What is serverless computing? It is a cloud computing model in which the provider runs your code on a managed platform as a service, and you pay as you go. In modern software development, serverless computing takes away most of our operational effort. In cloud computing, AWS is one of the leaders in the domain and offers a serverless computing service called AWS Lambda. Although AWS Lambda can run the program, it has a couple of limitations in terms of network capabilities unless we configure it. In this article, we will address one of the network challenges with AWS Lambda and discuss how to assign a static IP to an AWS Lambda function.
Networking Challenge in AWS Lambda
An AWS Lambda function is a computing platform, but it is not the same as AWS EC2. You cannot get the same IP address every time your function is executed. So accessing firewall-protected resources from the AWS Lambda function is very difficult, because we can reach those resources only by whitelisting the IP address of the AWS Lambda function.
Resolution
To overcome this network challenge, we can configure AWS Lambda so that it uses a static IP address. The static IP of the AWS Lambda function can then be whitelisted in firewall-protected resources. To do this, we are going to create a VPC, two subnets (Public and Private), an Internet Gateway, a NAT Gateway with an Elastic IP, two Route Tables (Public and Private), and finally a Security Group. Let’s go through the process step by step, as shown in the below image.
Procedures:
Now let’s see the steps discussed above in detail.
STEP 1: Create a new VPC or use your existing VPC
As a first step, we are going to create a VPC. To do so, go to AWS Console -> type VPC in the Services -> Click Your VPC from side panel -> Click Create VPC Button -> Give VPC a name (here: Lambda_vpc) -> Give IPv4 CIDR block (Here: 172.16.0.0/16) -> Then Click Create VPC button at the bottom.
Once the VPC is created, we can see an entry like the one shown in the below picture.
NOTE: You can also use your existing VPC.
STEP 2: Create Two Subnets: Public and Private
Now go to AWS Console -> type VPC in the Services -> then click Subnet from the Left panel -> Then click Create Subnet button at the top right -> Then, select the VPC created above -> then, in the revealed section, name the subnet (here: lambda_public) -> then select the Availability Zone -> enter IPv4 CIDR block (here: 172.16.1.0/24) -> Then Press Create Subnet at the bottom of the page. This is going to be our Public Subnet.
Repeat the above process and give a different subnet name (lambda_private) and different IPv4 CIDR block (172.16.2.0/24). This is going to be our Private subnet.
Once both are created, you will find two entries in the subnets list, as shown in the below picture.
STEP 3: Create an Internet Gateway
Now, go to AWS Console -> type VPC in the service -> then click Internet Gateway from the left panel -> then click Create Internet Gateway Button -> Name the Internet Gateway (lambda_internet_gateway) -> Click Create Internet Gateway Button -> In the Next page, click Action drop-down Button -> Then select Attach to VPC -> In the next page, select the VPC created above -> Then, Click Attach Internet Gateway button at the bottom.
The created Internet Gateway entry will look like the below image.
STEP 4: Create a NAT Gateway
Go to AWS Console -> type VPC in the service -> then click NAT Gateway from the left panel -> then click Create NAT Gateway Button -> Name the NAT Gateway (lambda_nat_gateway) -> Select the Public Subnet (lambda_public) we created earlier -> Select an unused Elastic IP allocation ID, or Click Allot Elastic IP Button and get one assigned -> Click Create NAT Gateway Button.
The created NAT Gateway will look like the below image.
STEP 5: Create Two Route Tables: Public and Private
Go to AWS Console -> type VPC in the service -> then click Route Table from the left panel -> then click Create Route Table Button -> Name the Route Table (lambda_public) -> Select the VPC created in STEP 1 -> Then Click Create Route Table Button.
Now, create another Route Table by following the Above step and name it (here: lambda_private) and select the VPC Created at STEP 1.
This will create two entries in the Route Table list, as shown in the below image.
Now Select Public Route Table (lambda_private) Created above and that will reveal the summary section at the bottom of the page. From the summary Section Select Routes Tab -> Click Edit Routes Button -> In the Next page, Click Add route button -> Add destination address as IPv4 Block of Private Subnet created above (172.16.2.0/24) -> Then Target as Local -> Click Add route button again -> Add destination as (0.0.0.0/0) -> Then Select the NAT Gateway created above as Target -> Then click Save Route Button. This will look like the below image.
So, Now select Private Route Table (lambda_public) and repeat the above step with two routes. One is with destination address as IPv4 Block of Public Subnet created above (172.16.1.0/24) and another is with the destination as (0.0.0.0/0) and target as Internet Gateway created above (igw-2f64924cb412b53f1). This will look like the below image.
STEP 6: Create Security Group
Now, we will create a Security Group. To do so, go to AWS Console -> Select EC2 Service -> Click Security Group from the Left panel -> Click Create Security Group -> Name the Security Group (here: lambda_security_group) -> Select the VPC Created Above -> Leave the Inbound rules empty -> Open Outbound rules for All Traffic, All Protocol, All Ports, and destination as Anywhere -> Then click create button. The created Security Group will look like the image below.
STEP 7: Assign the Configured settings to AWS Lambda Function
Finally, assign the configured settings to the AWS Lambda Function. To do so, select the AWS Lambda function you want to be whitelisted. From the Configuration Tab, Scroll down to the VPC Section -> Press Edit Button -> In the next page, select the VPC we created in STEP 1 -> Select the Private Subnet we created above (lambda_private) -> Select the Security Group (lambda_security_group) we created in the above step -> Then press the Save button. This will take a while to update, and it will look like the below image.
Since the Private Subnet is connected to the NAT Gateway, and the NAT Gateway is connected to the Elastic IP, all requests from the AWS Lambda Function to the firewall-protected resource will use the Elastic IP. So, we can whitelist the Elastic IP (which is a static IP) in the firewall-protected resource. This is how we can assign a static IP to the AWS Lambda Function.
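A way to confirm the result of STEP 1 to STEP 7 before whitelisting the Elastic IP, as an added example (not the article author's code): it walks route tables and NAT gateways shaped like the EC2 describe_route_tables and describe_nat_gateways responses and reports which public IP the Lambda subnets leave from. All IDs and the 203.0.113.10 address are constructed placeholders; a subnet with no explicit route-table association falls back to the VPC main route table, which is one of the cases the check flags.

```python
# Added example: offline check of the routing built in STEP 1 to STEP 7.
# Inputs mirror the "RouteTables" / "NatGateways" lists of the EC2
# describe_route_tables / describe_nat_gateways responses; all IDs are constructed.

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route(rt):
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r
    return None

def egress_ips(lambda_subnets, route_tables, nat_gateways):
    """Return (public IPs the subnets egress from, list of problems)."""
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    ips, problems = set(), []
    for sn in lambda_subnets:
        route = default_route(route_table_for(sn, route_tables))
        nat = nats.get((route or {}).get("NatGatewayId"))
        if nat is None:
            problems.append(f"{sn}: default route does not target a NAT gateway")
            continue
        # The NAT gateway's own subnet must route 0.0.0.0/0 to an internet gateway.
        up = default_route(route_table_for(nat["SubnetId"], route_tables))
        if not (up or {}).get("GatewayId", "").startswith("igw-"):
            problems.append(f"{sn}: NAT subnet {nat['SubnetId']} has no IGW route")
            continue
        ips.update(a["PublicIp"] for a in nat["NatGatewayAddresses"])
    return ips, problems

LOCAL = {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [  # constructed; subnet-public/private stand for lambda_public/private
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public",
                 "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]
print(egress_ips(["subnet-private"], ROUTE_TABLES, NAT_GATEWAYS))
```

With live data, the two lists come from the boto3 EC2 client's describe_route_tables()["RouteTables"] and describe_nat_gateways()["NatGateways"], and the subnet IDs from the function's VpcConfig. An empty problem list with exactly one IP means that address is the one to whitelist.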
Conclusion
In this article, we have discussed how to assign a static IP to the AWS Lambda Function. This is not the only way of exposing an AWS Lambda Function to the public internet under a VPC. AWS API Gateway and S3 static page monitoring are a few examples of exposing AWS Lambda to the public internet. We will discuss these in an upcoming article. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and App Development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.
Very useful, it helped me a lot, thanks!
It is only missing one extra step in Step 5:
The configuration in Subnet Associations tab for both routes which redirects all traffic of the subnets to the gateways.
Without these my Lambda was not able to access the internet.
I have found those in this other article: https://blog.theodo.com/2020/01/internet-access-to-lambda-in-vpc/
Great article, what is a good way to test / confirm the outbound IP address is the same? Would you hit a server you’re running and log the IP?
You could test with an external service. That’s what I did.
This article was very helpful. I thought I would never figure out how to give my lambda function a static IP address. I believe there is an error, however, in your instructions in Step 5:
I believe the text “Now Select Public Route Table (lambda_private) Created above” should be “Now Select Private Route Table (lambda_private) Created above”.
And the text “So, Now select Private Route Table (lambda_public) and repeat the above step with two routes.” should be “So, Now select Public Route Table (lambda_public) and repeat the above step with two routes.”