A customer has Lambda functions connected to a VPC, which has connectivity (via either DirectConnect or VPN) back to his on-prem resources.
He is using the Lambda functions to make an API call back to his on-prem resources, but has been advised by his Security Team that the allowlisting firewall rules on the target side (on-prem) should not be too broad. As such, ideally he will want to allowlist just a single PRIVATE IP.
Typically, if the Lambda functions are connected to the private subnet in a VPC and make use of a NAT gateway to traverse the public internet, they can just allowlist the NAT gateway public IP.
However, in his case, since his API calls from Lambda will make use of DirectConnect/VPN back to his on-prem resources, what other advice can we provide him that will satisfy his Security Team?
AFAIK, since the ENIs associated with the Lambda functions in a VPC are not static and the Lambda functions can use any IP within the subnet range, do we have any other options apart from using the smallest /28 private subnet for his Lambda functions and allowlisting that range?
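As an added illustration of the /28 approach raised in the question (not part of the original post), the script below audits whether every Lambda ENI in the VPC actually sits inside the CIDR the on-prem firewall allowlists, and shows how few addresses a /28 leaves once AWS's five reserved addresses are subtracted. The ENI records are constructed inline and only mimic the shape of EC2 DescribeNetworkInterfaces output (field names such as InterfaceType are assumed); in practice you would feed it the real API response.

```python
import ipaddress

# Constructed sample records shaped like EC2 DescribeNetworkInterfaces output
# (assumed field names; the real response carries many more fields).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "InterfaceType": "lambda",
     "SubnetId": "subnet-lambda", "PrivateIpAddress": "10.0.1.20"},
    {"NetworkInterfaceId": "eni-0bbb", "InterfaceType": "lambda",
     "SubnetId": "subnet-lambda", "PrivateIpAddress": "10.0.1.27"},
    # A Lambda ENI placed in a broader subnet: the on-prem allowlist would not cover it.
    {"NetworkInterfaceId": "eni-0ccc", "InterfaceType": "lambda",
     "SubnetId": "subnet-app", "PrivateIpAddress": "10.0.2.14"},
    # A non-Lambda ENI, ignored by the audit.
    {"NetworkInterfaceId": "eni-0ddd", "InterfaceType": "interface",
     "SubnetId": "subnet-app", "PrivateIpAddress": "10.0.2.99"},
]


def usable_addresses(cidr: str) -> int:
    """Addresses a Lambda ENI could actually take in this subnet.

    AWS reserves the first four and the last address of every VPC subnet,
    so a /28 (16 addresses) leaves 11 for ENIs.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - 5, 0)


def lambda_enis_outside(enis, allowed_cidrs):
    """Return IDs of Lambda ENIs whose private IP is not in any allowlisted CIDR."""
    nets = [ipaddress.ip_network(c, strict=True) for c in allowed_cidrs]
    offenders = []
    for eni in enis:
        if eni.get("InterfaceType") != "lambda":
            continue
        ip = ipaddress.ip_address(eni["PrivateIpAddress"])
        if not any(ip in n for n in nets):
            offenders.append(eni["NetworkInterfaceId"])
    return offenders


if __name__ == "__main__":
    # The dedicated /28 that the on-prem firewall allowlists (constructed value).
    allow = ["10.0.1.16/28"]
    print("usable addresses in", allow[0], "=", usable_addresses(allow[0]))
    print("Lambda ENIs outside the allowlist:", lambda_enis_outside(SAMPLE_ENIS, allow))
```

Any ENI the audit reports means a function was attached to a subnet other than the dedicated /28, so its calls would be dropped by the on-prem firewall rather than silently allowed.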