Typically, you create resources inside Amazon Virtual Private Cloud (Amazon VPC) so that they cannot be accessed over the public Internet. These resources could be AWS service resources, such as Amazon Redshift data warehouses, Amazon ElastiCache clusters, or Amazon RDS instances. They could also be your own services running on your own EC2 instances. By default, resources within a VPC are not accessible from within a Lambda function.
AWS Lambda runs your function code securely within a VPC by default. However, to enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function to connect securely to other resources within your private VPC.
AWS Lambda does not support connecting to resources within Dedicated Tenancy VPCs. For more information, see Dedicated VPCs.
You add VPC information to your Lambda function configuration using the VpcConfig parameter, either at the time you create a Lambda function (see CreateFunction), or you can add it to the existing Lambda function configuration (see UpdateFunctionConfiguration). Following are AWS CLI examples:
-
The
create-functionCLI command specifies the--vpc-configparameter to provide VPC information at the time you create a Lambda function.$ aws lambda create-function \ --function-name ExampleFunction \ --runtime go1.x \ --role execution-role-arn \ --zip-file fileb://path/app.zip \ --handler app.handler \ --vpc-config SubnetIds=comma-separated-vpc-subnet-ids,SecurityGroupIds=comma-separated-security-group-ids \ --memory-size 1024
Note
The Lambda function execution role must have permissions to create, describe and delete ENIs. AWS Lambda provides a permissions policy, AWSLambdaVPCAccessExecutionRole, with permissions for the necessary EC2 actions (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface) that you can use when creating a role. You can review the policy in the IAM console. Do not delete this role immediately after your Lambda function execution. There is a delay between the time your Lambda function executes and ENI deletion. If you do delete the role immediately after function execution, you are responsible for deleting the ENIs.
-
The
update-function-configurationCLI command specifies the--vpc-configparameter to add VPC information to an existing Lambda function configuration.$ aws lambda update-function-configuration \ --function-name ExampleFunction \ --vpc-config SubnetIds=comma-separated-vpc-subnet-ids,SecurityGroupIds=security-group-idsTo remove VPC-related information from your Lambda function configuration, use the
UpdateFunctionConfigurationAPI by providing an empty list of subnet IDs and security group IDs as shown in the following example CLI command.$ aws lambda update-function-configuration \ --function-name ExampleFunction \ --vpc-config SubnetIds=[],SecurityGroupIds=[]
Note the following additional considerations:
- When you add VPC configuration to a Lambda function, it can only access resources in that VPC. If a Lambda function needs to access both VPC resources and the public Internet, the VPC needs to have a Network Address Translation (NAT) instance inside the VPC.
- When a Lambda function is configured to run within a VPC, it incurs an additional ENI start-up penalty. This means address resolution may be delayed when trying to connect to network resources.
AWS Lambda uses the VPC information you provide to set up ENIs that allow your Lambda function to access VPC resources. Each ENI is assigned a private IP address from the IP address range within the Subnets you specify, but is not assigned any public IP addresses. Therefore, if your Lambda function requires Internet access (for example, to access AWS services that don't have VPC endpoints ), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. You cannot use an Internet gateway attached to your VPC, since that requires the ENI to have public IP addresses.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
Your Lambda function automatically scales based on the number of events it processes. The following are general guidelines for setting up VPC-enabled Lambda functions to support the scaling behavior.
-
If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient ENI capacity to support the scale requirements of your Lambda function. You can use the following formula to approximately determine the ENI requirements.
Projected peak concurrent executions * (Memory in GB / 3GB)Where:
- Projected peak concurrent execution – Use the information in Managing Concurrency to determine this value.
- Memory – The amount of memory you configured for your Lambda function.
-
The subnets you specify should have sufficient available IP addresses to match the number of ENIs.
We also recommend that you specify at least one subnet in each Availability Zone in your Lambda function configuration. By specifying subnets in each of the Availability Zones, your Lambda function can run in another Availability Zone if one goes down or runs out of IP addresses.
If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors (EC2ThrottledException). For asynchronous invocation, if you see an increase in errors without corresponding CloudWatch Logs, invoke the Lambda function synchronously in the console to get the error responses.