AWS Lambda is serverless managed service. Lambda code will run without managing any server and provisioning any hardware. This post is not for Lambda feature but to Lambda Endpoint configuration. I am intend to keep that way.
Endpoints are used to connect AWS service programmatically. This connection uses “AWS privatelink“. In case organization does not want to expose VPC to public internet to communicate with AWS Lambda, endpoint comes to rescue. Endpoint is regional service.
Endpoint are two types –
I am using Endpoint Interface in my design. I have created two lambda function for testing. When endpoint is created and configured, we need to associate subnet with endpoint. Endpoint creates interface in environment and add allocate ip in all subnet where Endpoint is associated with. This interface\ip is been used for lambda invoking. Both lambda function will use same interface ip for communication.
Note : This is one of the usecase of endpoint. Main, usecase for endpoint is sharing lambda function or any other service as Software as service. Clients can share this service across AWS accounts or even across organization.
Above design, we can still implemented by defining VPC interface while creating Lamda function. Drawback here, if you have 10 lambda function to share in the VPC, we need 10 ip from subnet which is overkill. With endpoints you need just 1 ip to invoke all lambda function for given AWS account.
Download “lambda-endpoint-connection.yaml” file from below link –
Create user with access to run formation template.
Install AWS SDK and configure AWS environment. I am using “us-west-2” region. In case if you want use different region please use appropriate AMI from parameter. (My apologies, I have added all regions ami in parameter)
Open file “lambda-endpoint-connection.yaml” in any text editor and change following ur systemip. default value is ssh is allowed from all instances
Create and Download Ec2 instance keypair and update keypair name in this field. Download keypair key file same location as cloud formation template.
Add correct VPC cidr information. If not, default will be used.
Cloud formation template will create following resources(not all resource mentioned in list) –
- VpcName : VPC for this test
- Subnet1 : Subnet totally private except to ssh
- AppInternetGateway : Internet gateway used just to connect my system with EC2 instance.
- AppSecurityGroup : Allows port no 22 from my system to EC2 and allows all communication within VPC
- EC2AccessLambdaRole : This role allows EC2 instance to invoke lambda function.
- LambdaRole : This role allows Lambda function to create log groups in cloud watch to check print output in cloud watch
- RootInstanceProfile : Instance profile for instance. Uses EC2AccessLambdaRole for assuming permission
- EC2Instance : Instance to invoke lambda function
- LambdaFunction : First lambda function
- SecoundLambdaFunction : Second lambda function
- LambdaVPCEndpoint : Lambda vpc endpoint
Run following command to validate template is working fine
aws cloudformation validate-template –template-body file://lambda-endpoint-connection.yaml
Create Stack by executing following command –
aws cloudformation create-stack –stack-name lambdaEndpoint –template-body –capabilities CAPABILITY_IAM file://lambda-endpoint-connection.yaml
This will create stack in background it will take couple of minutes. Check your stack is created successful in Events section of cloud formation.
Ensure Stack is created successfully.
Stack outputs are saved in key value pair. Take a note of Instance publicIP. We need this output for ssh into EC2 instance to check lambda access. Take note of FirstLambdaFunction and SecondLambdaFunction values we need these value to invoke Lambda function.
Ensure two lambda functions created successfully. Keep a note of both function name. We need function name for invoking from our EC2 instance.
VPC – Endpoint configuration is created. EC2 instance internally created via private DNS name. That name is derived as <servicename>.<region_name>.amazonaws.com.
In out case servicename is “lambda”.
Endpoint assigns ip address in all allocated subnets. In our case we have assigned VPC to just one subnet so that it assigns single ip address. IP 10.1.1.78 is part of subnet where endpoint is associated with.
Assign security group to endpoint. In case need to stop access for any EC2 instances to access lambda function. This security group can be used for security reason. We can use Iam policy as well to restrict access from invoking Lambda function.
Policy definition. Full access allows any user or service to access lambda function. I highly recommend to restrict access from any services or EC2 instance via Endpoint policy and security group.
Endpoint creates network interface in VPC environment. IP is assigned to this network interface.
Subnet ip count also shows ip counts is reduced for /24 masked subnet.
Routed table has route with internet gateway to connect my system via ssh.
Security group only allows access to port 22 from entire world and all ports are open within VPC communication for inbound and outbound traffic.
Login to newly created instance use same keypair that created during pre-req phase –
Configure AWS with region “us-west-2” or select any region you may like to select.
To check list of functions using “aws lambda list-functions“
To invoke function use following command. We dont have access to any external https connection but we are still able to access lambda function.
- aws lambda invoke –function-name <first_function_name> first_response.json
- aws lambda invoke –function-name <second_function_name> second_response.json
Output from lambda function is saved into json format.
Reading output files. “body” key matches output from lambda function.
Cloud watch events. If payload is defined while invoking function, this will be visible in cloud watch event as well.
Delete stack to cleanup. Enter following command –
- aws cloudformation delete-stack –stack-name lambdaEndpoint
Lambda Endpoint is new feature and connects lambda via AWS privatelinks via AWS internal network. Again, security is elevated as no need to open your VPC to external traffic for lambda execution. Great way to use Lambda for function as service or using Lambda across multiple AWS accounts across organization.
Enjoy !!! Keep Building !!!!