How to get ENI attached to lambda using boto3 - amazon-web-services

I understand that Lambda attaches itself to an ENI when it is woken up from its cold state. How do I get a handle on the ENI (or all the ENIs) attached to the Lambda using boto3?

The ENI created by Lambda when you put it in a VPC is an AWS Lambda-managed ENI.
There is no single API call to get the ENI associated with a particular Lambda function (to my knowledge at least).
Thus you would have to do it yourself, for example using the describe_network_interfaces call to get the list of all ENIs in a given VPC, and then filtering out the non-Lambda ones.
For the filtering, the ENI description could be useful. I checked now and the ENI which the Lambda service creates has a description in the form of:
AWS Lambda VPC <function name>
and the owner is amazon-aws.
I'm not certain if the ENI description is absolutely fixed and unique, but this seems like a good start.

To have Lambda delete the network interface, do the following:
For each unpublished Lambda function (the $LATEST version) that Lambda ENI Finder listed, change the Amazon VPC configuration to use a different subnet and security group. Or, you can disconnect the function from the Amazon VPC entirely.
For each published Lambda function version listed, delete the function version. Published versions can't be edited, so the VPC configuration can't be changed.
Run Lambda ENI Finder again to verify that the network interface is no longer in use. If no other functions or function versions are listed in the output, Lambda deletes the network interface for you within 24 hours.
For more information, you can check the AWS link below:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-eni-find-delete/
I hope this helps you.
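The filtering approach from the answer above, written out as an added example (not code from the original poster): page through describe_network_interfaces with a server-side filter on the description wildcard, then keep only interfaces whose description starts with "AWS Lambda VPC" and whose attachment, if any, is owned by amazon-aws. The description format and the owner value are the ones quoted in the answer, so check them against your own account; the per-VPC count helper is also handy when you hit the Hyperplane ENI limit discussed further down this page.

```python
"""
Find the Lambda-managed ENIs in a VPC with boto3.  Example code added for this
page, not from the original poster.  The "AWS Lambda VPC <function name>"
description and the "amazon-aws" attachment owner are taken from the answer
and should be verified against your own account.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

LAMBDA_ENI_PREFIX = "AWS Lambda VPC "   # description prefix quoted in the answer
LAMBDA_ENI_OWNER = "amazon-aws"         # attachment owner quoted in the answer


def is_lambda_eni(eni: Dict) -> bool:
    """True if the ENI looks like one the Lambda service created."""
    if not eni.get("Description", "").startswith(LAMBDA_ENI_PREFIX):
        return False
    attachment = eni.get("Attachment")
    # An attached Lambda ENI is owned by the Lambda service; a detached
    # ("available") one has no Attachment block at all, so accept both.
    return attachment is None or attachment.get("InstanceOwnerId") == LAMBDA_ENI_OWNER


def function_name_from_eni(eni: Dict) -> Optional[str]:
    """Extract the function name that follows the description prefix (assumed format)."""
    description = eni.get("Description", "")
    if not description.startswith(LAMBDA_ENI_PREFIX):
        return None
    return description[len(LAMBDA_ENI_PREFIX):].strip() or None


def filter_lambda_enis(enis: Iterable[Dict], vpc_id: Optional[str] = None,
                       function_name: Optional[str] = None) -> List[Dict]:
    """Pure filtering step; works on describe_network_interfaces output or test data."""
    result = []
    for eni in enis:
        if not is_lambda_eni(eni):
            continue
        if vpc_id and eni.get("VpcId") != vpc_id:
            continue
        if function_name and function_name_from_eni(eni) != function_name:
            continue
        result.append(eni)
    return result


def count_lambda_enis_per_vpc(enis: Iterable[Dict]) -> Dict[str, int]:
    """How many Lambda ENIs each VPC holds (useful against the per-VPC ENI limit)."""
    return dict(Counter(eni.get("VpcId", "?") for eni in enis if is_lambda_eni(eni)))


def describe_lambda_enis(vpc_id: Optional[str] = None,
                         region_name: Optional[str] = None) -> List[Dict]:
    """Live query: page through describe_network_interfaces, filtering server-side
    on the description wildcard and client-side with the checks above."""
    import boto3  # imported here so the pure helpers stay usable without AWS access

    ec2 = boto3.client("ec2", region_name=region_name)
    filters = [{"Name": "description", "Values": [LAMBDA_ENI_PREFIX + "*"]}]
    if vpc_id:
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    enis: List[Dict] = []
    for page in ec2.get_paginator("describe_network_interfaces").paginate(Filters=filters):
        enis.extend(page["NetworkInterfaces"])
    return filter_lambda_enis(enis, vpc_id=vpc_id)


# Constructed sample resembling describe_network_interfaces output (not real data).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "VpcId": "vpc-1111", "Status": "in-use",
     "Description": "AWS Lambda VPC my-func",
     "Attachment": {"InstanceOwnerId": "amazon-aws"}},
    {"NetworkInterfaceId": "eni-0bbb", "VpcId": "vpc-1111", "Status": "in-use",
     "Description": "AWS Lambda VPC other-func",
     "Attachment": {"InstanceOwnerId": "amazon-aws"}},
    {"NetworkInterfaceId": "eni-0ccc", "VpcId": "vpc-2222", "Status": "available",
     "Description": "AWS Lambda VPC my-func"},
    {"NetworkInterfaceId": "eni-0ddd", "VpcId": "vpc-1111", "Status": "in-use",
     "Description": "Primary network interface",
     "Attachment": {"InstanceOwnerId": "123456789012"}},
]

if __name__ == "__main__":
    for eni in filter_lambda_enis(SAMPLE_ENIS, vpc_id="vpc-1111"):
        print(eni["NetworkInterfaceId"], function_name_from_eni(eni))
    print(count_lambda_enis_per_vpc(SAMPLE_ENIS))
    # describe_lambda_enis("vpc-1111")  # live call, needs AWS credentials
```

Filtering on the description alone is the weaker signal of the two: anything can set an ENI description, whereas the attachment owner is set by the service, so the live query double-checks the owner after the wildcard filter.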

Related

How to restrict creating AWS vpc if the CIDR in range 172.x.x.x/x using policies?

We've shared AWS accounts among multiple teams and even though we ask not to create identical VPCs, there is always a case.
So my question is, how can we achieve this via policies (or if there is another way), that we define the set of CIDRs in AWS account policy so that when somebody creates a VPC with a CIDR that belongs to one of those, it throws an error?
Thank you.
when somebody creates a VPC with a CIDR that belongs to one of those, it throws an error?
No, there are no such IAM policies. You have to develop your own custom solution for that. For example, trigger a Lambda function based on CloudTrail events for creating a VPC, and have the Lambda function verify the CIDRs.
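A custom guard of the kind the answer suggests, as an added example (not code from the original poster): a Lambda handler invoked by the EventBridge "AWS API Call via CloudTrail" event for CreateVpc, which checks the requested CIDR for overlap with a list of reserved ranges. The reserved ranges, the sample event and the optional delete_vpc remediation are assumptions; the check uses overlap rather than containment so that a VPC larger than a reserved block is caught too.

```python
"""
CloudTrail-driven CIDR guard for CreateVpc.  Example code added for this page,
not from the original poster.  FORBIDDEN_RANGES, the event shape used for the
sample and the delete_vpc remediation are assumptions.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Assumed reserved ranges.  172.16.0.0/12 is the private 172.x block; use
# 172.0.0.0/8 instead if you really want to reject every 172.x.x.x address.
FORBIDDEN_RANGES = ["172.16.0.0/12", "10.0.0.0/16"]


def overlapping_ranges(cidr: str, forbidden: Iterable[str]) -> List[str]:
    """Return the forbidden ranges that overlap the candidate CIDR in either direction."""
    candidate = ipaddress.ip_network(cidr, strict=False)
    return [r for r in forbidden
            if ipaddress.ip_network(r, strict=False).overlaps(candidate)]


def extract_create_vpc(event: Dict) -> Optional[Dict]:
    """Pull cidrBlock / vpcId out of an 'AWS API Call via CloudTrail' event; None if not CreateVpc."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "ec2.amazonaws.com" or detail.get("eventName") != "CreateVpc":
        return None
    cidr = detail.get("requestParameters", {}).get("cidrBlock")
    vpc_id = detail.get("responseElements", {}).get("vpc", {}).get("vpcId")
    if not cidr or not vpc_id:
        return None
    return {"cidr": cidr, "vpc_id": vpc_id,
            "principal": detail.get("userIdentity", {}).get("arn")}


def evaluate(event: Dict, forbidden: Iterable[str] = FORBIDDEN_RANGES) -> Dict:
    """Decide whether the VPC in the event violates policy.  Pure function, easy to test."""
    info = extract_create_vpc(event)
    if info is None:
        return {"action": "ignore"}
    hits = overlapping_ranges(info["cidr"], forbidden)
    return {"action": "violation" if hits else "allow", "vpc_id": info["vpc_id"],
            "cidr": info["cidr"], "overlaps": hits, "principal": info["principal"]}


def handler(event: Dict, context=None, remediate: bool = False) -> Dict:
    """Lambda entry point.  With remediate=True the offending VPC is deleted (assumed policy)."""
    verdict = evaluate(event)
    if verdict["action"] == "violation":
        print(f"POLICY VIOLATION: {verdict['vpc_id']} uses {verdict['cidr']} "
              f"overlapping {verdict['overlaps']} (created by {verdict['principal']})")
        if remediate:
            import boto3  # lazy import keeps the pure logic testable offline
            boto3.client("ec2").delete_vpc(VpcId=verdict["vpc_id"])
    return verdict


# Constructed CloudTrail-via-EventBridge event (not a real capture).
SAMPLE_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpc",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"cidrBlock": "172.20.0.0/16", "instanceTenancy": "default"},
        "responseElements": {"vpc": {"vpcId": "vpc-0abc123"}},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Because CloudTrail delivers the event after the API call has succeeded, this is a detective control, not a preventive one: the VPC exists for a short window before the handler runs, which is why the remediation step deletes it rather than blocking it.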

You have exceeded the maximum limit for Hyperplane ENIs for your account

Our AWS CodePipeline recently started failing at one of our steps with this error - You have exceeded the maximum limit for Lambda HyperPlane ENIs for your VPC. Contact AWS support to increase the VPC limit for Lambda HyperPlane ENIs. We do use a lambda for our load-testing. From this article I found, it seems lambdas run in their own VPC and need an ENI or a HENI (i.e. HyperPlane ENI) to connect to our VPC.
There is a soft limit of 250 HENIs total for the entire VPC in AWS.
How can I fix this issue? There is no mention of ENIs in our IaC code, so maybe they are automatically created for a lambda function? Is there a resource leak?
Although you do not explicitly create an ENI for Lambda, it is still created to allow your Lambda to use the network.
Check this blog post about it: https://aws.plainenglish.io/dealing-with-you-have-exceeded-the-maximum-limit-for-hyperplane-enis-for-your-account-223147e7ab64

Is it possible to connect an AWS Lambda function without a VPC connection to AWS EFS?

I want to connect AWS EFS to my AWS Lambda function, without connecting the Lambda function to VPC. Is it possible to do this?
This is simply No. It's impossible.
EFS file systems are always created within a customer VPC, so Lambda functions using the EFS file system must all reside in the same VPC.
Like stated here (https://aws.amazon.com/blogs/compute/using-amazon-efs-for-aws-lambda-in-your-serverless-applications)
Lambda should be placed within same VPC where EFS is created.
There might be different reasons you don't want to place your Lambda function in a VPC:
Very slow initialization (creating the ENI and attaching the Lambda to it takes a significantly long time)
Additional configuration to place it in the VPC, etc.
One solution is to use the provisioned concurrency feature of Lambda (it comes with more cost).
In this way, you can have multiple Lambda instances ready to use at any time by keeping them warm.
Cheers
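The setup the answer describes, as an added example (not code from the original poster): the function is placed in the VPC that holds the EFS file system, mounted through an EFS access point, and then kept warm with provisioned concurrency. The subnet, security group, access point ARN, function name and concurrency count are placeholders. Two constraints worth knowing are built into the checks: Lambda only accepts mount paths under /mnt/, and provisioned concurrency must target a published version or alias, never $LATEST.

```python
"""
Attach an EFS access point to a Lambda function in the file system's VPC and
keep it warm with provisioned concurrency.  Example code added for this page,
not from the original poster.  All resource IDs are placeholders.
"""
import re
from typing import Dict, List

ACCESS_POINT_ARN_RE = re.compile(
    r"^arn:aws:elasticfilesystem:[a-z0-9-]+:\d{12}:access-point/fsap-[0-9a-f]+$")


def build_efs_vpc_config(subnet_ids: List[str], security_group_ids: List[str],
                         access_point_arn: str, local_mount_path: str) -> Dict:
    """Validate inputs and return the kwargs for update_function_configuration.

    Lambda rejects mount paths outside /mnt/ and requires an access point ARN
    (not a file system ARN), so fail early here instead of at the API call.
    """
    if not subnet_ids or not security_group_ids:
        raise ValueError("VPC config needs at least one subnet and one security group")
    if not ACCESS_POINT_ARN_RE.match(access_point_arn):
        raise ValueError(f"not an EFS access point ARN: {access_point_arn}")
    if not local_mount_path.startswith("/mnt/") or len(local_mount_path) <= len("/mnt/"):
        raise ValueError("LocalMountPath must be under /mnt/, e.g. /mnt/data")
    return {
        "VpcConfig": {"SubnetIds": subnet_ids, "SecurityGroupIds": security_group_ids},
        "FileSystemConfigs": [{"Arn": access_point_arn, "LocalMountPath": local_mount_path}],
    }


def attach_efs_and_keep_warm(function_name: str, config: Dict, warm_instances: int) -> str:
    """Apply the config, publish a version and put provisioned concurrency on it.

    Provisioned concurrency cannot target $LATEST, which is why a version is
    published first.  Returns the published version number.
    """
    import boto3  # lazy import: build_efs_vpc_config stays testable offline

    lam = boto3.client("lambda")
    lam.update_function_configuration(FunctionName=function_name, **config)
    # Wait until the configuration change has propagated before publishing,
    # otherwise publish_version can fail with ResourceConflictException.
    lam.get_waiter("function_updated").wait(FunctionName=function_name)
    version = lam.publish_version(FunctionName=function_name)["Version"]
    lam.put_provisioned_concurrency_config(
        FunctionName=function_name, Qualifier=version,
        ProvisionedConcurrentExecutions=warm_instances)
    return version


if __name__ == "__main__":
    cfg = build_efs_vpc_config(
        subnet_ids=["subnet-0123456789abcdef0"],            # placeholder
        security_group_ids=["sg-0123456789abcdef0"],        # placeholder
        access_point_arn="arn:aws:elasticfilesystem:us-east-1:123456789012:access-point/fsap-0123456789abcdef0",
        local_mount_path="/mnt/efs")
    print(cfg)
    # attach_efs_and_keep_warm("my-efs-function", cfg, warm_instances=2)  # needs AWS credentials
```

The security group given here must be allowed inbound on TCP 2049 (NFS) by the file system's mount-target security group, and the access point's POSIX user and root directory decide what the function can touch on the file system; that, rather than the function's IAM role alone, is the least-privilege boundary for the data.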

Is it possible in AWS to subscribe to EC2 created/started/stopped/terminated events?

I have a utility in Lambda which does automatic DNS registration via an intelligent automated process. Instances that are created with a Name tag including XXXXXX and a autodns tag set to true will have Route 53 records created and deleted when these instances are created and deleted.
Previously, I had been using an autoscaling event listener on targeted autoscaling groups, but this has the unfortunate side-effect of not catching events when autoscaling groups are initially created, as the ASG needs to be created before the subscription can be, so I'm missing instances. A workaround that I've used is to just schedule the Lambda execution every minute and have it search and apply actions, but this is severely limiting.
Is there a way for me to listen to EC2 to receive instance creation and deletion events for all EC2 instances? I have been digging around in CloudWatch and haven't found anything useful.
Yes, you can use Amazon CloudWatch Events to trigger an AWS Lambda function when an Amazon EC2 instance changes state.
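What that subscription looks like in practice, as an added example (not code from the original poster): an EventBridge (formerly CloudWatch Events) rule pattern matching "EC2 Instance State-change Notification" for the running and terminated states, and a Lambda handler that upserts or deletes a Route 53 A record for instances whose Name tag contains the marker and whose autodns tag is true. The rule pattern is real EventBridge syntax; the hosted zone, domain, tag names and the XXXXXX marker (kept from the question) are placeholders.

```python
"""
EC2 state-change -> Lambda -> Route 53 auto-registration.  Example code added
for this page, not from the original poster.  HOSTED_ZONE_ID, DOMAIN and the
tag conventions are assumptions; RULE_PATTERN goes on the EventBridge rule.
"""
from typing import Dict, Optional

# EventBridge rule event pattern: fires on the two states we care about.
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running", "terminated"]},
}

HOSTED_ZONE_ID = "Z0123456789EXAMPLE"   # placeholder
DOMAIN = "example.internal"             # placeholder
NAME_MARKER = "XXXXXX"                  # substring the Name tag must contain (from the question)


def record_name(instance_name: str) -> str:
    """Fully qualified, lower-cased record name with the trailing dot Route 53 returns."""
    return f"{instance_name.lower()}.{DOMAIN}."


def plan_dns_change(state: str, tags: Dict[str, str], ip: Optional[str]) -> Optional[Dict]:
    """Decide the Route 53 change for one state-change event; None if nothing to do.

    `ip` is the instance's private IP for 'running' and the currently
    published record value for 'terminated' (a DELETE must match the
    existing record exactly).  Pure function so it can be tested offline.
    """
    name = tags.get("Name", "")
    if tags.get("autodns", "").lower() != "true" or NAME_MARKER not in name or not ip:
        return None
    if state == "running":
        action = "UPSERT"
    elif state == "terminated":
        action = "DELETE"
    else:
        return None
    return {
        "Action": action,
        "ResourceRecordSet": {
            "Name": record_name(name), "Type": "A", "TTL": 60,
            "ResourceRecords": [{"Value": ip}],
        },
    }


def current_record_value(route53, name: str) -> Optional[str]:
    """Look up the A record currently published for `name`, if any."""
    resp = route53.list_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID, StartRecordName=name, StartRecordType="A", MaxItems="1")
    for rrset in resp.get("ResourceRecordSets", []):
        if rrset["Name"] == name and rrset["Type"] == "A":
            return rrset["ResourceRecords"][0]["Value"]
    return None


def handler(event: Dict, context=None) -> Optional[Dict]:
    """Lambda entry point: resolve tags and IP for the instance, then apply the planned change."""
    import boto3  # lazy import keeps plan_dns_change testable offline

    detail = event["detail"]
    instance_id, state = detail["instance-id"], detail["state"]
    ec2, route53 = boto3.client("ec2"), boto3.client("route53")
    # Terminated instances (and their tags) stay visible to describe_instances
    # for a while, which is what lets the DELETE path find the Name tag.
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    if state == "terminated":
        ip = current_record_value(route53, record_name(tags.get("Name", "")))
    else:
        ip = instance.get("PrivateIpAddress")
    change = plan_dns_change(state, tags, ip)
    if change is not None:
        route53.change_resource_record_sets(
            HostedZoneId=HOSTED_ZONE_ID, ChangeBatch={"Changes": [change]})
    return change


# Constructed sample event and tags (not a real capture).
SAMPLE_EVENT = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                "detail": {"instance-id": "i-0abcdef1234567890", "state": "running"}}
SAMPLE_TAGS = {"Name": "web-XXXXXX-01", "autodns": "true"}

if __name__ == "__main__":
    print(plan_dns_change(SAMPLE_EVENT["detail"]["state"], SAMPLE_TAGS, "10.0.1.5"))
```

Because the rule matches every instance in the account, not just members of a particular Auto Scaling group, instances launched by a freshly created ASG are caught too; the function's IAM role only needs ec2:DescribeInstances plus route53:ListResourceRecordSets and route53:ChangeResourceRecordSets scoped to the one hosted zone.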

When does AWS Lambda create ENI?

I know Lambda will create an ENI (which in turn causes a longer cold start) if it wants to access resources in a VPC. However, I wish to know when the Lambda function creates the ENI.
Is it on the container's initialization (which the developer has no control of)?
Or is it when we start a connection (running db.Connect() or something like it) with other resources, e.g. RDS?
The ENI is created on every cold start.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
When a Lambda function is configured to run within a VPC, it incurs an additional ENI start-up penalty. This means address resolution may be delayed when trying to connect to network resources.