Is it possible to make some kind of HTTP request that will trigger Lambda and allow it to build a response for the request?
Is it possible for Lambda to access CloudFront cache directly or somehow get the data it needs. I guess it can be done making HTTP requests to CloudFront, but maybe there is more direct way to do that, no?
Or all this stuff I'm asking here is a peace of **** and I better go and buy a new server or optimize my code (actually, i would like to, but manager wants CloudFront + Lambda, so I'm trying to figure out if that is possible, but the docs don't give me an answer. Am I blind maybe?)
You can expose your lambda function via an API gateway. Then your lambda function can just run code that will access other services/resources (CloundFront, SNS, SQS, etc). Use the AWS SDK to access these services.
See Amazon API Gateway documentation: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
Related
I would like to use you AWS API Gateway as a single entry point to my backend which will proxy (redirect) request to different microservices based on URL prefix. However before to do proxy it would be nice to have lambda which may check requests and make a decision if allowed to make proxy or it's better to make a response imidiatly, so, in another word, I would like to have AWS lambda as middleware. Is it possible to do?
Short answer
Yes, but don't do it. There are other solutions.
Explanation why you shouldn't do it
You can use a lambda in between your containers and API gw but using a lambda as a 'middleware' is an antipattern, you will have to pay double by making your lambda wait on your microservices response.
Other solutions
If you want to handle authentication or check headers and cookies you should use a lambda authorizer.
For your use-case you can make use of an application loadbalancer. That can do path redirects to different target groups.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-achieve-path-based-routing-alb/
It might make sense in having a library that is shared by the different microservices that does the early response or request checking.
Not sure what is your real goal and use case but if you elaborate more on what you'd like to achieve, I might can help.
IMHO this would be the job of API Gateway - based on different URIs & HTTP Methods you may forward the request to different lambdas. You can also check /validate your request params/body and/or add Authorizers (including a Lambda).
It would be interesting to know more about the use case and if the API GAteway would be suitable for it
We are exposing a AWS Api Gateway which needs to act as proxy and push body as message to AWS SQS. Our API gateway body can be array of object which we need to parse and send each object to SQS as separate message. Is there any way to achieve this without using Lambda ?
To answer your question, for something as simple as parsing a message and posting to SQS, I don't believe you need Lambda, no. Lambdas are designed for serverless-architecture. That is, when you don't have a server and you still want to run code. In this case, you do have a server behind your API Gateway, so you don't need Lambda (unless you want fancy branching error handling). You can use your API Gateway directly, yep. Here's a code review I found:
https://dzone.com/articles/creating-aws-service-proxy-for-amazon-sqs
I am someone who is totally new to REST APIs, pardon the newbie-ish mistakes.
My requirement is:
The source Database people wants to send JSON data on an hourly basis to an API endpoint which I publish. I am not sure of what all do I need to build to make sure it happens seamlessly. My target is to receive the data and create CSV files and save in it AWS S3 for further downstream processing.
My plan is, creating an AWS API Gateway endpoint which will accept POST requests and whenever anyone sends data through POST, the API Gateway will trigger AWS Lambda Function which will run Python to parse the JSON data to CSV and store in AWS S3. Is this thought valid? What all am I missing out? Are there best practices which needs to be implemented?
This architecture seems to be what you wanna do.
You wanna make sure that your API is secured with a key or via Cognito (more complex) and that your Lambda have the IAM permissions needed in order to access your bucket.
This post will help you understand the Lambda blueprint that is triggered when an object is upload to s3. Just change the Lambda trigger and a little bit the Python code and you're done.
Yes,this is a simple, typical serverless stack and it works perfectly fine.
Additionally, you may also focus on the authentication on the API Gateway end point to make it secure.
I'm considering about moving my service from a VPS to AWS Lambda + DynamoDB to use it as a FaaS, because it's basically 2 API GET calls that fetch info from the database and serve it, and the normal use of those API calls are really rare (about 50 times a week)
But it makes me wonder... As I can't setup a limit on how many calls I want to serve each month, some attacker could theoretically flood my service by calling it a couple thousands times a day and make my AWS bill extremely expensive. Setting up a limit per month wouldn't be a nice idea either, because the attacker could flood the first day and I won't have more requests to serve. The ideal thing would be to set up a limit on request rate per client.
Anyone knows how could I protect it? I've seen that AWS also offers a Firewall, but that's for CloudFront. Isn't there any way to make it work with Lambda directly?
You can put AWS CloudFront in front API Gateway and Lambda so that, the traffic will be served to outside through CloudFront.
In addition by configuring AWS WAF with rate base blocking, it is possible to block high frequencies of access by attackers.
However when configuring AWS CloudFront in front of API Gateway and Lambda, you also need to restrict direct access to API Gateway (Since API Gateway will be publicly accessible by default). This can be achieved in following ways.
Enable API Keys for API Gateway and use the API Key in AWS CloudFront Headers in the Origin.
Use a Token Header and Verify it using a Custom Authorizer Lambda function.
Two options spring to mind:
place API Gateway in front of Lambda so that API requests
have to be authenticated. API Gateway also has built-in throttles and other useful features.
invoke the Lambda directly, which will require the client
invoking the Lambda to have the relevant IAM credentials.
This is bit tricky situation I got into here,
I set up a lambda function & API gateway, then I setup cloudfront over API gateway for faster processing and achieving benefit of all the endpoint nodes provided by AWS [It should take more time using cloudfront on top of API gateway service but I am getting better result with cloudfront layer on top of it, maybe DNS resolution and AWS internal infrastructure is better]
I setup a JAVA function inside lambda which is working perfectly fine, but I want to use Context of request maker in lambda function
public String handleRequest(UserPOJO input, Context context) {
}
If I make direct lambda function request I can achieve that but it's taking too much time executing direct lambda from my Android client, also I don't find it good to expose those details, and with cloudfront I am not sure what headers should I send so that lambda detects it's cognito role and ID using context.getIdentity().getIdentityId(); in lambda.
If someone understands my problem here and elaborate it better for other I will be glad, it is very complex to explain the problem.
Technically
I can make execution of lambda function directly with cognito credential provider authentication but Very slow
Can make API gateway request which cognito credential provider authentication, speed is better than direct lambda execution
Can make cloudfront request but stuck where I don't know how can I use cognito credential provider authorisation while making the request. Seemed faster than API gateway.
Thanks. :)
If you want to get Cognito related information in Lambda function and you are proxying your request from API Gateway, You can use the mapping template to include information you need, then you can get it from the input object.
I can make execution of lambda function directly with cognito credential provider authentication but Very slow.
I recommend you to build your Lambda function in python or javascript runtime.
Can make API gateway request which cognito credential provider authentication, speed is better than direct lambda execution
API Gateway cannot improve the performance of your Lambda function, but API Gateway can provide API management feature for your Lambda function.
Can make cloudfront request but stuck where I don't know how can I use cognito credential provider authorisation while making the request. Seemed faster than API gateway.
CloudFront doesn't have do anything with your Cognito credential. It just passes everything it gets to API Gateway.
I am not sure how adding a CloudFront distribution in front of API Gateway can make the latency better except you enable the edge side cache which is not calling your Lambda function every time.