I am working on a project where my main lambda function is in a VPC in a private subnet and some sister lambda functions are in a different VPC, in their own private subnets. How can I go about calling these sister lambdas from the main lambda across VPCs without giving internet access to each of them via a NAT gateway linking to a public subnet which has an internet gateway attached to it? Other AWS services that my main lambda invokes are:

  1. S3
  2. DynamoDB
  3. Autoscaling
  4. ECS
  5. RDS

1 Answer

This can be done, but there are some complex steps involved.

First of all, when you use aws-sdk, the calls are made through the internet. To avoid this situation and access the services within the AWS network, AWS has introduced private VPC endpoints. I have only used S3 and API Gateway private endpoints to date, but there are more types of VPC endpoints.

This is how I would do it today:

  1. Set up a private API Gateway API to invoke the lambda. Private APIs are only accessible through a private VPC endpoint for API Gateway.
  2. Create a private VPC endpoint for API Gateway.
  3. Set up VPC peering between the VPCs.
  4. (From the sister lambda on the other VPC) invoke the API through the VPC endpoint's public DNS URL.

The drawback of adding an API in front of the lambda is, the API has a hard timeout of 29 seconds.

Hope this helps.
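The four steps above as one CloudFormation template, added here as an illustration and not part of the original answer. The parameter names, the `prod` stage name and the security group are assumptions; the API method, Lambda integration and stage resources are left out so the template focuses on the private-access wiring.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Private API Gateway in front of the main lambda, reachable only via a VPC endpoint (added example)
Parameters:
  MainVpcId:     { Type: AWS::EC2::VPC::Id }             # VPC of the main lambda (assumed)
  MainSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }    # its private subnets (assumed)
  EndpointSgId:  { Type: AWS::EC2::SecurityGroup::Id }   # must allow TCP 443 from the sister VPC CIDR
  SisterVpcId:   { Type: AWS::EC2::VPC::Id }             # VPC of the sister lambdas (assumed)
Resources:
  # Step 2: interface endpoint for execute-api inside the main VPC
  ExecuteApiEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref MainVpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.execute-api
      VpcEndpointType: Interface
      SubnetIds: !Ref MainSubnetIds
      SecurityGroupIds: [!Ref EndpointSgId]
      PrivateDnsEnabled: false   # callers use the endpoint-specific hostname (see Outputs)
  # Step 1: private REST API whose resource policy only admits requests arriving via that endpoint
  PrivateApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: main-lambda-private-api
      EndpointConfiguration:
        Types: [PRIVATE]
      Policy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: execute-api:Invoke
            Resource: execute-api:/*
            Condition:
              StringEquals:
                aws:SourceVpce: !Ref ExecuteApiEndpoint   # any other path is denied
  # Step 3: peer the sister VPC with the main VPC; routes for each CIDR still
  # have to be added to both VPCs' route tables
  Peering:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref SisterVpcId
      PeerVpcId: !Ref MainVpcId
Outputs:
  # Step 4: URL the sister lambdas call. The hostname resolves to the endpoint's
  # private IPs, so no NAT gateway or internet gateway is on the path.
  InvokeUrl:
    Value: !Sub https://${PrivateApi}-${ExecuteApiEndpoint}.execute-api.${AWS::Region}.amazonaws.com/prod
```

The sister lambdas still need an execution role allowed to call `execute-api:Invoke` if the API uses IAM authorization, and the 29-second integration timeout mentioned above applies to every call through this URL.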