I would like to check how to let the AWS public subnet's Lambda get information from the private subnet's Lambda.
AWS Diagram to be achieved:
I have a regulatory restriction that means I am unable to let the Lambda use the Lambda-managed VPC, and many of the solutions I checked do not have a case similar to mine.
I used "Create VPC" on the VPC console to create my VPC.
The following is the VPC setting:
The Lambda code is in Node.js 20.x. The client Lambda code works fine if I use a VPC endpoint, but because my customer has budget limits, I removed the VPC endpoint, and the InvokeCommand is not working anymore.
The private subnet Lambda and some portion of the public subnet Lambda function code have been removed, as those are my data-processing portions.
The code for the public subnet's Lambda (lambdaInPublic) is as follows:
    import { LambdaClient, InvokeCommand, LogType } from "@aws-sdk/client-lambda";

    export const handler = async (event) => {
      // `params` was defined in the data-processing code removed from this post;
      // here it is taken from the incoming event so the snippet is self-contained.
      const params = event;
      const client = new LambdaClient({});
      const command = new InvokeCommand({
        FunctionName: "lambdaInPrivate",
        InvocationType: "RequestResponse",
        Payload: JSON.stringify({ qrCode: params.qrCode }),
        LogType: LogType.Tail,
      });
      const { Payload, LogResult } = await client.send(command);
      // Payload is a Uint8Array; LogResult is base64-encoded when LogType.Tail is set.
      const decodedPayload = Buffer.from(Payload).toString();
      const response = {
        statusCode: 200,
        headers: {
          'Content-Type': 'text/html',
        },
        body: decodedPayload,
      };
      return response;
    };
The code for the private subnet's Lambda (lambdaInPrivate) is as follows:

    export const handler = async (event) => {
      return "Hi I am from Private Lambda";
    };
Please advise on how to get the information from the private subnet's Lambda back to the public subnet's Lambda when triggered, without using a VPC endpoint.
Also, please advise whether my InvokeCommand is valid for my case, and share any appropriate code with which I can achieve "getting the information from the private subnet's Lambda back to the public subnet's Lambda when triggered, without using a VPC endpoint."
Thanks a lot
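Independently of the routing problem, the invoker above decodes only the payload and never looks at FunctionError, so an exception in lambdaInPrivate would be returned to the browser as a 200 text/html page. The following is an added example, not the question's code: it builds the same InvokeCommand input and decodes an InvokeCommand response (Payload as a Uint8Array, LogResult as base64, FunctionError set when the callee threw) without the SDK, so it runs offline. It assumes the qrCode arrives on the event object and that the callee is named lambdaInPrivate; the sample responses at the bottom are constructed, not captured from AWS.

```javascript
// Equivalent to the object passed to `new InvokeCommand({...})`.
// "Tail" is the string value of LogType.Tail in @aws-sdk/client-lambda.
function buildInvokeInput(qrCode) {
  if (typeof qrCode !== "string" || qrCode.length === 0) {
    throw new Error("qrCode is required"); // fail before paying for an invocation
  }
  return {
    FunctionName: "lambdaInPrivate",
    InvocationType: "RequestResponse",
    LogType: "Tail",
    Payload: JSON.stringify({ qrCode }), // the SDK accepts a string or a Uint8Array
  };
}

// Decode the fields of an InvokeCommandOutput:
//   StatusCode    - 200 for a synchronous call that reached the function
//   FunctionError - "Handled" | "Unhandled" when the callee threw (StatusCode is still 200)
//   LogResult     - base64 of the tail of the callee's log when LogType is "Tail"
//   Payload       - Uint8Array holding the callee's JSON-serialised return value
function parseInvokeResponse(output) {
  const { StatusCode, FunctionError, LogResult, Payload } = output;
  const text = Payload ? Buffer.from(Payload).toString("utf8") : "";
  const logs = LogResult ? Buffer.from(LogResult, "base64").toString("utf8") : "";
  if (FunctionError) {
    // On error the payload is {"errorType": ..., "errorMessage": ...}; surface it
    // instead of handing it to the browser as a successful text/html body.
    let message = text;
    try { message = JSON.parse(text).errorMessage ?? text; } catch { /* keep raw text */ }
    const err = new Error(`lambdaInPrivate ${FunctionError} error: ${message}`);
    err.logs = logs;
    throw err;
  }
  // A handler that returns a string yields a JSON string literal, e.g. "\"Hi ...\"".
  let result = text;
  try { result = JSON.parse(text); } catch { /* non-JSON payload, keep raw text */ }
  return { statusCode: StatusCode, logs, result };
}

// Public-function handler with the SDK call injected as `send`, so the same code
// runs offline; in production: send = (input) => client.send(new InvokeCommand(input)).
async function handler(event, send) {
  const qrCode = event?.qrCode ?? event?.queryStringParameters?.qrCode; // assumed event shape
  const parsed = parseInvokeResponse(await send(buildInvokeInput(qrCode)));
  return {
    statusCode: 200,
    headers: { "Content-Type": "text/html" },
    body: String(parsed.result),
  };
}

// Constructed sample outputs (not captured from AWS), shaped like InvokeCommandOutput.
const sampleOk = {
  StatusCode: 200,
  LogResult: Buffer.from("START RequestId: <constructed>\nEND RequestId: <constructed>\n").toString("base64"),
  Payload: new TextEncoder().encode(JSON.stringify("Hi I am from Private Lambda")),
};
const sampleError = {
  StatusCode: 200,
  FunctionError: "Unhandled",
  Payload: new TextEncoder().encode(JSON.stringify({ errorType: "Error", errorMessage: "boom" })),
};
```

The `send` parameter exists only so the handler can be exercised without network access; in the real function, pass `(input) => client.send(new InvokeCommand(input))`. None of this changes the fact that `client.send` still needs a network route to the Lambda service endpoint, which is the actual reason the call fails once the VPC endpoint is gone.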
Nothing that you do here can change the fact that your Lambda functions are connected to an AWS-managed service VPC. Both of them. If that's a blocker for you then you need to dig deeper into this compliance requirement. You can explain the Lambda isolation model to your compliance team, for example.
That aside, your proposed architecture won't work because the 'public' Lambda function cannot reach the AWS Lambda service endpoint and hence it cannot make any Lambda API requests (so it cannot Invoke the 'private' Lambda function). You might think the fact that the Lambda function being connected to public subnet gives it the ability to route traffic to public endpoints via the Internet Gateway, but it does not.
Lambda functions cannot communicate directly with each other. For one to invoke the other, it must make an API request to the AWS Lambda service. Alternatively, it could make an API request to API Gateway which could then trigger the Lambda function (again via the AWS Lambda service).
Regardless of where your 'private' Lambda function is, the invoking 'public' Lambda function needs a network route to the AWS Lambda service endpoint in order to be able to make Lambda API calls. You can supply that route via a VPC Endpoint or via NAT and Internet Gateway.
Also, there's no point in placing your 'public' Lambda function in a public subnet. This doesn't change the fact that the Lambda function continues to be connected to an AWS-managed service VPC. It simply reduces the network route options of the 'public' Lambda function.
By the way, it's generally not a good idea for one Lambda function to synchronously invoke another Lambda function, because you are then paying for both at the same time, while the invoker is basically doing nothing other than waiting for the response from the invokee.
So, two options for resolving this problem are:
1. Add a VPC Endpoint into the VPC so that your Lambda functions can make API requests to the AWS Lambda service. This will allow your 'public' Lambda function to invoke the 'private' Lambda function.
2. Add a NAT Gateway to your VPC and connect the 'public' Lambda function to the private subnet (otherwise it cannot invoke the 'private' Lambda function). Also ensure a default route from the private subnet to the NAT.
Either of those options will work, but I personally would not do either of them. Ideally, you need to revisit your requirements here and change the design.
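To make the routing argument in this answer concrete, here is an added example (not the answer's own code) that models it and runs it against the layouts discussed in the thread: the question's setup, option 1 (Lambda interface endpoint), option 2 (NAT gateway with the function moved to the private subnet), and the case the answer warns about (NAT added but the function left in the public subnet). It encodes two facts about VPC-connected Lambda: the function's ENI has only a private IP, so a default route to an Internet Gateway cannot carry its traffic; and the Lambda API is reached either through an interface VPC endpoint for the Lambda service or through a route to a NAT gateway. The VPC layout, subnet names, route targets and the `REGION` placeholder are constructed, not real resources.

```javascript
// Constructed VPC description: one public and one private subnet, no endpoint, no NAT.
const VPC = {
  subnets: {
    "subnet-public":  { routeTable: "rtb-public" },
    "subnet-private": { routeTable: "rtb-private" },
  },
  routeTables: {
    "rtb-public":  [{ destination: "0.0.0.0/0", target: "igw-0000" }],
    "rtb-private": [],                 // no default route yet
  },
  interfaceEndpoints: [],              // e.g. "com.amazonaws.REGION.lambda"
};

// Apply changes to a deep copy so each scenario starts from the same layout.
function withChanges(vpc, fn) {
  const copy = JSON.parse(JSON.stringify(vpc));
  fn(copy);
  return copy;
}

// Decide whether a VPC-connected function placed in `subnetId` has a network
// route to the AWS Lambda service endpoint, and can therefore issue Invoke calls.
// Assumes a NAT gateway, where present, sits in a subnet that itself routes to the IGW.
function canReachLambdaService(vpc, subnetId) {
  const subnet = vpc.subnets[subnetId];
  if (!subnet) throw new Error(`unknown subnet ${subnetId}`);
  // An interface endpoint for the Lambda service is reachable from any subnet in the VPC.
  if (vpc.interfaceEndpoints.some((s) => s.endsWith(".lambda"))) {
    return { reachable: true, via: "interface VPC endpoint" };
  }
  const routes = vpc.routeTables[subnet.routeTable] ?? [];
  const def = routes.find((r) => r.destination === "0.0.0.0/0");
  if (!def) return { reachable: false, reason: "no default route in the subnet's route table" };
  if (def.target.startsWith("nat-")) return { reachable: true, via: "NAT gateway" };
  if (def.target.startsWith("igw-")) {
    return { reachable: false, reason: "default route goes to an Internet Gateway, which needs a public IP the Lambda ENI does not have" };
  }
  return { reachable: false, reason: `unsupported route target ${def.target}` };
}

// Scenario 1: the question's layout, function in the public subnet, no endpoint, no NAT.
function scenarioAsAsked() {
  return canReachLambdaService(VPC, "subnet-public");
}
// Scenario 2: option 1, a Lambda interface endpoint; subnet placement no longer matters.
function scenarioVpcEndpoint() {
  const v = withChanges(VPC, (c) => c.interfaceEndpoints.push("com.amazonaws.REGION.lambda"));
  return canReachLambdaService(v, "subnet-public");
}
// Scenario 3: option 2, NAT gateway, default route from the private subnet to it, function moved there.
function scenarioNatPrivate() {
  const v = withChanges(VPC, (c) => c.routeTables["rtb-private"].push({ destination: "0.0.0.0/0", target: "nat-0000" }));
  return canReachLambdaService(v, "subnet-private");
}
// Scenario 4: NAT added but the function left in the public subnet; still no usable route.
function scenarioNatButPublic() {
  const v = withChanges(VPC, (c) => c.routeTables["rtb-private"].push({ destination: "0.0.0.0/0", target: "nat-0000" }));
  return canReachLambdaService(v, "subnet-public");
}
```

To check a real account against the same logic, `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>` shows the default route of the subnet the function is attached to, and `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id>` shows whether a Lambda interface endpoint exists in the VPC.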