Is there a way to assign a Static IP to a AWS Lambda without VPC?

I am looking to assign a static IP to my Lambda, which is being invoked via the API Gateway. This is required because the downstream system that I invoke from this Lambda accepts web requests only from a whitelisted IP.

I am successful in achieving this via the VPC that I associate with my Lambda. But the VPC introduces a bad cold-start time, which sometimes ranges from 12-16 seconds. So I am looking for a way to prevent this cold start from the VPC, but at the same time assign a static IP to the Lambda.

Delius answered 19/6, 2019 at 21:40 Comment(2)
Cold start times in VPC should now be significantly reduced per aws.amazon.com/blogs/compute/… – Regretful
It's really unfortunate that a VPC is required because it requires the addition of a NAT for outbound internet access and NATs are absurdly expensive for very low volume applications, such as testing environments. – Sophiesophism
7

I agree with the answer by John for the static IP whitelisting part. However, it won't resolve your cold start problem because a Lambda, if idle, actually takes a small time to start. So I would recommend you also create a CloudWatch event to hit the Lambda periodically to resolve this, or write some simple code (either in Lambda or somewhere else) which sends an empty request periodically so that the cold start problem is resolved. You can view the improvement in X-Ray. This is an overhead but a one-time process.

Oddson answered 20/6, 2019 at 6:39 Comment(3)
Thanks. I was pretty sure that VPC would help me assign a static IP. But it would not ease the cold start time a bit. So I did not want to go the route of VPC, as I said in my question. A periodic request to the Lambda is what I am going to try. – Delius
You may want to accept the answer if it works for you :-) – Oddson
AWS has done a lot of work to improve cold start times, including provisioned concurrency, since this answer was written. – Regretful
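The periodic "empty request" this answer suggests, written as a CloudFormation template with an EventBridge (CloudWatch Events) schedule rule. This is an added example and not code from the thread or from any poster; the execution role ARN is a parameter assumed to point at an existing role, and the function body is a stand-in for the real handler. The point worth copying is the marker payload: the handler recognises the warm-up event and returns before it touches the downstream system, and the invoke permission is scoped to this one rule's ARN rather than to the whole events service.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Scheduled keep-warm invocations for a Lambda function (added example)
Parameters:
  ExecutionRoleArn:
    Type: String  # assumed: ARN of an existing Lambda execution role
Resources:
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !Ref ExecutionRoleArn
      Code:
        ZipFile: |
          import json

          def handler(event, context):
              # Warm-up pings carry a marker and are answered immediately,
              # so they never reach the downstream system or real logic.
              if isinstance(event, dict) and event.get("warmer") is True:
                  return {"warmed": True}
              # Real request handling (API Gateway proxy event) would follow here.
              return {"statusCode": 200, "body": json.dumps({"ok": True})}
  KeepWarmRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Ping the function every 5 minutes so one instance stays resident
      ScheduleExpression: rate(5 minutes)
      State: ENABLED
      Targets:
        - Id: KeepWarm
          Arn: !GetAtt Function.Arn
          Input: '{"warmer": true}'
  # Only this rule, identified by ARN, may invoke the function via this permission
  KeepWarmPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref Function
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt KeepWarmRule.Arn
```

One scheduled ping keeps at most one execution environment resident, so concurrent requests that exceed that one instance still pay the cold start; as the comment above notes, provisioned concurrency is the supported way to keep a fixed number of instances warm, at extra cost.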
34

You will need to:

  • Create a VPC with an Internet Gateway, a public subnet and a private subnet
  • Attach the AWS Lambda function to the private subnet
  • Launch a NAT Gateway in the public subnet and update the Route Table of the private subnet to use the NAT Gateway

The NAT Gateway will use an Elastic IP address (which is a static IP address). All traffic from the Lambda function to the Internet will come from this IP address, which can be used in the whitelist.

You might think that this is a bit of overkill for simply attaching a static IP address, but multiple Lambda functions can run in parallel and they could run in multiple Availability Zones. Sending all traffic through the NAT Gateway is the only way to ensure they all have the same IP address. (Or, to be more specific, one IP address per AZ in which the NAT Gateway is launched.)

Roquefort answered 20/6, 2019 at 5:9 Comment(6)
How about the scenario where lambda calls on prem servers through DX? Does this step by step apply to this alternative scenario as well? Or should the whitelist be the subnet CIDR range? – Chiang
@jbooker The above would not work for a Direct Connect connection, since the traffic won't go through the NAT Gateway (assuming that it is configured so that the private subnets connect to DX). I like your idea of whitelisting the CIDRs of the subnet(s) that Lambda uses. – Roquefort
Thank you John! You are amazing! I keep seeing your answers all over the posts I’m after recently, you are on top of it!! I swear! Quality answers and comments from you, always – Chiang
Once we have this setup, will it be possible to invoke our Lambda in the private subnet from another Lambda outside of this VPC? If so, we can use this single Lambda as a way to route our requests such that they get a static IP w/o putting all our logic in that Lambda/VPC. – Mcgregor
@Mcgregor Yes, that would work. You can invoke the Lambda function from anywhere on the Internet. – Roquefort
Perfect, thanks so much for the quick response! – Mcgregor
12

You can't assign a public/static IP to any Lambda function.

Your only good option is to deploy into a VPC with an Internet Gateway and configure routing from the Lambda's subnet through a NAT which has an Elastic IP. Then your target host can whitelist the Elastic IP.

Also see:

Regretful answered 19/6, 2019 at 22:19 Comment(1)
Thanks for including my article! – Venola
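The layout John's answer lists (Internet Gateway, public and private subnet, NAT Gateway with an Elastic IP, private route table pointing at the NAT) and the "NAT which has an Elastic IP" routing this answer describes, written out as one CloudFormation template. This is an added example, not code from the thread or from any poster. The downstream address is a TEST-NET placeholder, the execution role ARN is a parameter assumed to name an existing role that carries the AWSLambdaVPCAccessExecutionRole policy, and the function body is a stand-in; the security group is an addition in the same spirit, restricting the function's egress to HTTPS to the allow-listed host so that the static address is paired with a narrow outbound policy.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Fixed egress IP for a VPC-attached Lambda via a NAT Gateway (added example)
Parameters:
  DownstreamCidr:
    Type: String
    Default: 203.0.113.10/32  # placeholder for the allow-listing downstream host
  ExecutionRoleArn:
    Type: String  # assumed: existing role with AWSLambdaVPCAccessExecutionRole attached
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties: { CidrBlock: 10.0.0.0/16 }
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: { VpcId: !Ref Vpc, InternetGatewayId: !Ref InternetGateway }
  # Public subnet: hosts the NAT Gateway; its default route goes to the Internet Gateway
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref PublicSubnet, RouteTableId: !Ref PublicRouteTable }
  # The Elastic IP is the single source address the downstream system will see
  NatEip:
    Type: AWS::EC2::EIP
    DependsOn: AttachGateway
    Properties: { Domain: vpc }
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnet
  # Private subnet: hosts the function; its default route goes to the NAT Gateway
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref Vpc
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref PrivateSubnet, RouteTableId: !Ref PrivateRouteTable }
  # The allow list fixes which address the downstream accepts; the security group
  # fixes what the function itself may reach (HTTPS to that host only)
  FunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda egress to the allow-listed downstream host only
      VpcId: !Ref Vpc
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: !Ref DownstreamCidr }
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !Ref ExecutionRoleArn
      VpcConfig:
        SubnetIds: [!Ref PrivateSubnet]
        SecurityGroupIds: [!Ref FunctionSecurityGroup]
      Code:
        ZipFile: |
          def handler(event, context):
              # Outbound calls made here leave the VPC through the NAT Gateway,
              # so the downstream system sees NatEip as the source address.
              return {"statusCode": 200}
Outputs:
  EgressIp:
    Description: Put this address on the downstream allow list
    Value: !Ref NatEip
```

The template uses a single Availability Zone to keep it short. For resilience you would add a public and private subnet pair per AZ, each with its own NAT Gateway and Elastic IP, and the downstream allow list then has to carry every one of those addresses, which is the "one IP address per AZ" caveat in John's answer. The `EgressIp` output is the only value the downstream team needs; nothing about the function's own ENIs is stable enough to allow-list.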
0

To eliminate cold starts, you can use a service like https://lambdawarmer.com to keep a desired number of lambda instances always warm.

It basically uses a bunch of servers to periodically and exactly concurrently hit an endpoint on your lambda to keep a certain number of lambdas always warm.

Floris answered 30/6, 2022 at 21:32 Comment(1)
Not recommended for production/spiky workloads. Consider using provisioned concurrency instead; however, there is additional cost associated with this approach. – Pedaiah

© 2022 - 2024 — McMap. All rights reserved.