Amazon Lambda VPC configuration in Amazon ParallelCluster
Amazon ParallelCluster uses Amazon Lambda to perform operations during the lifecycle of the cluster. An Amazon Lambda function always runs in a VPC owned by the Lambda service. This Lambda function can also be connected to private subnets in a virtual private cloud (VPC) to access private resources.
Note
Lambda functions can't connect directly to a VPC with dedicated instance tenancy. To reach resources in a dedicated VPC, peer the dedicated VPC to a second VPC that uses default tenancy; the Lambda function connects to the default-tenancy VPC and reaches the dedicated VPC over the peering connection.
For more information, see Dedicated Instances in the Amazon EC2 User Guide for Linux Instances and How do I connect a Lambda function to a dedicated VPC?
Lambda functions that are created by Amazon ParallelCluster can be connected to a private VPC. These Lambda functions need to access Amazon Web Services services. You can provide access through the internet or VPC endpoints by using the following methods.
- Internet access: To access the internet and Amazon Web Services services, a Lambda function requires network address translation (NAT). Route outbound traffic from your private subnet to a NAT gateway in a public subnet.
- VPC endpoints: Several Amazon services offer VPC endpoints. You can use VPC endpoints to connect to Amazon Web Services services from a VPC that doesn't have internet access. To view the list of Amazon ParallelCluster VPC endpoints, see Networking.
Note
Every combination of subnets and security groups must provide access to Amazon Web Services services using one of these methods. Subnets and security groups must be in the same VPC.
For more information, see VPC endpoints in the Amazon Virtual Private Cloud User Guide and Internet and service access for VPC-connected functions in the Amazon Lambda Developer Guide.
To configure the use of Lambda functions and VPCs, see DeploymentSettings / LambdaFunctionsVpcConfig for clusters or DeploymentSettings / LambdaFunctionsVpcConfig for images.
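The two rules above (one VPC for all subnets and security groups; every subnet reaches the needed services through a NAT route or through interface endpoints) are easy to get wrong silently, because a misconfigured subnet only shows up later as a Lambda timeout during cluster creation. The following checker is an added example, not ParallelCluster's own code. It takes the SubnetIds and SecurityGroupIds from a LambdaFunctionsVpcConfig and evaluates them against dictionaries shaped like the EC2 DescribeSubnets, DescribeSecurityGroups, DescribeRouteTables and DescribeVpcEndpoints responses, so real boto3 output can be passed in unchanged. The subnet, security group, gateway and endpoint service names in the sample data are constructed; the actual list of services your cluster must reach comes from the Networking page, not from this example.

```python
"""Offline checks for a ParallelCluster DeploymentSettings / LambdaFunctionsVpcConfig.

Added example, not ParallelCluster code. Input dictionaries mimic the shape of the EC2
DescribeSubnets, DescribeSecurityGroups, DescribeRouteTables and DescribeVpcEndpoints
responses; the sample data at the bottom is constructed for illustration.
"""


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """The route table governing a subnet: its explicit association, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route (nat-..., igw-..., ...), or None when the subnet is isolated."""
    if route_table is None:
        return None
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId") or ""
    return None


def endpoint_services_in_subnet(subnet_id, vpc_id, endpoints):
    """Service names reachable through interface endpoints that place an ENI in this subnet."""
    return {
        ep["ServiceName"]
        for ep in endpoints
        if ep["VpcId"] == vpc_id
        and ep["VpcEndpointType"] == "Interface"
        and subnet_id in ep.get("SubnetIds", [])
    }


def check_lambda_vpc_config(config, subnets, security_groups, route_tables, endpoints, required_services):
    """Return a list of findings; an empty list means the configuration satisfies both rules."""
    findings = []
    subnet_by_id = {s["SubnetId"]: s for s in subnets}
    sg_by_id = {g["GroupId"]: g for g in security_groups}

    # Rule 1: subnets and security groups must all belong to one VPC.
    vpc_ids = set()
    for sid in config["SubnetIds"]:
        if sid in subnet_by_id:
            vpc_ids.add(subnet_by_id[sid]["VpcId"])
        else:
            findings.append(f"{sid}: unknown subnet")
    for gid in config["SecurityGroupIds"]:
        if gid in sg_by_id:
            vpc_ids.add(sg_by_id[gid]["VpcId"])
        else:
            findings.append(f"{gid}: unknown security group")
    if len(vpc_ids) != 1:
        findings.append(f"subnets and security groups do not share a single VPC: {sorted(vpc_ids)}")
        return findings
    vpc_id = vpc_ids.pop()

    # Rule 2: every subnet needs a NAT route, or interface endpoints for every required service.
    for sid in config["SubnetIds"]:
        if sid not in subnet_by_id:
            continue
        target = default_route_target(route_table_for_subnet(sid, vpc_id, route_tables))
        if target and target.startswith("nat-"):
            continue  # outbound traffic leaves through a NAT gateway
        missing = set(required_services) - endpoint_services_in_subnet(sid, vpc_id, endpoints)
        if not missing:
            continue  # every required service is reachable privately
        reason = f"no NAT route and no interface endpoint for {sorted(missing)}"
        if target and target.startswith("igw-"):
            # Lambda ENIs carry private addresses only, so an internet gateway route does not help.
            reason += " (a route to an internet gateway gives a Lambda ENI no internet access)"
        findings.append(f"{sid}: {reason}")
    return findings


# Constructed sample data (not from a real account). The two service names stand in for the
# services listed on the Networking page.
REQUIRED_SERVICES = ["com.amazonaws.us-east-1.ec2", "com.amazonaws.us-east-1.cloudformation"]
SUBNETS = [{"SubnetId": s, "VpcId": "vpc-a"} for s in ("subnet-nat", "subnet-isolated", "subnet-public")]
SECURITY_GROUPS = [{"GroupId": "sg-a", "VpcId": "vpc-a"}, {"GroupId": "sg-other", "VpcId": "vpc-b"}]
ROUTE_TABLES = [
    {"VpcId": "vpc-a", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"VpcId": "vpc-a", "Associations": [{"SubnetId": "subnet-nat"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"VpcId": "vpc-a", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]
ENDPOINTS = [{"VpcId": "vpc-a", "VpcEndpointType": "Interface", "ServiceName": s,
              "SubnetIds": ["subnet-isolated"]} for s in REQUIRED_SERVICES]

GOOD_CONFIG = {"SubnetIds": ["subnet-nat", "subnet-isolated"], "SecurityGroupIds": ["sg-a"]}
CROSS_VPC_CONFIG = {"SubnetIds": ["subnet-nat"], "SecurityGroupIds": ["sg-a", "sg-other"]}
PUBLIC_ONLY_CONFIG = {"SubnetIds": ["subnet-public"], "SecurityGroupIds": ["sg-a"]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("cross-vpc", CROSS_VPC_CONFIG), ("public-only", PUBLIC_ONLY_CONFIG)):
        result = check_lambda_vpc_config(cfg, SUBNETS, SECURITY_GROUPS, ROUTE_TABLES, ENDPOINTS, REQUIRED_SERVICES)
        print(name, result or "OK")
```

The isolated subnet passes only because every required service has an interface endpoint with an ENI in that subnet; the public subnet fails even though it has a default route, because the route points at an internet gateway and a Lambda ENI has no public address to use it with. Run against real account data, replace the sample lists with the corresponding boto3 `describe_*` results and REQUIRED_SERVICES with the endpoint list from the Networking page.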