12

I am running AWS Lambda functions in a VPC.

And during the course of the project I have hit problems because:

  • no access to my database - had to solve this somehow
  • no access to AWS SES - had to find workaround
  • no access to AWS SQS - removed all queuing functionality from Lambda functions
  • no access to external Internet - still don't know how to implement reCAPTCHA without Internet access
  • no access to AWS Cognito - cannot get information about logged in users

I COULD implement a NAT gateway in the VPC but what is the point of serverless if I have to run a NAT server instance? That's not serverless.

So finally AWS has worn me down and I have decided to give up on running my AWS Lambda functions in a VPC - without endpoints for Internet proxying and the various AWS services it's just too hard.

So my question is - what is the downside/disadvantage of running my AWS Lambda functions with no VPC?

Ramón J Romero y Vigil
Duke Dougal

4 Answers

15

If you need access to resources within a VPC, then run your AWS Lambda function within a VPC. If you do not require this access, then do not run it within a VPC.

If you require Internet access, then you should connect your Lambda functions to a Private Subnet and use a NAT Gateway, which is a fully-managed NAT so you can remain serverless. It will solve the problems you listed.

John Rotenstein
  • 4
    As John says, there are more downsides to running it in a VPC than outside a VPC. Outside the VPC it would automatically have Internet access. Cold starts outside the VPC would be faster because it wouldn't need to create an ENI to access your VPC. Don't run a Lambda function inside a VPC unless your function needs to access resources that exist inside your VPC. – Mark B Aug 09 '17 at 22:52
  • Should I run lambda function in VPC: http://docs.aws.amazon.com/lambda/latest/dg/best-practices.html#lambda-vpc – wanghq Oct 17 '17 at 23:43
  • 3
    @MarkB "Outside the VPC it would automatically have Internet access." didn't know this before. Thanks! – Sateesh Pagolu Apr 02 '18 at 04:51
  • @MarkB if a Lambda function runs inside the Default VPC (which has internet access by default), would it be able to access SQS? – Alisson Reinaldo Silva Jul 23 '20 at 16:48
  • 1
    @Alisson a default VPC is no different from other VPCs in this regard. What you are referring to as "internet access by default" is just a public subnet with an internet gateway attached. You would have to add a NAT Gateway to the VPC, and private subnets with a route to the NAT, and then place the Lambda functions in private subnet in order to give it Internet access. Or add an SQS VPC endpoint to the VPC. – Mark B Jul 23 '20 at 18:18
  • @MarkB after reading more, I understand why Lambda in public subnet with IGW doesn't have internet access. The ENI associated with Lambda doesn't have EIP. My function needs internet access, so placing it in a private subnet with a NAT Gateway solves it. But what about attaching EIP to the ENI instead? I tested and it worked. It seems like in the past this wouldn't work because new lambda instances would launch new ENIs, but [AWS recently improved this](https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/). – Alisson Reinaldo Silva Jul 26 '20 at 21:53
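The answer and the comments above boil down to a routing question: a VPC-attached function only gets egress if the subnet's default route points at a NAT gateway (or NAT instance), and a public subnet whose default route is an Internet gateway gives the function nothing, because the Lambda ENI has no public IP; alternatively, an AWS service can be reached through a VPC endpoint. The script below is an added example, not code from the original answer or from AWS: it classifies the subnets in a function's VpcConfig and decides how each needed service would be reached. The dicts are modelled on the response shape of the EC2 `describe_route_tables()` and `describe_vpc_endpoints()` calls, and all sample data (subnet, gateway and endpoint IDs) is constructed for the example so it runs offline.

```python
"""Audit how a VPC-attached Lambda function can reach the Internet / AWS APIs.

Route table and endpoint dicts follow the boto3 EC2 response shape for
describe_route_tables() / describe_vpc_endpoints(); the data below is constructed.
"""
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample data: one main table with a NAT route, one public subnet
# table routed to an Internet gateway, one isolated table with only the local route.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-0aaa", "RouteTableId": "rtb-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0123456789abcdef0", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-isolated",
        "Associations": [{"Main": False, "SubnetId": "subnet-0ccc", "RouteTableId": "rtb-isolated"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]

SAMPLE_VPC_ENDPOINTS: List[Dict] = [
    {"VpcEndpointId": "vpce-0123456789abcdef0", "ServiceName": "com.amazonaws.eu-west-1.sqs",
     "VpcEndpointType": "Interface", "State": "available"},
]


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables: List[Dict], subnet_id: str) -> str:
    """Decide whether a Lambda ENI placed in this subnet can reach the Internet."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "no-route-table"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE or route.get("State", "active") != "active":
            continue
        if route.get("NatGatewayId"):
            return "private-nat"            # managed NAT: the function has egress
        if route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private-nat-instance"   # self-managed NAT: egress, but you run it
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public-igw"             # Lambda ENI has no public IP: no egress
    return "isolated"                       # local route only


def service_endpoints(vpc_endpoints: List[Dict], region: str, service: str) -> List[Dict]:
    """Available VPC endpoints for an AWS service, e.g. service='sqs'."""
    name = f"com.amazonaws.{region}.{service}"
    return [ep for ep in vpc_endpoints if ep.get("ServiceName") == name and ep.get("State") == "available"]


def audit_function(vpc_config: Dict, route_tables: List[Dict], vpc_endpoints: List[Dict],
                   region: str, needed_services: List[str]) -> Dict:
    """Per-subnet egress class plus, per service, how the function would reach it."""
    subnets = {sid: classify_subnet(route_tables, sid) for sid in vpc_config.get("SubnetIds", [])}
    has_egress = any(c in ("private-nat", "private-nat-instance") for c in subnets.values())
    services = {}
    for svc in needed_services:
        if service_endpoints(vpc_endpoints, region, svc):
            services[svc] = "vpc-endpoint"
        else:
            services[svc] = "via-nat" if has_egress else "unreachable"
    return {"subnets": subnets, "services": services}


def run_example() -> Dict:
    """Hypothetical function attached to one public and one private subnet."""
    vpc_config = {"SubnetIds": ["subnet-0aaa", "subnet-0bbb"]}
    return audit_function(vpc_config, SAMPLE_ROUTE_TABLES, SAMPLE_VPC_ENDPOINTS,
                          "eu-west-1", ["sqs", "ses", "cognito-idp"])


if __name__ == "__main__":
    print(run_example())
```

Note that only subnets with a route to a NAT count as giving egress: the public subnet is reported as `public-igw` and, on its own, leaves every service without a VPC endpoint `unreachable`. Checking the real account means swapping the constructed lists for the `RouteTables` and `VpcEndpoints` arrays of the corresponding boto3 calls and the function's `VpcConfig` from `get_function_configuration()`.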
5

AWS has provided a reference document for Lambda deployments: Serverless Application Lens, AWS Well-Architected Framework. In it they provide the following decision tree:

[Image: Decision tree for deploying a Lambda function in a VPC]

The only major downside noted is that a Lambda outside of a VPC cannot directly access private resources within a VPC.

Ramón J Romero y Vigil
1

One reason to create a Lambda in a VPC would be that you have a specific IP or IP range for it. This could be the case if a system only accepts calls from a specific IP, which would need to be whitelisted for it.

A fixed IP for a Lambda function is discussed here: Is there a way to assign a Static IP to a AWS Lambda without VPC?

Downside of not having Lambda in a VPC: not having a specific IP / IP range for your Lambda function.

Manu
-2

In the end I stayed with the VPC but I added an EC2 instance into the VPC and ran TinyProxy on it. I then configured my AWS Lambda functions with the environment variable:

HTTPS_PROXY https://ip-10-0-1-53.eu-west-1.compute.internal:8888

boto3 picked up the environment variable and sent all requests to the proxy. This seems to work fine without the complexity of a NAT gateway.

Duke Dougal
  • 1
    You do understand that a "NAT Gateway" in the AWS sense is not a server... right? The NAT Gateway service is a function of the network infrastructure which, once provisioned, "just works." It doesn't run on a VM and doesn't require maintenance or monitoring. – Michael - sqlbot Aug 09 '17 at 10:42
  • 2
    @michael-sqlbot - yes but you need to pay by the hour the the NAT gateway, so its the same thing to me. – Duke Dougal Aug 09 '17 at 21:09
  • 5
    @DukeDougal I believe he is specifically commenting on your statement "without the complexity of a NAT gateway". Your solution was more complex than using a NAT gateway would have been, and is now a single point of failure. – Mark B Aug 09 '17 at 22:54
  • 1
    Running a small ec2 instance is $0.02 an hour or less. For many of us, using lambda is free. Setting up lambda with a NAT for $0.045 an hour pretty much completely voids any reason to use it (if it needs to be in the vpc, obviously outside the vpc, everything is fine). The proxy is a nice idea, but unless you really need the free computing from lambda, I'm thinking you might as well just run your lambda function as a normal program from the ec2 instance – chrismarx Jun 14 '18 at 13:28