Is it possible to assign a public IP to a Lambda function in AWS?

Question

We need to access APIs in a corporate backend that accept calls only from authorised IP addresses.

At this moment our mobile clients are calling an AWS Lambda function that performs some transformations and then calls another service on an EC2 instance that has the authorised public IP address assigned. This second service performs the final call to the corporate backend returning the data to the lambda and then to the clients.

This is working fine, but it adds some unnecessary complexity to the architecture that we wish to avoid.

Is it possible to assign the public IP to the lambda function somehow to avoid having this extra service in EC2?

Thanks,

GA

Answer 1

The straightforward solution is this:

• create a NAT Instance or NAT Gateway with an Elastic IP address

• create a private VPC subnet which uses the NAT device as its default route

• deploy the Lambda function in VPC, associated with that private subnet.

Each Lambda container created will have an elastic network interface (ENI) on that private subnet, which means the NAT device will be its default gateway, which means the NAT device's EIP will be its source IP address for internally-originated connections that are bound for the Internet.

No change to the lambda function code, itself is required.

The above is the official solution.

Note also that with current technology, placing a Lambda funcion inside a VPC will have an impact on cold-start times, any time a new Elastic Network Interface (ENI) needs to be allocated.

When a Lambda function is configured to run within a VPC, it incurs an additional ENI start-up penalty.

https://docs.aws.amazon.com/lambda/latest/dg/vpc.html