Note: I am NOT asking why a Lambda in a subnet cannot access the public internet.
I would like to host a Lambda function, with the Function URL enabled, in a public subnet and expose it via CloudFront. This is so that the function can be called from the broader internet but also access private resources.
Is this possible?
I have tried creating a very simple Lambda (the default generated by the serverless.AspNetCoreMinimalAPI template) and uploading it to a simple function with Function URL enabled. With just that, I can call the Lambda from (e.g.) Postman.
The moment I attach it to the public subnet of my VPC I get a 502 Bad Gateway, even with an Internet Gateway attached to the VPC.
Yes, it is possible. You need to add a NAT Gateway to your VPC and attach it to your public subnet. Then you need to add a route to your route table to route all traffic to the NAT Gateway. You can find more information here: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
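An offline way to verify the routing the answer describes, added here as an example (not code from the question, the answer or AWS). It assumes input shaped like the `RouteTables` list that `aws ec2 describe-route-tables` returns; the sample below is constructed. It follows the layout in the linked Lambda VPC documentation: the NAT gateway sits in the public subnet, and the function is attached to a subnet whose default route points at that NAT gateway. A function whose subnet's default route is the internet gateway gets classified as `public`, which is the configuration that fails, because Lambda ENIs only carry private IPs.

```python
"""Classify VPC subnets by their default route and decide whether a Lambda
attached to them has outbound internet access via a NAT gateway.

Assumed input shape: the `RouteTables` list from `aws ec2 describe-route-tables`.
The ROUTE_TABLES sample is constructed for this example, not from a real account.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample mimicking describe-route-tables output.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-demo"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-demo"},
        ],
    },
    {
        # Main route table: applies to any subnet without an explicit association.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]


def route_table_for(subnet_id, route_tables):
    """Return the route table that applies to a subnet: its explicit
    association if one exists, otherwise the VPC's main route table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnet(subnet_id, route_tables):
    """Classify a subnet by where its 0.0.0.0/0 route points:
    'public' (internet gateway), 'private-nat' (NAT gateway),
    'isolated' (no default route) or 'other' (e.g. a transit gateway)."""
    table = route_table_for(subnet_id, route_tables)
    if table is None:
        return "isolated"
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        # Blackholed routes (e.g. a deleted NAT gateway) do not carry traffic.
        if route.get("State", "active") != "active":
            continue
        if "NatGatewayId" in route:
            return "private-nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        return "other"
    return "isolated"


def check_lambda_egress(subnet_ids, route_tables):
    """Lambda may place its ENIs in any of the configured subnets, so every
    one of them needs NAT egress. Returns (ok, list of offending subnets)."""
    problems = []
    for subnet_id in subnet_ids:
        kind = classify_subnet(subnet_id, route_tables)
        if kind != "private-nat":
            problems.append(f"{subnet_id}: {kind}")
    return (not problems, problems)


if __name__ == "__main__":
    # The layout from the question: function attached to the public subnet only.
    print(check_lambda_egress(["subnet-public-a"], ROUTE_TABLES))
    # The documented layout: private subnet whose default route is the NAT gateway.
    print(check_lambda_egress(["subnet-private-a"], ROUTE_TABLES))
```

To run it against a real VPC, replace `ROUTE_TABLES` with the parsed JSON from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<your vpc id>` and pass the function's configured `SubnetIds`; any subnet reported as `public` or `isolated` is one where the function's ENIs have no path to the internet.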