I have a lambda function in AWS inside a VPC. I want to attach http handler (function URL).
The problem is, if I enable the function URL then it creates a public endpoint.
Alternatives I don't want to use
enable AWS_IAM security (then the caller will need to use the AWS SDK, get a token and all that)
API gateway trigger (I am already using API gateway as proxy to kubernetes Ingress, I don't want to diverge that)
ALB (I am already using k8s ingress, which creates ALB, so I want the proxy to be created manually by code, not using lambda configuration)
Is there a way we can create an AWS Lambda function URL that is accessible only within the VPC, without involving the AWS SDK (like wget URL)?
In our org, we ended up going with an internal-only ALB and we enabled MultiValueQueryStringParameters to pass data into the Lambda function and to execute it. This is the only way I could find to provide an internal-only URL that I could further protect with a security group. I couldn't figure out how to make Lambda URLs internal-only.
I looked into this for a similar use-case, eventually I went with a direct lambda Invoke from the SDK, using the RequestResponse InvocationType to obtain the response payload. This suited my needs, but it might not suit your case.
// Amazon.Lambda and Amazon.Lambda.Model come from the AWSSDK.Lambda NuGet package
using Amazon.Lambda;
using Amazon.Lambda.Model;

var lambdaClient = new AmazonLambdaClient();
string data = "{\"key\":\"value\"}"; // JSON that the function receives as its event (placeholder)
InvokeResponse response = await lambdaClient.InvokeAsync(new InvokeRequest() {
    FunctionName = "LambdaFunctionName",
    InvocationType = InvocationType.RequestResponse, // synchronous: waits for the function and returns its payload
    Payload = data
});
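The internal-ALB route from the first answer needs a handler that understands the ALB target-group event and response shapes. The following is an added example and not code from either answer; it assumes Python on Lambda and a target group with multi-value headers enabled, but also copes with the single-value shape. The sample event is constructed.

```python
import base64
import json
from http import HTTPStatus
from urllib.parse import unquote_plus

# Added example, not code from the answer above: a handler behind an internal-only
# ALB target group. With "multi-value headers" enabled on the target group the ALB
# sends multiValueQueryStringParameters / multiValueHeaders and expects
# multiValueHeaders in the response; with it disabled the single-value keys are used.
# The ALB passes query values URL-encoded without decoding them, so the handler must.


def query_values(event):
    """Return {name: [values, ...]} for either ALB event shape, URL-decoded."""
    multi = event.get("multiValueQueryStringParameters")
    if multi is None:
        multi = {k: [v] for k, v in (event.get("queryStringParameters") or {}).items()}
    return {unquote_plus(k): [unquote_plus(v) for v in vals] for k, vals in multi.items()}


def header_values(event):
    """Same normalisation for headers, with names lower-cased (they are case-insensitive)."""
    multi = event.get("multiValueHeaders")
    if multi is None:
        multi = {k: [v] for k, v in (event.get("headers") or {}).items()}
    return {k.lower(): list(vals) for k, vals in multi.items()}


def alb_response(status, body, multi_value=True, content_type="application/json"):
    """Response in the shape the ALB accepts; the header key must match the target-group setting."""
    response = {
        "statusCode": status,
        "statusDescription": f"{status} {HTTPStatus(status).phrase}",
        "isBase64Encoded": False,
        "body": json.dumps(body),
    }
    if multi_value:
        response["multiValueHeaders"] = {"Content-Type": [content_type]}
    else:
        response["headers"] = {"Content-Type": content_type}
    return response


def parsed_body(response):
    """Decode the JSON body of a response built by alb_response (handy for tests)."""
    return json.loads(response["body"])


def lambda_handler(event, context=None):
    multi_value = "multiValueHeaders" in event  # mirror whichever shape the ALB sent
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8")
    result = {
        "method": event.get("httpMethod"),
        "path": event.get("path"),
        "params": query_values(event),
        # The ALB sets X-Forwarded-For to the caller's address; inside the VPC this is a private IP.
        "client": header_values(event).get("x-forwarded-for", ["unknown"])[0],
        "body_length": len(body),
    }
    return alb_response(200, result, multi_value=multi_value)


# Constructed sample event in the shape an ALB sends when multi-value headers are enabled.
SAMPLE_EVENT = {
    "requestContext": {"elb": {"targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/0123456789abcdef"}},
    "httpMethod": "GET",
    "path": "/run",
    "multiValueQueryStringParameters": {"id": ["1", "2"], "name": ["hello%20world"]},
    "multiValueHeaders": {"X-Forwarded-For": ["10.0.12.34"], "Accept": ["*/*"]},
    "body": "",
    "isBase64Encoded": False,
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The network restriction itself lives outside the function: the ALB is scheme "internal" and its security group only admits the VPC CIDR, so this handler never has to decide who is allowed to call it.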
Related
So I have a lambda function that triggers an amazon ec2 instance and thanks to the api gateway I was able to create a URL for the lambda function.
How it works is that you enter the URL and the URL activates the lambda function and starts the amazon ec2 instance.
Now what I want to do is to have a "password" (or a secret) that is used to activate the lambda function and THEN start the EC2 instance. I have researched many possible solutions for this but I could not come across any.
You can pass parameters in the URL, which can be read by the API Gateway function.
You can then add logic to the function to verify the 'password' before starting the Amazon EC2 instance. This could be as simple as verifying that a specific password was provided, or it could perform more complex activities such as checking a database and decrypting an encoded password. It is up to you to write that code.
For an example, see: Pass API Gateway REST API parameters to a Lambda function or HTTP endpoint
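One way to implement the check the answer describes, as an added example rather than the answerer's code: a Lambda proxy-integration handler that reads the secret from a header (falling back to the query string), compares it in constant time and only then starts the instance. The header name, the environment-variable names and the instance ID are assumptions; the events in the `__main__` block are constructed.

```python
import hmac
import json
import os

# Added example, not the answerer's code: an API Gateway Lambda proxy handler that
# refuses to start the instance unless the caller presents the expected secret.
# The secret comes from the function's environment (ACTIVATION_SECRET, assumed
# name; load it from Secrets Manager in practice) and is compared in constant
# time so response timing does not reveal how many characters matched. A header
# is preferred over a query-string parameter because query strings end up in
# access logs and browser history.

SECRET_HEADER = "x-activation-secret"  # assumed header name
SECRET_PARAM = "secret"                # assumed query-string parameter name


def presented_secret(event):
    """Take the secret from the header if present, otherwise from the query string."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    if SECRET_HEADER in headers:
        return headers[SECRET_HEADER]
    return (event.get("queryStringParameters") or {}).get(SECRET_PARAM)


def secret_matches(presented, expected):
    """Constant-time comparison; a missing value on either side never matches."""
    if not presented or not expected:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def respond(status, message):
    """Lambda proxy integration response shape."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"message": message}),
    }


def start_with_boto3(instance_id):
    """The real side effect; imported lazily so the module loads without boto3."""
    import boto3
    boto3.client("ec2").start_instances(InstanceIds=[instance_id])


def authorize_and_start(event, expected, instance_id, start_instance):
    """Check the secret, then start the instance. Pure apart from start_instance."""
    if not expected or not instance_id:
        # Fail closed: missing configuration must never turn into "no check".
        return respond(500, "function is not configured")
    if not secret_matches(presented_secret(event), expected):
        return respond(403, "forbidden")
    start_instance(instance_id)
    return respond(200, f"start requested for {instance_id}")


def lambda_handler(event, context=None):
    return authorize_and_start(
        event,
        os.environ.get("ACTIVATION_SECRET"),
        os.environ.get("INSTANCE_ID"),
        start_with_boto3,
    )


if __name__ == "__main__":
    # Constructed proxy-integration events: one with the right header, one guessing via the URL.
    good = {"headers": {"X-Activation-Secret": "correct horse battery staple"}}
    bad = {"queryStringParameters": {"secret": "guess"}}
    fake_start = lambda i: print("would start", i)
    print(authorize_and_start(good, "correct horse battery staple", "i-0123456789abcdef0", fake_start))
    print(authorize_and_start(bad, "correct horse battery staple", "i-0123456789abcdef0", fake_start))
```

The function's execution role should be limited to `ec2:StartInstances` on that one instance ARN, so a leaked secret cannot be turned into anything more than starting the machine it was meant to start.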
I have a PUT API that can be accessed within the VPN. I have to invoke that API with a scheduler function. I found Event Bridge is a useful serverless resource that we can use to trigger the endpoint.
I created a connection and when I create the API Destination, The AWS Console shows the following error.
Failed to create the API Destinations. ParameterInvocationEndpoint is not valid. Reason: Endpoint 'https://test.net/events/test' is invalid. please provide a valid HTTPS endpoint URL
My PUT API is working; I confirmed it with Postman.
Can anyone assist me to identify the issue to create the API Destination?
EventBridge doesn't run inside your VPC. It doesn't have access to your private VPC resources. The solution is to have EventBridge trigger the invocation of an AWS Lambda function that is configured to run inside your VPC, and then make your API call via the Lambda function.
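The Lambda in the middle of that chain, as an added example (not the answerer's code): EventBridge invokes it on the schedule, and because the function is attached to the VPC it can reach the private endpoint. `INTERNAL_API_URL` and `INTERNAL_API_TOKEN` are assumed environment-variable names; the scheduled-event envelope below is constructed.

```python
import json
import os
import urllib.request

# Added example, not from the answer above: the Lambda that EventBridge invokes on
# the schedule. The function (not EventBridge) is attached to the VPC, so it can
# reach the private endpoint that API Destinations rejected. INTERNAL_API_URL and
# INTERNAL_API_TOKEN are assumed environment-variable names; the event is the
# standard EventBridge envelope.


def build_put(url, payload, token=None):
    """urllib.request sends GET, or POST when data is given; PUT has to be set explicitly."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="PUT")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    return req


def payload_from_event(event):
    """Forward the scheduler's timestamp and the envelope's identifying fields."""
    return {
        "triggered_at": event.get("time"),
        "source": event.get("source"),
        "rule": event.get("resources") or [],
        "detail": event.get("detail") or {},
    }


def send(event, url, token=None, opener=urllib.request.urlopen):
    """Perform the PUT. Raising on failure makes the invocation fail, so EventBridge retries it."""
    req = build_put(url, payload_from_event(event), token)
    with opener(req, timeout=10) as resp:
        if not 200 <= resp.status < 300:
            raise RuntimeError(f"PUT {url} returned {resp.status}")
        return resp.status


def lambda_handler(event, context=None):
    url = os.environ["INTERNAL_API_URL"]          # e.g. https://test.net/events/test, resolvable only in the VPC
    token = os.environ.get("INTERNAL_API_TOKEN")  # optional bearer token for the private API
    return {"status": send(event, url, token)}


# Constructed EventBridge scheduled-event envelope.
SCHEDULED_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "Scheduled Event",
    "source": "aws.events",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:events:us-east-1:123456789012:rule/nightly-put"],
    "detail": {},
}
```

Private DNS names such as the one in the error message only resolve from inside the VPC, so the function also needs a subnet whose resolver knows that zone; a public-subnet Lambda without a NAT would neither resolve nor reach it.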
I have a vue.js/aws-nodejs/mongodb-atlas website.
To lock things down better, I'm switching the mongodb-atlas database to VPC peering with lambda. That works just fine. But the other aws services now are giving me problems. They tend to just hang and never return.
I understand that I should use vpc endpoints specific to the aws services to make them work, but they are not consistently working or do not exist. Here's what I have:
lambda -> aws secret manager using secretmanager endpoint: works fine
lambda -> invoking other lambdas using lambda endpoint: works fine
lambda -> s3 does not work with interface endpoint, but does work with gateway endpoint.
lambda -> aws ses using smtp-email endpoint: hangs
lambda -> aws cognito admin functions (such as adminCreateUser), cannot find a cognito endpoint type: hangs
I have created a separate, non-vpc lambda that calls the SES api. My vpc lambda invokes this non-vpc lambda with parameters to send email.
This does work, but seems kludgey. My old non-vpc code worked fine. Before calling ses or doing anything dangerous, I checked custom permissions in my database. But this new non-vpc lambda does not have access to the database and therefore is missing this check close to the api call. This non-vpc lambda feels like a potential weapon of mass destruction.
Apparently, I could use a NAT gateway. But a NAT gateway is expensive, especially if I want redundancy. And using the public internet defeats the purpose of using a vpc in the first place.
Why is the smtp-email endpoint not working while secretmanager and lambda endpoints do work?
How can I call cognito admin functions from a vpc-based lambda if there is no cognito endpoint type?
If there is no available endpoint type for a specific aws service (such as cognito), does that mean a NAT gateway is required?
Are lambda functions without an apig interface safe from being invoked by hackers over the internet?
Is using a non-vpc lambda to access aws services from a vpc lambda actually a good idea?
Should I just use a NAT gateway?
I am using StrongLoop in AWS Lambda and I want to trigger it somehow. The only available option right now is API Gateway. Is there a way to create one resource and pass all its requests to a single Lambda function?
I want to achieve something like this
/api/* --> Lambda Function
Does AWS support this?
This is supported by API gateway proxy resource. You can create a special path parameter {proxy+} which represents any child resource of a parent API. The ANY method can be used to catch all http methods on that resource.
In your case, you need to create an api resource /api and under that, create a new proxy resource {proxy+}. If you are creating it through the AWS console, you just have to check the check box for the option Configure as proxy resource while creating the resource. When you get to the integration setup, select Lambda Function Proxy as your integration type, choose the region and select the lambda function you want to invoke.
This is described in detail in the API gateway docs here.
I am very new to the API Gateway and AWS Lambda and I am trying to use them in a scenario with the following elements:
a VPC with a private and a public subnet
an AMI EC2 (Free Tier) with LAMP installed
A simple index.html page with some text (something saying "This is a test page")
What I would like to do is to be able to punch http://myprivateIp/myexample/index.html through the use of the API gateway and Lambda as it seems to be suggested in the AWS documentation. I have, then, re-used the basic Hello World lambda example (one of the AWS blueprints) for my first lambda function and included the VPC details (with the private subnet too) as requested in the wizard. I have also created a sample API with one resource (myexample, in this case) and the Get method with the Lambda Function Integration Type and the Hello World function. As per the documentation, I have created the correct permissions (http://docs.aws.amazon.com/apigateway/latest/developerguide/create-lambda-roles.html). I have tested the GET method from my API and it correctly returns the response "Hello World" as per the AWS pre-existing blueprint. I know this might sound like a very naive question, but I am not sure whether I have really proven that I can hit my VPC. I would like to be able to return the sample text from my index.html page, for example. Is that possible? Have I misunderstood the purpose of AWS Lambda in this particular scenario?
Thank you for your help,
EDIT:
So, I have put together the following in Node JS 4.3:
'use strict';
var http = require("http");
console.log('We are about to send a Get Request');

exports.handler = function(event, context, callback) {
    // This host only resolves inside the VPC: the function must be attached to a subnet that routes to it
    var request = http.get("http://domain/example/index.html", function(response) {
        var body = "";
        response.on("data", function(chunk) { body += chunk; });
        response.on("end", function() {
            console.log('Status: ' + response.statusCode);
            callback(null, body);  // return the fetched page instead of finishing before the request completes
        });
    });
    request.on("error", function(err) { callback(err); });  // surface connection failures rather than reporting success
};
The test runs successfully, am I right in saying that it does prove that I can hit a page running on a VPC?
You are correct - you can make an HTTP request to an endpoint in your VPC via a Lambda function as long as your Lambda function is configured to run inside the same VPC.
Thus, you can use API Gateway to call Lambda and proxy a response back from an HTTP endpoint within a VPC.
API Gateway cannot call HTTP endpoints in a VPC directly, so your current approach using Lambda is the recommended one.
You can connect your EC2 with private IP within your Lambda function. That means you can hit your VPC from your Lambda function.
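Putting the two answers together (the `{proxy+}`/ANY catch-all from the StrongLoop thread and the Lambda-in-VPC proxy from this one), here is an added example of the function that sits behind `/api/{proxy+}`: it rebuilds the backend URL from the path parameter, forwards the request to a private host such as the EC2 instance above, and maps the reply into the Lambda proxy-integration response shape. This is not code from either answer; `BACKEND_BASE` is an assumed environment variable, and the event in the assertions is constructed.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Added example, not from the original posts: one Lambda behind an API Gateway
# resource /api/{proxy+} with the ANY method. The function runs in the VPC and
# forwards each request to a private HTTP backend (the EC2 host discussed above),
# then returns the backend's answer in the shape the Lambda proxy integration
# expects. BACKEND_BASE is an assumed environment variable, e.g. http://10.0.1.23.

HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "host", "content-length"}


def backend_url(base, event):
    """Rebuild the backend URL from the {proxy+} path parameter and the query string."""
    path = (event.get("pathParameters") or {}).get("proxy", "")
    query = urllib.parse.urlencode(event.get("queryStringParameters") or {})
    return f"{base.rstrip('/')}/{path}" + (f"?{query}" if query else "")


def forward_headers(event):
    """Copy request headers the backend should see, dropping hop-by-hop ones and the API Gateway Host."""
    return {k: v for k, v in (event.get("headers") or {}).items() if k.lower() not in HOP_BY_HOP}


def proxy_response(status, headers, body):
    """Lambda proxy integration response; bodies that are not UTF-8 text go base64-encoded."""
    try:
        text = body.decode("utf-8")
        encoded = False
    except UnicodeDecodeError:
        text = base64.b64encode(body).decode("ascii")
        encoded = True
    clean = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    return {"statusCode": status, "headers": clean, "body": text, "isBase64Encoded": encoded}


def proxy(event, base, opener=urllib.request.urlopen):
    """Forward one API Gateway proxy event to the backend and map the reply back."""
    body = event.get("body") or ""
    data = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode("utf-8")
    req = urllib.request.Request(
        backend_url(base, event),
        data=data if data else None,
        headers=forward_headers(event),
        method=event.get("httpMethod", "GET"),
    )
    try:
        with opener(req, timeout=10) as resp:
            return proxy_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        # 4xx/5xx from the backend are answers to relay, not Lambda failures.
        return proxy_response(e.code, dict(e.headers), e.read())
    except urllib.error.URLError as e:
        # No route, refused, or timeout: the usual symptom of a subnet/security-group mistake.
        return proxy_response(502, {"Content-Type": "text/plain"}, f"backend unreachable: {e.reason}".encode("utf-8"))


def lambda_handler(event, context=None):
    return proxy(event, os.environ["BACKEND_BASE"])


if __name__ == "__main__":
    # Constructed event of the kind API Gateway sends for GET /api/example/index.html?q=a+b
    sample = {
        "httpMethod": "GET",
        "pathParameters": {"proxy": "example/index.html"},
        "queryStringParameters": {"q": "a b"},
        "headers": {"Host": "abc.execute-api.us-east-1.amazonaws.com", "Accept": "text/html"},
    }
    print(json.dumps(proxy(sample, os.environ.get("BACKEND_BASE", "http://10.0.1.23")), indent=2))
```

The 502 branch is the one worth watching for in CloudWatch: with the function attached to the VPC, an unreachable backend almost always means the instance's security group does not allow the Lambda's security group, or the function's subnet has no route to the host.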