You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your AWS account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources while the function is running.
When you connect a function to a VPC, Lambda assigns your function to a Hyperplane ENI (elastic network interface) for each subnet in your function's VPC configuration. Lambda creates a Hyperplane ENI the first time a unique subnet and security group combination is defined for a VPC-enabled function in an account.
While Lambda creates a Hyperplane ENI, you can't perform additional operations that target the function, such as creating versions or updating the function's code. For new functions, you can't invoke the function until its state changes from Pending to Active. For existing functions, you can still invoke an earlier version while the update is in progress. For details about the Hyperplane ENI lifecycle, see Lambda Hyperplane ENIs.
Lambda functions can't connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.
Topics
- Managing VPC connections
- Execution role and user permissions
- Configuring VPC access (console)
- Configuring VPC access (API)
- Using IAM condition keys for VPC settings
- Internet and service access for VPC-connected functions
- VPC tutorials
- Sample VPC configurations
This section provides a summary of Lambda VPC connections. For details about VPC networking in Lambda, see VPC networking for Lambda.
Multiple functions can share a network interface, if the functions share the same subnet and security group. Connecting additional functions to the same VPC configuration (subnet and security group) that has an existing Lambda-managed network interface is much quicker than creating a new network interface.
If your functions aren't active for a long period of time, Lambda reclaims its network interfaces, and the functions become Idle. To reactivate an idle function, invoke it. This invocation fails, and the function enters a Pending state again until a network interface is available.
If you update your function to access a different VPC, Lambda terminates connectivity from the Hyperplane ENI to the previous VPC. The process to update the connectivity to a new VPC can take several minutes. During this time, Lambda connects function invocations to the previous VPC. After the update is complete, new invocations start using the new VPC and the Lambda function is no longer connected to the older VPC.
For short-lived operations, such as DynamoDB queries, the latency overhead of setting up a TCP connection might be greater than the operation itself. To ensure connection reuse for short-lived/infrequently invoked functions, we recommend that you use TCP keep-alive for connections that were created during your function initialization, to avoid creating new connections for subsequent invokes. For more information on reusing connections using keep-alive, refer to Lambda documentation on reusing connections.
Lambda uses your function's permissions to create and manage network interfaces. To connect to a VPC, your function's execution role must have the following permissions:
Execution role permissions
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.
When you configure VPC connectivity, Lambda uses your permissions to verify network resources. To configure a function to connect to a VPC, your AWS Identity and Access Management (IAM) user needs the following permissions:
User permissions
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeVpcs
If your IAM permissions allow you only to create Lambda functions that connect to your VPC, you must configure the VPC when you create the function. If your IAM permissions allow you to create functions that aren't connected to your VPC, you can add the VPC configuration after you create the function.
To configure a VPC when you create a function
1. Open the Functions page of the Lambda console.
2. Choose Create function.
3. Under Basic information, for Function name, enter a name for your function.
4. Expand Advanced settings.
5. Under Network, choose a VPC for your function to access.
6. Choose subnets and security groups. When you choose a security group, the console displays the inbound and outbound rules for that security group.
Note
To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.
7. Choose Create function.
To configure a VPC for an existing function
1. Open the Functions page of the Lambda console.
2. Choose a function.
3. Choose Configuration and then choose VPC.
4. Under VPC, choose Edit.
5. Choose a VPC, subnets, and security groups.
Note
To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.
6. Choose Save.
To connect a Lambda function to a VPC, you can use the following API operations:
- CreateFunction
- UpdateFunctionConfiguration
To create a function and connect it to a VPC using the AWS Command Line Interface (AWS CLI), you can use the create-function command with the vpc-config option. The following example creates a function with a connection to a VPC with two subnets and one security group.
aws lambda create-function --function-name my-function \
--runtime nodejs12.x --handler index.js --zip-file fileb://function.zip \
--role arn:aws:iam::123456789012:role/lambda-role \
--vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb
To connect an existing function to a VPC, use the update-function-configuration command with the vpc-config option.
aws lambda update-function-configuration --function-name my-function \
--vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb
To disconnect your function from a VPC, update the function configuration with an empty list of subnets and security groups.
aws lambda update-function-configuration --function-name my-function \
--vpc-config SubnetIds=[],SecurityGroupIds=[]
You can use Lambda-specific condition keys for VPC settings to provide additional permission controls for your Lambda functions. For example, you can require that all functions in your organization are connected to a VPC. You can also specify the subnets and security groups that the function's users can and can't use.
Lambda supports the following condition keys in IAM policies:
- lambda:VpcIds – Allow or deny one or more VPCs.
- lambda:SubnetIds – Allow or deny one or more subnets.
- lambda:SecurityGroupIds – Allow or deny one or more security groups.
The Lambda API operations CreateFunction and UpdateFunctionConfiguration support these condition keys. For more information about using condition keys in IAM policies, see IAM JSON Policy Elements: Condition in the IAM User Guide.
Tip
If your function already includes a VPC configuration from a previous API request, you can send an UpdateFunctionConfiguration request without the VPC configuration.
The following examples demonstrate how to use condition keys for VPC settings. After you create a policy statement with the desired restrictions, append the policy statement for the target IAM user or role.
To ensure that all users deploy only VPC-connected functions, you can deny function create and update operations that don't include a valid VPC ID.
Note that VPC ID is not an input parameter to the CreateFunction or UpdateFunctionConfiguration request. Lambda retrieves the VPC ID value based on the subnet and security group parameters.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceVPCFunction",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Null": {
"lambda:VpcIds": "true"
}
}
}
]
}
To deny users access to specific VPCs, use StringEquals to check the value of the lambda:VpcIds condition. The following example denies users access to vpc-1 and vpc-2.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceOutOfVPC",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"lambda:VpcIds": ["vpc-1", "vpc-2"]
}
}
}
To deny users access to specific subnets, use StringEquals to check the value of the lambda:SubnetIds condition. The following example denies users access to subnet-1 and subnet-2.
{
"Sid": "EnforceOutOfSubnet",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"lambda:SubnetIds": ["subnet-1", "subnet-2"]
}
}
}
To deny users access to specific security groups, use StringEquals to check the value of the lambda:SecurityGroupIds condition. The following example denies users access to sg-1 and sg-2.
{
"Sid": "EnforceOutOfSecurityGroups",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"lambda:SecurityGroupIds": ["sg-1", "sg-2"]
}
}
}
]
}
To allow users to access specific VPCs, use StringEquals to check the value of the lambda:VpcIds condition. The following example allows users to access vpc-1 and vpc-2.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceStayInSpecificVpc",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"lambda:VpcIds": ["vpc-1", "vpc-2"]
}
}
}
To allow users to access specific subnets, use StringEquals to check the value of the lambda:SubnetIds condition. The following example allows users to access subnet-1 and subnet-2.
{
"Sid": "EnforceStayInSpecificSubnets",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"lambda:SubnetIds": ["subnet-1", "subnet-2"]
}
}
}
To allow users to access specific security groups, use StringEquals to check the value of the lambda:SecurityGroupIds condition. The following example allows users to access sg-1 and sg-2.
{
"Sid": "EnforceStayInSpecificSecurityGroup",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"lambda:SecurityGroupIds": ["sg-1", "sg-2"]
}
}
}
]
}
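As an added example (not part of the AWS documentation or any AWS library), the following Python models how IAM evaluates these condition keys against a CreateFunction or UpdateFunctionConfiguration request, using a constructed subnet-to-VPC map and policies copied from the statements above. It shows why the Allow policies use ForAllValues and why they should be paired with the EnforceVPCFunction Null check: ForAllValues is satisfied by an empty subnet list, such as the disconnect request shown earlier.

```python
# Added example (not AWS code): a small model of how IAM evaluates the Lambda
# VPC condition keys against a CreateFunction/UpdateFunctionConfiguration call.
# The subnet-to-VPC mapping and the policy contents are constructed for illustration.

SUBNET_TO_VPC = {"subnet-1": "vpc-1", "subnet-2": "vpc-1", "subnet-3": "vpc-1"}

ENFORCE_VPC = {"Statement": [{"Sid": "EnforceVPCFunction", "Effect": "Deny",
    "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
    "Resource": "*", "Condition": {"Null": {"lambda:VpcIds": "true"}}}]}

STAY_IN_SUBNETS = {"Statement": [{"Sid": "EnforceStayInSpecificSubnets", "Effect": "Allow",
    "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
    "Resource": "*", "Condition": {"ForAllValues:StringEquals":
        {"lambda:SubnetIds": ["subnet-1", "subnet-2"]}}}]}

def request_context(subnet_ids, sg_ids):
    """Context keys Lambda derives from the request. VpcIds is not a request
    parameter: it is looked up from the subnets (here via SUBNET_TO_VPC)."""
    return {"lambda:VpcIds": sorted({SUBNET_TO_VPC[s] for s in subnet_ids}),
            "lambda:SubnetIds": list(subnet_ids),
            "lambda:SecurityGroupIds": list(sg_ids)}

def condition_matches(condition, ctx):
    """All operator blocks must match. Models only the operators the page uses."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key, [])
            wanted = expected if isinstance(expected, list) else [expected]
            if op == "Null":          # "true" matches when the key is absent/empty
                ok = (len(actual) == 0) == (wanted[0] == "true")
            elif op == "ForAnyValue:StringEquals":
                ok = any(v in wanted for v in actual)
            elif op == "ForAllValues:StringEquals":
                ok = all(v in wanted for v in actual)   # vacuously true if empty
            elif op == "StringEquals":  # single-valued match; VpcIds holds one VPC
                ok = len(actual) == 1 and actual[0] in wanted
            else:
                raise ValueError(f"unsupported operator: {op}")
            if not ok:
                return False
    return True

def evaluate(policies, action, ctx):
    """IAM logic: an explicit Deny wins, then an Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if action in stmt["Action"] and condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

With both policies attached, a request that mixes an approved subnet with subnet-3 falls through to an implicit deny, and a request with no subnets at all is explicitly denied; with only the Allow policy, that empty request would pass.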
By default, Lambda runs your functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn't connected to your account's default VPC. When you connect a function to a VPC in your account, the function can't access the internet unless your VPC provides access.
Note
Several AWS services offer VPC endpoints. You can use VPC endpoints to connect to AWS services from within a VPC without internet access.
Internet access from a private subnet requires network address translation (NAT). To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet. The NAT gateway has a public IP address and can connect to the internet through the VPC's internet gateway. An idle NAT gateway connection will time out after 350 seconds. For more information, see How do I give internet access to my Lambda function in a VPC?
In the following tutorials, you connect a Lambda function to resources in your VPC.
- Tutorial: Configuring a Lambda function to access Amazon RDS in an Amazon VPC
- Tutorial: Configuring a Lambda function to access Amazon ElastiCache in an Amazon VPC
You can use the following sample AWS CloudFormation templates to create VPC configurations to use with Lambda functions. There are two templates available in this guide's GitHub repository:
- vpc-private.yaml – A VPC with two private subnets and VPC endpoints for Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Use this template to create a VPC for functions that don't need internet access. This configuration supports use of Amazon S3 and DynamoDB with the AWS SDKs, and access to database resources in the same VPC over a local network connection.
- vpc-privatepublic.yaml – A VPC with two private subnets, VPC endpoints, a public subnet with a NAT gateway, and an internet gateway. Internet-bound traffic from functions in the private subnets is routed to the NAT gateway using a route table.
To create a VPC using a template, on the AWS CloudFormation console Stacks page, choose Create stack, and then follow the instructions in the Create stack wizard.