By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

HTTP API private integration with vpc lambda functions

0

Hi team,

I have a private-only VPC, that contains a lambda function, this lambda function is fronted by an HTTP API GW

I saw in the documentation that HTTP API gw integrates only with ALB/NLB and cloud map via VPC link to access private resources in a VPC (no lambda integration),

Is there a way that HTTP API can access privately my lambda function running inside my vpc without using vpc link( since vpc link cannot integrate with lambda)?

as HTTP API doesn't support private endpoints like the rest API, and also doesn't support resource policy, is there any other way to restrict access to it from partner VPC?

Thank you for your help!

Topics
Networking & Content DeliveryServerlessComputeFront-End Web & MobileMicroservices
Tags
Amazon VPCAWS LambdaAmazon API GatewayNetworking & Content DeliveryMicroservices
Language
English
JessDL
asked 8 months ago508 views
2 Answers
0

Lambda functions, regardless if attached to your VPC or not, are actually running on the Lambda service VPC. The ONLY way to invoke them, is using the Lambda service Public Invoke API. This means that if you need to integrate API Gateway with a Lambda function, regardless if in the VPC or not, you need to use the Lambda integration option.

To restrict access to an HTTP API, you need to use an authorization method that the partenr doesn't have. In your example, I am guessing that the clients calling the API are actually server components, you can use an IAM authorizer. The partner should not have a role that allows them to invoke the API.

profile pictureAWS
EXPERT
Uri
answered 8 months ago
  • JessDL
    8 months ago

    Thank you for your answer! Sorry i did not fully understand this "You need to use an authorization method that the partner doesn't have", "The partner should not have a role that allows them to invoke the API"

    I'm exposing a rest service via HTTP API GW backed by lambda to generate a pre-signed URL , this rest service is consumed by a third party( salesforce)

    (I'm thinking to use HTTP API gw not REST API GW) and I don't have the right to add any IAM user on the AWS account

  • Uri EXPERT
    8 months ago

    I understand. In that case, you will need to use some other authorizer. It can be a JWT authorizer, or maybe a Lambda authorizer, that will check some secret value. Of course, if there is private network connectivity between Salesforce and your VPC, you can use a Private REST API instead.

0

Is there a way that HTTP API can access privately my Lambda function running inside my VPC without using VPC link (since VPC link cannot integrate with lambda)?

Please note that you can configure an Application Load Balancer as a function trigger, grant Elastic Load Balancing permission to run the function, create a target group that routes requests to the function, and add a rule to the load balancer that sends requests to the target group [1], and then create a private integration that connects to a load balancer by using a VPC link.

To create a target group and register the Lambda function using the new console, follow steps below [2]:

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
  2. On the navigation pane, under LOAD BALANCING, choose Target Groups.
  3. Choose Create target group.
  4. For Choose a target type, select Lambda function.
  5. For Target group name, type a name for the target group.
  6. (Optional) To enable health checks, choose Enable in the Health checks section.
  7. (Optional) Add one or more tags
  8. Choose Next.
  9. Specify a single Lambda function or omit this step and specify a Lambda function later.
  10. Choose Create target group.

Alternatively, you create a target group and register the Lambda function using the AWS CLI:

Use the create-target-group and register-targets commands.

Then you can use the following command to create a private integration that connects to a load balancer by using a VPC link:

aws apigatewayv2 create-integration --api-id api-id --integration-type HTTP_PROXY \
    --integration-method GET --connection-type VPC_LINK \
    --connection-id VPC-link-ID \
    --integration-uri <LOAD_BALANCER_ARN_URI>
    --payload-format-version 1.0

To grant Elastic Load Balancing permission to run the function you can use the add-permission command below to add a permission statement to your function's resource-based policy.

aws lambda add-permission --function-name alb-function \
--statement-id load-balancer --action "lambda:InvokeFunction" \
--principal elasticloadbalancing.amazonaws.com \

As HTTP API doesn't support private endpoints like the REST API, and also doesn't support resource policy, is there any other way to restrict access to it from partner VPC?

Since HTTP API does not not have support for private endpoints and resource policies, you can use mTLS(Mutual TLS authentication) to protect your HTTP API. mTLS requires two-way authentication between the client and the server.

References:

  1. https://docs.aws.amazon.com/lambda/latest/dg/services-alb.html
  2. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#register-lambda-function
  3. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
Thomas_M
answered 8 months ago
  • JessDL
    8 months ago

    Thank you for your answer,

    I use ELB that routes requests to the function even though I have only one lambda function behind?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content