Work with AWS VPC, Lambda and Internet

An AWS VPC is essentially a private VLAN for a single user: all the network resources you might allocate, such as EC2 instances and EFS file systems, live inside this VLAN with private IP addresses.

AWS keeps a list (https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html) of which services require a VPC configuration for Lambda access and which do not.

Accessible by default (no VPC configuration needed):

  - Amazon API Gateway
  - Amazon CloudFront
  - Amazon CloudWatch
  - Amazon Comprehend
  - Amazon DynamoDB
  - Amazon EventBridge
  - Amazon Kinesis
  - Amazon Lex
  - Amazon Pinpoint
  - Amazon Polly
  - Amazon Rekognition
  - Amazon S3
  - Amazon SNS
  - Amazon SQS
  - AWS Step Functions
  - Amazon Textract
  - Amazon Transcribe
  - Amazon Translate

Requires VPC:

  - Amazon ECS
  - Amazon EFS
  - Amazon ElastiCache
  - Amazon Elasticsearch Service
  - Amazon MSK
  - Amazon MQ
  - Amazon RDS
  - Amazon Redshift

If you don't assign a VPC to your Lambda function, each Lambda instance gets its own local IP address starting with 169.254, not the typical 172.16 range. This means the Lambda instance is allocated in yet another LAN, much as Docker does. If you're familiar with network configuration, you know that communication between two different LANs needs a route, gateway or NAT, and there may be extra limits on network access.

The problem is that a Lambda function sometimes has to use RDS, EFS or ElastiCache, and so it has to be attached to the VPC. If that same Lambda also has to reach the Internet, you have to create a NAT gateway in the VPC as the link, which costs extra.
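The rule above (no VPC: Internet via the Lambda service; attached to a VPC: Internet only through a NAT gateway, because a Lambda ENI never gets a public IP and so an internet-gateway route does not help) can be turned into an offline audit. This is an added example, not code from the original post; the dicts mimic the shape of boto3's `get_function_configuration()` and `describe_route_tables()` responses and are constructed sample data with placeholder identifiers.

```python
# Added example: classify Lambda functions by their Internet reachability.
# Input shapes mirror boto3 responses but are constructed inline; no AWS calls are made.

ROUTE_TABLES = [  # constructed sample data, placeholder identifiers
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
FUNCTIONS = {  # constructed sample data: name -> function configuration
    "api-frontend": {},                                                    # no VPC
    "db-worker": {"VpcConfig": {"SubnetIds": ["subnet-private-a"]}},       # private + NAT
    "public-subnet-worker": {"VpcConfig": {"SubnetIds": ["subnet-public-a"]}},  # igw only
    "orphan-worker": {"VpcConfig": {"SubnetIds": ["subnet-no-table"]}},    # main table
}


def route_table_for_subnet(subnet_id, route_tables):
    """Explicitly associated table wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_has_nat_default_route(subnet_id, route_tables):
    """True only if 0.0.0.0/0 goes to a NAT gateway; an igw route does not count for Lambda."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("NatGatewayId", "")).startswith("nat-") for r in rt["Routes"])


def lambda_internet_access(function_config, route_tables):
    """Return 'internet-no-vpc', 'vpc-with-nat' or 'vpc-isolated' for one function."""
    subnets = (function_config.get("VpcConfig") or {}).get("SubnetIds") or []
    if not subnets:
        return "internet-no-vpc"          # 169.254.x.x address, Internet via Lambda service
    if all(subnet_has_nat_default_route(s, route_tables) for s in subnets):
        return "vpc-with-nat"             # reaches RDS/EFS and the Internet, pays for NAT
    return "vpc-isolated"                 # reaches VPC resources only


def audit(functions, route_tables):
    return {name: lambda_internet_access(cfg, route_tables) for name, cfg in functions.items()}
```

Functions reported as `vpc-isolated` are the ones to keep Internet-free by design, invoked by a non-VPC function for any outbound calls, rather than silently failing on outbound traffic.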


How do you solve this problem? Consider your architecture based on these questions:

  1. Which part of the service really needs Internet access?
  2. Is it possible to decouple Internet access from the AWS services?

In terms of cost, Lambda is significantly less expensive than EC2 instances. When your service is going to rely heavily on Lambda, you will have to split the functionality into different Lambda functions, with one Lambda invoking the dependent Lambda during execution. This means that a Lambda which has to use VPC services should be isolated from the Internet, as in the chart.

There are 3 Lambda functions, each representing a microservice and communicating only with the resources it has to deal with. This hybrid architecture works for nearly all possible cases, but it requires a good microservice design.

Another solution is to use EC2 plus Kubernetes exclusively.

All EC2 instances stay in the VPC and can access the Internet, which means you have to manage all the resources and the software stack yourself, without the benefit of stock AWS services.

The good thing is that this architecture is portable everywhere, even across different cloud service providers. All K8s Pods can access both the K8s cluster and the Internet, and the K8s cluster benefits a lot from EC2 Spot Instances: with Horizontal Pod Autoscaling, non-persistent services can run on EC2 Spot Instances as a DaemonSet.

I hope this helps you with AWS development.

posted on 2022-10-21 12:17 Bo Schwarzstein