0
votes

Is it possible to call a Lambda function that lives within a VPC from another Lambda in another VPC?

I'm trying to do it with an AWS VPC Endpoint, but I can't get it to work: it returns a 403 error. I am following these steps: https://aws.amazon.com/es/blogs/compute/introducing-amazon-api-gateway-private-endpoints/.

And https://cedrus.digital/aws-privatelink-with-api-gateway-and-lambda-functions/

I am not sure if the VPC Endpoint should be created in the VPC where the Lambda will be called or where it will receive the request.

Also, I have set the API Gateway Resource Policy like this:

{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "execute-api:Invoke"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

And I set the VPC endpoint policy to Full access.

2
"It marks error 403." Try to get more context, like a response body accompanying that error, or something from the API Gateway logs for the endpoint you're accessing. - Michael - sqlbot
You linked to some API Gateway documentation, but you didn't mention that you are using API Gateway anywhere. Are you trying to create a private API Gateway which will proxy calls to your Lambda function? The answer to your question is entirely different depending on if you are trying to use API Gateway or not. - Mark B

2 Answers

3
votes

There are a few ways that you can invoke a Lambda from another Lambda.

Lambda invokes other lambda directly

When you invoke a Lambda (caller) from another Lambda (callee) using aws-sdk's invoke function, as mentioned in an answer already, the Lambda (caller) should have internet connectivity, because aws-sdk calls are by default made over the internet.

Therefore either the Lambda should be deployed in a public subnet (not recommended) or you should have a NAT Gateway (or a NAT instance, which is cheaper), so that the Lambda can invoke the other Lambda over the internet.

Lambda invokes the other lambda through Api Gateway

You don't even need to consider this option if the calling lambda has internet connectivity.

You can indeed create a private VPC endpoint for API Gateway at the destination Lambda's end. Then the calling Lambda can make an HTTPS call via the VPC endpoint's DNS URL.

For this to work, your VPC endpoint should be accessible from the other VPC from where you are going to make the http call.

Therefore VPC peering between the VPCs will make it possible. The good news is that VPC endpoints are now accessible through VPC peering.

Hope this helps.

Reference: https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/

3
votes

To invoke an AWS Lambda function via an API call, the calling entity must have access to the Internet. It doesn't matter whether the calling entity is in the same VPC, a different VPC, or even not in a VPC. All that matters is that the request can be sent to the AWS Lambda API endpoint.

If the calling Lambda function is in a VPC, make sure that it has access to the Internet. This typically requires:

  • The Lambda function is in a private subnet
  • There is a NAT Gateway in a public subnet
  • The Route Table for the private subnet directs 0.0.0.0/0 traffic to the NAT Gateway

Alternatively, if the calling Lambda function is not connected to a VPC, then it automatically receives access to the Internet.

It also does not matter to what the "called" Lambda function is connected (VPC or not). The control plane that activates this Lambda function is on the Internet, which is unrelated to where the Lambda function itself is connected.
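An added check for the three conditions listed in this answer (written here as an illustration, not code from the answer): it classifies the route table each Lambda subnet uses, taking the explicit subnet association or else the VPC's main table, from data shaped like EC2 `describe-route-tables` output. The route tables, NAT gateway id and subnet ids below are constructed sample values.

```python
# Added example, not from the answer: audit the route tables of a VPC-connected
# Lambda against the three conditions above. The dict shape mirrors EC2
# describe-route-tables output; ROUTE_TABLES below is constructed sample data.
def classify_route_table(route_table):
    """Classify one route table by its active default (0.0.0.0/0) route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackholed default route (e.g. deleted NAT): no egress
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"       # Lambda ENIs get no public IP: IGW is useless
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"  # the layout the answer describes
    return "isolated"             # no usable default route at all

def subnet_route_table(route_tables, subnet_id):
    """Explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main

def lambda_egress_report(route_tables, lambda_subnet_ids):
    """Map each subnet the function is attached to onto its classification."""
    report = {}
    for subnet_id in lambda_subnet_ids:
        rtb = subnet_route_table(route_tables, subnet_id)
        report[subnet_id] = classify_route_table(rtb) if rtb else "unknown"
    return report

def can_reach_lambda_api(report):
    """True only if every subnet the function may land in routes via a NAT."""
    return bool(report) and all(v == "private-nat" for v in report.values())

# Constructed sample: subnet-lambda-a is wired correctly; subnet-lambda-b has
# no explicit association, so it inherits the main table, which has no default.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-lambda-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc",
                 "State": "active"}]},
]
```

Run `lambda_egress_report(ROUTE_TABLES, [...])` over the function's configured subnet ids; any subnet not reported as `private-nat` is one where an invocation of the Lambda API will hang until timeout rather than fail with a clear error.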