Configuring a Lambda function to access resources in a VPC - AWS Lambda

Configuring a Lambda function to access resources in a VPC

You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your AWS account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources during execution.

To connect a function to a VPC

  1. Open the Lambda console Functions page.

  2. Choose a function.

  3. Under VPC, choose Edit.

  4. For VPC connection, choose Custom VPC.

  5. Choose a VPC, subnets, and security groups.

    Note

    Connect your function to private subnets to access private resources. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.

  6. Choose Save.

When you connect a function to a VPC, Lambda creates an elastic network interface for each combination of security group and subnet in your function's VPC configuration. This process can take about a minute.

While Lambda creates a network interface, you can't perform additional operations that target the function, such as creating versions or updating the function's code. For new functions, you can't invoke the function until its state changes from Pending to Active. For existing functions, you can still invoke an earlier version while the update is in progress. For more information about function states, see Monitoring the state of a function with the Lambda API.

Multiple functions connected to the same subnets share network interfaces. Connecting additional functions to a subnet that has an existing Lambda-managed network interface is much quicker than having Lambda create additional network interfaces. However, if you have many functions or functions with high network usage, Lambda might still create additional network interfaces.

If your functions aren't active for a long period of time, Lambda reclaims its network interfaces, and the functions become Idle. To reactivate an idle function, invoke it. This invocation fails, and the function enters a Pending state again until a network interface is available.

Lambda functions can't connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.

Execution role and user permissions

Lambda uses your function's permissions to create and manage network interfaces. To connect to a VPC, your function's execution role must have the following permissions:

Execution role permissions

  • ec2:CreateNetworkInterface

  • ec2:DescribeNetworkInterfaces

  • ec2:DeleteNetworkInterface

These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.

When you configure VPC connectivity, Lambda uses your permissions to verify network resources. To configure a function to connect to a VPC, your AWS Identity and Access Management (IAM) user needs the following permissions:

User permissions

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeVpcs

Configuring VPC access with the Lambda API

To connect a Lambda function to a VPC, you can use the following API operations:

To create a function and connect it to a VPC using the AWS Command Line Interface (AWS CLI), you can use the create-function command with the vpc-config option. The following example creates a function with a connection to a VPC with two subnets and one security group.

$ aws lambda create-function --function-name my-function \ --runtime nodejs12.x --handler index.js --zip-file fileb://function.zip \ --role arn:aws:iam::123456789012:role/lambda-role \ --vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb

To connect an existing function to a VPC, use the update-function-configuration command with the vpc-config option.

$ aws lambda update-function-configuration --function-name my-function \ --vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb

To disconnect your function from a VPC, update the function configuration with an empty list of subnets and security groups.

$ aws lambda update-function-configuration --function-name my-function \ --vpc-config SubnetIds=[],SecurityGroupIds=[]

Using IAM condition keys for VPC settings

You can use Lambda-specific condition keys for VPC settings to provide additional permission controls for your Lambda functions. For example, you can require that all functions in your organization are connected to a VPC. You can also specify the subnets and security groups that the function's users can and can't use.

Lambda supports the following condition keys in IAM policies:

  • lambda:VpcIds – Allow or deny one or more VPCs.

  • lambda:SubnetIds – Allow or deny one or more subnets.

  • lambda:SecurityGroupIds – Allow or deny one or more security groups.

The Lambda API operations CreateFunction and UpdateFunctionConfiguration support these condition keys. For more information about using condition keys in IAM policies, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Tip

If your function already includes a VPC configuration from a previous API request, you can send an UpdateFunctionConfiguration request without the VPC configuration.

Example policies with condition keys for VPC settings

The following examples demonstrate how to use condition keys for VPC settings. After you create a policy statement with the desired restrictions, append the policy statement for the target IAM user or role.

Ensure that users deploy only VPC-connected functions

To ensure that all users deploy only VPC-connected functions, you can deny function create and update operations that don't include a valid VPC ID.

Note that VPC ID is not an input parameter to the CreateFunction or UpdateFunctionConfiguration request. Lambda retrieves the VPC ID value based on the subnet and security group parameters.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceVPCFunction", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Deny", "Resource": "*", "Condition": { "Null": { "lambda:VpcIds": "true" } } } ] }

Deny users access to specific VPCs, subnets, or security groups

To deny users access to specific VPCs, use StringEquals to check the value of the lambda:VpcIds condition. The following example denies users access to vpc-1 and vpc-2.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceOutOfVPC", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Deny", "Resource": "*", "Condition": { "StringEquals": { "lambda:VpcIds": ["vpc-1", "vpc-2"] } } }

To deny users access to specific subnets, use StringEquals to check the value of the lambda:SubnetIds condition. The following example denies users access to subnet-1 and subnet-2.

{ "Sid": "EnforceOutOfSubnet", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Deny", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "lambda:SubnetIds": ["subnet-1", "subnet-2"] } } }

To deny users access to specific security groups, use StringEquals to check the value of the lambda:SecurityGroupIds condition. The following example denies users access to sg-1 and sg-2.

{ "Sid": "EnforceOutOfSecurityGroups", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Deny", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "lambda:SecurityGroupIds": ["sg-1", "sg-2"] } } } ] }

Allow users to create and update functions with specific VPC settings

To allow users to access specific VPCs, use StringEquals to check the value of the lambda:VpcIds condition. The following example allows users to access vpc-1 and vpc-2.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "EnforceStayInSpecificVpc", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "lambda:VpcIds": ["vpc-1", "vpc-2"] } } }

To allow users to access specific subnets, use StringEquals to check the value of the lambda:SubnetIds condition. The following example allows users to access subnet-1 and subnet-2.

{ "Sid": "EnforceStayInSpecificSubnets", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "lambda:SubnetIds": ["subnet-1", "subnet-2"] } } }

To allow users to access specific security groups, use StringEquals to check the value of the lambda:SecurityGroupIds condition. The following example allows users to access sg-1 and sg-2.

{ "Sid": "EnforceStayInSpecificSecurityGroup", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Effect": "Allow", "Resource": "*", "Condition": { "ForAllValues:StringEquals": { "lambda:SecurityGroupIds": ["sg-1", "sg-2"] } } } ] }

Internet and service access for VPC-connected functions

By default, Lambda runs your functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn't connected to your account's default VPC. When you connect a function to a VPC in your account, the function can't access the internet unless your VPC provides access.

Note

Several AWS services offer VPC endpoints. You can use VPC endpoints to connect to AWS services from within a VPC without internet access.

Internet access from a private subnet requires network address translation (NAT). To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet. The NAT gateway has a public IP address and can connect to the internet through the VPC's internet gateway. For more information, see How do I give internet access to my Lambda function in a VPC?

Sample VPC configurations

You can use the following sample AWS CloudFormation templates to create VPC configurations to use with Lambda functions. There are two templates available in this guide's GitHub repository:

  • vpc-private.yaml – A VPC with two private subnets and VPC endpoints for Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Use this template to create a VPC for functions that don't need internet access. This configuration supports use of Amazon S3 and DynamoDB with the AWS SDKs, and access to database resources in the same VPC over a local network connection.

  • vpc-privatepublic.yaml – A VPC with two private subnets, VPC endpoints, a public subnet with a NAT gateway, and an internet gateway. Internet-bound traffic from functions in the private subnets is routed to the NAT gateway using a route table.

To create a VPC using a template, on the AWS CloudFormation console Stacks page, choose Create stack, and then follow the instructions in the Create stack wizard.