2
votes

An AWS Lambda can be network-attached to multiple subnets of a VPC. For each attached subnet (and security group) the Lambda will have (at least) one ENI.

When a Lambda, which has more than one subnet/ENI attachment, initiates traffic to a destination in the same VPC, what rules determine which subnet/ENI is chosen for the initiated traffic?

AWS could perhaps choose a subnet randomly from the attached subnets/ENIs. If so, it would work fine because the "local" default route for a VPC doesn't care about the originating subnet. But is it random?

Recently AWS has overhauled Lambda subnet/ENI attachments to become more efficient, so that a minimum of ENIs are created and re-used, rather than a new ENI per Lambda execution. But this doesn't change the question. Fundamentally any Lambda that is attached to multiple subnets will require that (one ENI in) one of the attached subnets is chosen for intra-VPC traffic generated by the Lambda.

What are the rules for how that subnet is chosen?

1
All of the subnets to which a Lambda function is attached should be configured identically (except for the AZ) so it isn't clear to me why the ENI selection for any given invocation would be of interest to you, not to mention the fact that multiple concurrent Lambda invocations often shared the same ENI even under the old network model -- this is definitely true when they are configured with a 1.5 GB memory allocation or less, and may be true in cases when the memory allocation is more, particularly with the recent enhancement. Can you elaborate on why you need to know? - Michael - sqlbot

1 Answer

0
votes

Presumably the sensible option for AWS is to choose the ENI that is within the same subnet as the destination endpoint that the function will interact with. This will avoid the overhead of routing no matter how minimal that overhead will be. If the Lambda function is not attached to the same subnet as the destination endpoint, then the subnet selection is likely random or some undocumented method. I imagine running a few experiments will give you the answer.
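
One way to run the experiment suggested above, as an added example that is not part of the original question or answer: tally VPC Flow Log records (default format) captured on the destination interfaces by the subnet of the function ENI that sourced each flow. The subnet names, CIDRs, ENI addresses and log records are constructed sample values, and the counts say nothing about how AWS actually selects an ENI.

```python
import ipaddress
from collections import Counter

# Assumed subnets the function is attached to (constructed CIDRs).
SUBNETS = {
    "subnet-a": ipaddress.ip_network("10.0.1.0/24"),
    "subnet-b": ipaddress.ip_network("10.0.2.0/24"),
}
# Assumed private IPs of the function's ENIs, one per attached subnet.
LAMBDA_ENI_IPS = {"10.0.1.37", "10.0.2.41"}

# Constructed records in the default flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# Use records from the destination interfaces only, so each flow counts once.
SAMPLE = """\
2 123456789012 eni-0dst1 10.0.1.37 10.0.1.50 49152 5432 6 10 840 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0dst1 10.0.2.41 10.0.1.50 49153 5432 6 12 900 1600000060 1600000120 ACCEPT OK
2 123456789012 eni-0dst1 10.0.1.37 10.0.1.50 49154 5432 6 9 700 1600000120 1600000180 ACCEPT OK
2 123456789012 eni-0dst1 10.0.1.50 10.0.1.37 5432 49152 6 8 600 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0dst1 - - - - - - - 1600000180 1600000240 - NODATA
2 123456789012 eni-0dst2 10.0.2.41 10.0.2.60 49155 6379 6 5 400 1600000000 1600000060 ACCEPT OK
"""

def subnet_of(ip):
    """Return the name of the attached subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), None)

def tally(records, dest_port):
    """Count flows from the function's ENIs per (source subnet, destination subnet)."""
    counts = Counter()
    for line in records.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":  # skip NODATA / SKIPDATA / malformed
            continue
        src, dst, dport = f[3], f[4], f[6]
        # Keep only traffic sent by the function to the service port; this also
        # drops the reply direction, where the service port is the source port.
        if src in LAMBDA_ENI_IPS and dport == str(dest_port):
            counts[(subnet_of(src), subnet_of(dst))] += 1
    return counts

if __name__ == "__main__":
    for (src_net, dst_net), n in sorted(tally(SAMPLE, 5432).items()):
        print(f"{src_net} -> {dst_net}: {n} flow(s)")
```

A destination outside the attached subnets shows up with `None` as its subnet, which keeps cross-subnet cases visible in the tally.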