
Calling a private APIGateway Fronted non-VPC Lambda From within a VPC


Given an AWS Lambda that does not need access to resources within a VPC, the Well-Architected Serverless Lens recommends not putting the function in a VPC.

However, my Lambda will sit behind an APIGateway to facilitate a REST endpoint that needs to be accessed by servers that do sit within a VPC.

How can a VPC-less Lambda sit behind an APIGateway that itself is accessible within a VPC?

I would prefer that my APIGateway not be exposed to the public internet; therefore instantiating a public APIGateway and calling that public IP address from within my VPC via a NAT gateway is not an acceptable solution.

Thank you in advance for your consideration and response.


Solution

  • Invoking an AWS Lambda function will always be done via the public AWS API. It doesn't matter if the Lambda function is configured to run in the VPC; once it is invoked, it still has to be invoked via the public AWS API.

    AWS Lambda functions do not sit running idle in your VPC waiting for an invocation request to come in. The whole point of Lambda functions is that they do not exist at all until they are needed to process a request, at which point the AWS infrastructure creates an instance of your function, and then passes it the request info to process.

    If you add an AWS Lambda function to your VPC, all that does is attach an ENI from your VPC to the Lambda function at the time it is executing, so that it can use the network connection provided by that ENI to access resources inside your VPC.

    The API Gateway service itself also does not run inside your VPC. Both API Gateway and Lambda exist outside your VPC, and API Gateway will have no problems accessing the public AWS API to invoke a Lambda function.

    When you make your API Gateway VPC-only, the API Gateway service (servers) still exists outside the VPC; it just makes the API Gateway accessible at a private address inside your VPC, via a network gateway to the API Gateway service.
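The arrangement the answer describes, as an added Terraform example that is not part of the question or the answer: an execute-api interface endpoint in the VPC, a private REST API bound to that endpoint, and a Lambda integration with no `vpc_config`. The variables, the `apigw_endpoint` security group and the `lambda.zip` artifact are assumed placeholders, and the API's resources, methods, integration and deployment are left out.

```hcl
# Interface endpoint that gives servers in the VPC a private path to the
# API Gateway service (assumed: var.vpc_id, var.private_subnet_ids,
# aws_security_group.apigw_endpoint are defined elsewhere).
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.apigw_endpoint.id]
  private_dns_enabled = true # callers keep using the normal execute-api hostname
}

# The backend function stays outside the VPC: it is invoked over the AWS API
# by API Gateway, so it needs no ENI and no vpc_config block.
resource "aws_lambda_function" "backend" {
  function_name = "private-api-backend"
  role          = var.lambda_role_arn # assumed placeholder
  runtime       = "python3.12"
  handler       = "app.handler"
  filename      = "lambda.zip" # assumed placeholder artifact
}

resource "aws_api_gateway_rest_api" "private" {
  name = "private-api"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
  # A private API is unreachable until a resource policy grants access;
  # this one only admits requests that arrived through our own endpoint,
  # so traffic from any other VPC endpoint or from the internet is refused.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "execute-api:/*"
      Condition = {
        StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id }
      }
    }]
  })
}

# Let this API (and only this API) invoke the function.
resource "aws_lambda_permission" "allow_apigw" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.backend.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.private.execution_arn}/*"
}
```

Without the `aws:SourceVpce` condition the resource policy would admit any principal that can reach the API, so keep the condition tied to the endpoint you control.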