11

I have a Lambda function in AWS inside a VPC. I want to attach an HTTP handler (function URL).

The problem is, if I enable the function URL then it creates a public endpoint.

Alternatives I don't want to use

  • enable AWS_IAM security (then the caller will need to use the AWS SDK, get a token and all that)
  • API Gateway trigger (I am already using API Gateway as a proxy to the Kubernetes Ingress, I don't want to diverge from that)
  • ALB (I am already using k8s Ingress, which creates an ALB, so I want the proxy to be created manually by code, not using the Lambda configuration)

Is there a way we can create an AWS Lambda function URL but have it accessible only within the VPC, without involving the AWS SDK? (like wget URL)

1 Comment

  • Nope, you'd need to do any authentication in the Lambda function yourself if you want something beyond AWS_IAM security or public access. Commented May 4, 2022 at 11:52
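The comment above is the crux: with a function URL whose auth type is NONE, nothing in front of the function identifies the caller, so the function has to do it. The handler below is an added example (not code from the question, the comment or any of the answers) of what "authentication in the Lambda function yourself" can look like while still letting a plain wget/curl caller in, with no AWS SDK: the caller computes an HMAC-SHA256 over method, path, timestamp and body with a shared secret and sends it in two headers, and the function recomputes it and answers 403 on any mismatch, missing header or stale timestamp. The header names, the environment variable, the clock window and the sample event are all assumptions of this example; the event shape follows the function URL payload format 2.0. The caveat a practitioner should keep in mind: this does not make the URL private. The endpoint stays reachable from the public internet, and the secret plus the 403 are the only barrier, so the secret needs the same care as any credential. Checking `requestContext.http.sourceIp` instead is a weaker substitute, since VPC traffic that leaves through a NAT gateway arrives with the NAT's public address.

```python
"""Function-URL handler that performs its own request authentication.

Added example, not part of the original thread. The shared secret, header
names and clock window are assumptions; the sample event is constructed.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: the secret arrives through an environment variable (a secrets
# store would feed it in practice). The fallback is a constructed value so
# the example runs offline.
SHARED_SECRET = os.environ.get("SHARED_SECRET", "constructed-example-secret").encode()
SIGNATURE_HEADER = "x-signature"   # assumed header names, not anything AWS defines
TIMESTAMP_HEADER = "x-timestamp"
MAX_CLOCK_SKEW = 300               # seconds a request timestamp may drift from the function's clock


def canonical_string(method, path, timestamp, body):
    """Bytes that get signed: binds method, path, time and body to one signature."""
    return "\n".join([method.upper(), path, str(timestamp), body]).encode()


def sign(method, path, timestamp, body, secret=SHARED_SECRET):
    """HMAC-SHA256 over the canonical string, hex encoded. The caller runs the same computation."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def is_authentic(event, now=None, secret=SHARED_SECRET):
    """Check a function-URL event (payload format 2.0) against the shared secret."""
    now = time.time() if now is None else now
    # Function URLs deliver header names in lower case; normalise anyway.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    signature = headers.get(SIGNATURE_HEADER)
    timestamp = headers.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False
    try:
        if abs(now - int(timestamp)) > MAX_CLOCK_SKEW:   # stale or replayed request
            return False
    except ValueError:
        return False
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode()
    method = event.get("requestContext", {}).get("http", {}).get("method", "")
    expected = sign(method, event.get("rawPath", "/"), timestamp, body, secret)
    return hmac.compare_digest(expected, signature)   # constant-time comparison


def handler(event, context=None, now=None):
    """Lambda entry point: 403 unless the request carries a valid signature."""
    if not is_authentic(event, now):
        return {"statusCode": 403, "headers": {"content-type": "application/json"},
                "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "headers": {"content-type": "application/json"},
            "body": json.dumps({"ok": True, "path": event.get("rawPath")})}


def make_signed_event(method, path, body, timestamp, secret=SHARED_SECRET):
    """Constructed function-URL event, shaped as Lambda builds it from a signed HTTP request."""
    return {
        "version": "2.0",
        "routeKey": "$default",
        "rawPath": path,
        "rawQueryString": "",
        "headers": {
            "content-type": "application/json",
            SIGNATURE_HEADER: sign(method, path, timestamp, body, secret),
            TIMESTAMP_HEADER: str(timestamp),
        },
        # sourceIp is a constructed value; it is not used for the decision.
        "requestContext": {"http": {"method": method, "path": path, "sourceIp": "10.0.1.25"}},
        "body": body,
        "isBase64Encoded": False,
    }


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_signed_event("POST", "/report", '{"job": 7}', now)
    print(handler(good, now=now)["statusCode"])                                           # 200
    print(handler(dict(good, body='{"job": 8}'), now=now)["statusCode"])                  # 403: body changed
    print(handler(make_signed_event("GET", "/", "", now - 1000), now=now)["statusCode"])  # 403: stale
```

A caller inside the VPC only needs the secret and the same four-line canonical string to produce the two headers, which is the "wget-like" access the question asks for; the signature binds the body, so a modified payload fails, and the timestamp window bounds how long a captured request stays valid.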

3 Answers

5

It's a bit late, but nonetheless, the Function URL is always public, and there is no way to make it private as the documentation states (at least at the time of posting this):

You can access your function URL through the public Internet only. While Lambda functions do support AWS PrivateLink, function URLs do not.

You can find more information here https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html.

There is another way to invoke the Lambda function privately from a VPC, using VPC Lattice, but this is meant for architectures where you have several services and not an ad-hoc Lambda. However, nothing prevents you from using it for just one Lambda.

Hope it helps.


4

I looked into this for a similar use case; eventually I went with a direct Lambda Invoke from the SDK, using the RequestResponse InvocationType to obtain the response payload. This suited my needs, but it might not suit your case.

using Amazon.Lambda;
using Amazon.Lambda.Model;

var lambdaClient = new AmazonLambdaClient();   // credentials come from the default chain
string data = "{\"key\": \"value\"}";          // JSON payload delivered to the function as its event

InvokeResponse response = await lambdaClient.InvokeAsync(new InvokeRequest() {
    FunctionName = "LambdaFunctionName",
    InvocationType = InvocationType.RequestResponse,   // wait for the function and return its result
    Payload = data
});
// response.Payload holds the function's return value; response.FunctionError is set if it threw.


3

In our org, we ended up going with an internal-only ALB and we enabled MultiValueQueryStringParameters to pass data into the Lambda function and to execute it. This is the only way I could find to provide an internal-only URL that I could further protect with a security group. I couldn't figure out how to make Lambda URLs internal-only.

1 Comment

API Gateway can be private, and that DNS can be used inside the VPC only
