a Lambda function through an interface endpoint. For more Lambda pricing information, see Amazon Lambda Pricing.

Standard pricing for Amazon PrivateLink applies to interface endpoints for Lambda. Your Amazon account is billed for every hour an interface endpoint is provisioned in each Availability Zone and for data processed through the interface endpoint. For more interface endpoint pricing information, see Amazon PrivateLink pricing.

VPC Peering Considerations

You can connect other VPCs to the VPC with interface endpoints using VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your own two VPCs, or with a VPC in another Amazon account. The VPCs can also be in two different Amazon Regions.

Traffic between peered VPCs stays on the Amazon network and does not traverse the public internet. Once VPCs are peered, resources like Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) instances, or VPC-enabled Lambda functions in both VPCs can access the Lambda API through interface endpoints created in one of the VPCs.

Creating an interface endpoint for Lambda

You can create an interface endpoint for Lambda using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

To create an interface endpoint for Lambda (console)
  1. Open the Endpoints page of the Amazon VPC console.

  2. Choose Create Endpoint.

  3. For Service category, verify that Amazon services is selected.

  4. For Service Name, choose com.amazonaws.region.lambda. Verify that the Type is Interface.

  5. Choose a VPC and subnets.

  6. To enable private DNS for the interface endpoint, select the Enable DNS Name check box.

  7. For Security group, choose one or more security groups.

  8. Choose Create endpoint.

To use the private DNS option, you must set the enableDnsHostnames and enableDnsSupport attributes of your VPC. For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide. If you enable private DNS for the interface endpoint, you can make API requests to Lambda using its default DNS name for the Region, for example, lambda.us-east-1.amazonaws.com. For more service endpoints, see Service endpoints and quotas in the Amazon Web Services General Reference.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

For information about creating and configuring an endpoint using Amazon CloudFormation, see the AWS::EC2::VPCEndpoint resource in the Amazon CloudFormation User Guide.

To create an interface endpoint for Lambda (Amazon CLI)

Use the create-vpc-endpoint command and specify the VPC ID, VPC endpoint type (interface), service name, subnets that will use the endpoint, and security groups to associate with the endpoint's network interfaces. For example:

aws ec2 create-vpc-endpoint --vpc-id vpc-ec43eb89 --vpc-endpoint-type Interface \
    --service-name com.amazonaws.us-east-1.lambda \
    --subnet-id subnet-abababab \
    --security-group-id sg-1a2b3c4d

Creating an interface endpoint policy for Lambda

To control who can use your interface endpoint and which Lambda functions the user can access, you can attach an endpoint policy to your endpoint. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that the principal can perform.

  • The resources on which the principal can perform actions.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: Interface endpoint policy for Lambda actions

The following is an example of an endpoint policy for Lambda. When attached to an endpoint, this policy allows user MyUser to invoke the function my-function.

Note

You need to include both the qualified and the unqualified function ARN in the resource.

{
    "Statement": [
        {
            "Principal": {
                "AWS": "arn:aws-cn:iam::111122223333:user/MyUser"
            },
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws-cn:lambda:us-east-2:123456789012:function:my-function",
                "arn:aws-cn:lambda:us-east-2:123456789012:function:my-function:*"
            ]
        }
    ]
}
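The note above is easy to get wrong by hand: a policy that lists only the unqualified function ARN silently fails to cover invocations that target a version or alias. The following added example (not code from the AWS documentation) builds an endpoint policy with both ARN forms from a plain function ARN and checks an existing policy document for InvokeFunction resources that lack their ":*" twin; the principal and function ARNs are constructed sample values.

```python
import re

# Lambda function ARN with an optional qualifier (version, alias or "*").
# Added example, not code from the AWS documentation; the ARNs used with
# these functions are constructed sample values.
FUNCTION_ARN = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):lambda:[a-z0-9-]+:\d{12}:function:"
    r"[A-Za-z0-9_-]+(?::(?P<qualifier>[A-Za-z0-9_$-]+|\*))?$"
)


def invoke_resources(function_arn: str) -> list[str]:
    """Return the unqualified ARN and its ':*' qualified twin for one function."""
    m = FUNCTION_ARN.match(function_arn)
    if not m:
        raise ValueError(f"not a Lambda function ARN: {function_arn}")
    # Strip any version/alias so both forms are derived from the base ARN.
    base = function_arn.rsplit(":", 1)[0] if m.group("qualifier") else function_arn
    return [base, base + ":*"]


def build_endpoint_policy(principal_arn: str, function_arns: list[str]) -> dict:
    """Endpoint policy letting one principal invoke the given functions."""
    resources = [r for arn in function_arns for r in invoke_resources(arn)]
    return {"Statement": [{
        "Principal": {"AWS": principal_arn},
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction"],
        "Resource": resources,
    }]}


def missing_qualified_arns(policy: dict) -> list[str]:
    """List unqualified function ARNs in Allow/InvokeFunction statements with no ':*' form."""
    missing = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
            {"lambda:InvokeFunction", "lambda:*", "*"} & set(actions)
        ):
            continue
        res = stmt.get("Resource", [])
        res = {res} if isinstance(res, str) else set(res)
        for r in sorted(res):
            m = FUNCTION_ARN.match(r)
            if m and not m.group("qualifier") and r + ":*" not in res:
                missing.append(r)
    return missing
```

Run missing_qualified_arns over the JSON you are about to attach with --policy-document; an empty list means every function ARN is present in both forms.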