I have configured a public API Gateway and an AWS Lambda function (the Lambda is not in a VPC), which are integrated. I can call API Gateway and it redirects the requests to AWS Lambda, and it works fine.
Recently I spotted that in CloudFormation, in the Outputs section for the Lambda stack, a key ApiURL is available with a URL like this: https://[magic-number].execute-api.[region].amazonaws.com/Prod/.
I pasted this link into a web browser and was surprised that I got the response "Welcome to running ASP.NET Core on AWS Lambda".
Does it mean that my Lambda can be called directly from the Internet? My intention was to hide the Lambda and use API GW with authorization using AWS Cognito.
How can I make the Lambda private and make sure that it will be accessible only from the public API GW? Do I have to deploy this Lambda to a private subnet in a VPC, or does it not have to be in a VPC?
You can solve this problem by following these steps:
Under "Auth type", choose AWS_IAM.
Now your Lambda is not available via its URL, but API Gateway can access it: Using the AWS_IAM auth type.
Or just:
Now any Internet access is removed and the only way to access the Lambda function is via API Gateway!
If you want to explore more, please take a look at VPCs, which can also give you this result: Internet and service access for VPC-connected functions
Now the Lambda is hidden and you can configure AWS Cognito to use with API Gateway.
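One way to check that a function really ends up in the state the answer describes (function URL requires AWS_IAM, and the resource-based policy grants invoke only to API Gateway, not to everyone) is to audit the URL config and policy. This is an added example, not code from the answer; the dicts mirror the shape of boto3's get_function_url_config and get_policy responses, but all data is constructed and nothing calls AWS.

```python
"""Audit a Lambda function URL configuration and its resource-based policy
for an unauthenticated public invocation path (added example, constructed data)."""
import json

# Constructed samples shaped like boto3 lambda.get_function_url_config() and
# lambda.get_policy() responses; nothing here calls AWS.
URL_CONFIG_PUBLIC = {"FunctionUrl": "https://example.lambda-url.eu-west-1.on.aws/",
                     "AuthType": "NONE"}
URL_CONFIG_IAM = dict(URL_CONFIG_PUBLIC, AuthType="AWS_IAM")

# Resource policy Lambda attaches when a NONE-auth function URL is made public.
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:demo",
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})
# Policy that only lets one API Gateway stage invoke the function (the target state).
POLICY_APIGW = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:demo",
    "Condition": {"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:eu-west-1:111122223333:abc123/*/*/*"}}}]})

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def audit_function_url(url_config, policy_json):
    """Return findings describing anonymous invoke paths; [] means none found.
    url_config may be None when the function has no function URL at all."""
    findings = []
    if url_config and url_config.get("AuthType") == "NONE":
        findings.append("function URL AuthType is NONE; switch it to AWS_IAM")
    policy = json.loads(policy_json) if policy_json else {"Statement": []}
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal"))
                and any(a in ("lambda:InvokeFunctionUrl", "lambda:*", "*") for a in actions)):
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} grants "
                            "InvokeFunctionUrl to everyone; remove it")
    return findings

if __name__ == "__main__":
    print(audit_function_url(URL_CONFIG_PUBLIC, POLICY_PUBLIC))  # two findings
    print(audit_function_url(URL_CONFIG_IAM, POLICY_APIGW))      # []
```

Both checks matter: flipping the auth type to AWS_IAM without removing the public-access statement leaves a policy that still names a wildcard principal, which the audit reports separately.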