
AWS call Lambda inside VPC to another Lambda in another VPC

Is it possible to call a Lambda function that lives within a VPC from another Lambda in another VPC?

I'm trying to do it with an AWS VPC Endpoint, but I can't get it to work: it returns error 403. I am following these steps: https://aws.amazon.com/es/blogs/compute/introducing-amazon-api-gateway-private-endpoints/ .

And https://cedrus.digital/aws-privatelink-with-api-gateway-and-lambda-functions/

I am not sure whether the VPC Endpoint should be created in the VPC where the Lambda will be called from or in the VPC where it will receive the request.

I have even set the API Gateway Resource Policy like this:

{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "execute-api:Invoke"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

And the VPC endpoint policy is set to Full access.

To invoke an AWS Lambda function via an API call, the calling entity must have access to the Internet. It doesn't matter whether the calling entity is in the same VPC, a different VPC, or even not in a VPC. All that matters is that the request can be sent to the AWS Lambda API endpoint.

If the calling Lambda function is in a VPC, make sure that it has access to the Internet. This typically requires:

  • The Lambda function is in a private subnet
  • There is a NAT Gateway in a public subnet
  • The Route Table for the private subnet directs 0.0.0.0/0 traffic to the NAT Gateway

Alternatively, if the calling Lambda function is not connected to a VPC, then it automatically receives access to the Internet.

It also does not matter to what the "called" Lambda function is connected (VPC or not). The control plane that activates this Lambda function is on the Internet, which is unrelated to where the Lambda function itself is connected.

There are a few ways that you can invoke a Lambda from another Lambda.

Lambda invokes the other Lambda directly

When you invoke a Lambda (caller) from another Lambda (callee) using aws-sdk's invoke function, as mentioned in an answer already, the Lambda (caller) should have internet connectivity, because aws-sdk calls are by default made over the internet.

Therefore either the Lambda should be deployed in a public subnet (not recommended) or you should have a NAT Gateway (or a NAT instance, which is cheaper), so that the Lambda can invoke the other Lambda over the internet.

Lambda invokes the other Lambda through API Gateway

You don't even need to consider this option if the calling Lambda has internet connectivity.

You can indeed create a private VPC endpoint for API Gateway on the destination Lambda's end. Then the calling Lambda can make an HTTPS call via the VPC endpoint's DNS URL.

For this to work, your VPC endpoint should be accessible from the other VPC from which you are going to make the HTTP call.

Therefore VPC peering between the VPCs will make it possible. The good news is that VPC endpoints are now accessible through VPC peering.

Hope this helps.

Reference: https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/
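As an added illustration of the first option above (direct invocation with the SDK), not code from the thread: a caller Lambda in Python that invokes the target function synchronously, decodes its reply and refuses to treat a callee error as success. The function ARN, environment variable name and the short botocore timeouts are assumptions; the timeouts exist so that a caller left in a private subnet without a NAT gateway fails within seconds instead of silently hanging until its own Lambda timeout, which is the symptom that usually sends people to this question.

```python
"""Caller Lambda that invokes another Lambda over the Lambda API (added example)."""
import json
import os

# Assumed ARN of the callee; the caller's execution role should be allowed
# lambda:InvokeFunction on exactly this ARN, not on "*".
TARGET_FUNCTION = os.environ.get(
    "TARGET_FUNCTION",
    "arn:aws:lambda:us-east-1:123456789012:function:callee",  # placeholder
)


def make_lambda_client(connect_timeout=3, read_timeout=25):
    """Build a boto3 Lambda client with explicit timeouts and no retries.

    The invoke call goes to lambda.<region>.amazonaws.com. From a private
    subnet with no NAT gateway (and no Lambda VPC endpoint) the TCP connect
    never completes; boto3's default 60 s connect timeout plus retries means
    the caller normally dies on its own timeout with no useful error. A short
    connect timeout surfaces the missing route immediately.
    """
    import boto3
    from botocore.config import Config

    cfg = Config(connect_timeout=connect_timeout, read_timeout=read_timeout,
                 retries={"max_attempts": 0})
    return boto3.client("lambda", config=cfg)


def invoke_callee(client, payload, function_name=TARGET_FUNCTION):
    """Synchronously invoke the callee and return its decoded JSON result.

    A callee that raised still yields HTTP 200 with FunctionError set and an
    error document as the payload, so check that flag before trusting the body.
    """
    resp = client.invoke(
        FunctionName=function_name,
        InvocationType="RequestResponse",  # wait for the callee's result
        Payload=json.dumps(payload).encode("utf-8"),
    )
    body = json.loads(resp["Payload"].read().decode("utf-8"))
    if resp.get("FunctionError"):
        raise RuntimeError(f"callee failed: {body.get('errorMessage', body)}")
    return body


def handler(event, context):
    """Lambda entry point of the caller function."""
    result = invoke_callee(make_lambda_client(), {"order_id": event.get("order_id")})
    return {"statusCode": 200, "body": json.dumps(result)}
```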

粤ICP备18138465号  © 2020-2024 STACKOOM.COM