4

I have provisioned an AWS API Gateway and created a Lambda function to connect to an external REST API. The API Gateway & Lambda are not in a VPC, so the egress IP address is random. The challenge I have is the external REST API is behind a firewall, which requires the IP address or subnet of the Lambda to be whitelisted.

I have looked at the AWS IP Address page (below), however there is no explicit mention of either API Gateway or Lambda.

https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#filter-json-file

Has anyone come across this before & found a resolution to it? For the purposes of this solution I cannot put the API Gateway & Lambdas in a VPC.

Any help would be greatly appreciated!

John Rotenstein
user10540547
    You should find that the egress addresses for Lambda functions are from the `EC2` blocks for the relevant region, and these blocks are far too large to submit to your vendor for whitelisting. @jarmod is correct, below -- using functions in a VPC with a NAT Gateway (or NAT Instance) with an elastic IP is the solution. – Michael - sqlbot Feb 15 '19 at 18:19

2 Answers

8

API Gateway seems to be irrelevant to this discussion. If I understand your question, you're trying to make API requests from a Lambda function to a remote API server and you want those requests to originate from a known IP address so that you can whitelist that IP at the remote server.

First thing I would say is don't use IP whitelisting; use authenticated API requests instead.

If that's not possible then use VPC with an Internet Gateway (IGW). Create a NAT and an Elastic IP, launch the Lambda into a private subnet of that VPC, and route the subnet's non-local traffic to the NAT. Then whitelist the NAT's Elastic IP on the remote API server. Examples here and here.

I know that you said you "cannot put [...] Lambdas in a VPC", but if you don't then you have no control over the originating IP address.

jarmod
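The VPC, NAT Gateway and Elastic IP layout this answer describes, written out as a Terraform configuration. This is an added example, not code from the answer or from AWS; it assumes the AWS provider 5.x (`domain = "vpc"` on the EIP), an existing execution role passed in as `var.lambda_role_arn` that carries the AWSLambdaVPCAccessExecutionRole policy, and a deployment package `function.zip` built separately.

```hcl
resource "aws_vpc" "egress" {
  cidr_block = "10.20.0.0/16"
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.egress.id
}
# Public subnet holds only the NAT Gateway; the function never gets a public IP.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.egress.id
  cidr_block = "10.20.0.0/24"
}
# The public subnet uses the VPC main route table, which sends 0.0.0.0/0 to the IGW.
resource "aws_default_route_table" "public" {
  default_route_table_id = aws_vpc.egress.default_route_table_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_eip" "nat" { # this is the one fixed address the vendor allowlists
  domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}
# Private subnet for the function's ENIs; its default route goes to the NAT.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.egress.id
  cidr_block = "10.20.1.0/24"
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.egress.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
resource "aws_lambda_function" "caller" {
  function_name = "external-api-caller"
  role          = var.lambda_role_arn # assumed: existing role with VPC access policy
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "function.zip"      # assumed: package built outside this config
  vpc_config {                        # attaching to the private subnet is what forces egress via the NAT
    subnet_ids         = [aws_subnet.private.id]
    security_group_ids = [aws_vpc.egress.default_security_group_id] # allows all egress; narrow it
  }
}
```

After `terraform apply`, `aws_eip.nat.public_ip` is the address to give the vendor; the default security group permits all outbound traffic, so restrict it to the vendor's address and port before production use.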
3

It is frustrating that the only way to ensure a Lambda function uses a static IP without a hack is to put the Lambda inside a VPC, create a NAT with an Elastic IP, as many other answers nicely explain.

However, NATs cost around $40 per month in regions that I am familiar with, even with minimal traffic. This may be cost prohibitive for certain use cases, such as if you need multiple dev/test/staging environments.

One possible workaround (which should be used with caution) is to create a micro EC2 instance with an elastic IP (which gives the static IP address), then your choice of proxy/routing so you can make HTTP calls by tunnelling from the Lambda function through the EC2 instance. (e.g. SSH from the Lambda function into the EC2 instance, then curl from EC2 to the endpoint which is protected by an allowlist)

This is a few extra hoops to jump through and could introduce security vulnerabilities which should be mitigated (e.g. Beware storing SSH keys or passwords inside a Lambda function, ensure Security Groups are tight) but I wanted to post this as a possible workaround for any devs who need a cost effective workaround for a requirement to connect to an endpoint which enforces allowlist rules.

pythonjsgeo
  • > "One possible workaround [...] then your choice of proxy/routing so you can make HTTP calls by tunnelling from the Lambda function through the EC2 instance" You don't need to resort to that kind of horrible hack. Just have your EC2 instance NAT from the private subnet of the lambda to the internet gateway. – NewbiZ Oct 22 '21 at 05:32
  • To avoid the $40/M fee, I'm trying to get fck-nat working, I feel like I'm nearly there, but it's very challenging getting it all working :'( – Jamie Nicholl-Shelley Jun 28 '23 at 14:58