Lambda VPC Primer

AWS just announced support for Lambda access to VPC-protected resources. This effectively means that your Lambda functions will run inside of a VPC and have access to any private IP and firewall-restricted resources you may be running, such as RDS instances that restrict access by IP. It also means you can effectively manage the IPs your Lambda function will use, which gives you a huge amount of control over your Lambda functions and, when used in conjunction with VPC NATs, lets you provide static IPs for them.

UPDATE: Your VPC Lambda subnets MUST be behind a NAT. At this time it looks like the "Auto Assign Public IP" option, with a route straight to an internet gateway, does not work for Lambda subnets.

Before you begin, it’s important to note that a VPC Lambda function needs some special access to be able to create resources (network interfaces) inside of your VPC. Fortunately, these permissions are all bundled in a single managed policy, so the first step is to create a new role specifically for your VPC function and assign the “AWSLambdaVPCAccessExecutionRole” managed policy to it.

In your AWS Console, go to “Services -> Security & Identity -> IAM”:

In the left menu, choose “Roles”:
Click the “Create New Role” button:

Fill out the Role Name (I prefer to start every Lambda role with “lambda_”), then click continue:

Under the “Select Role Type”, choose “AWS Lambda”:

Now the important part: on the next page under “Attach Policy”, search for “lambda” in the search box, find and check “AWSLambdaVPCAccessExecutionRole”, then hit “Create”:

This policy adds some very important access rights to your Lambda function. It is a superset of “AWSLambdaBasicExecutionRole”, so if you’re upgrading an existing role you can use this policy instead of that one. It gives your Lambda function access to write logs to CloudWatch Logs and to create network resources in your VPC. It’s important to create this role BEFORE you try to create your Lambda function, as you will need to reference it in the very first step of function creation.

On the Lambda console, you will notice a new section when creating a function, which allows you to choose a VPC:

Choose your VPC and new options will show up, allowing you to choose subnets and security groups for your Lambda function.

Note that you don’t need to add any inbound rules to the security group you attach to your Lambda function, but you can use this security group as a source to grant access to other VPC resources that your Lambda function needs to reach. For example, if you have an RDS instance that grants access only to specific security groups, you could make a new security group called “Lambda”, attach it to the function, and add it as an allowed source in your RDS instance’s security group.

Remember, before you go to create your new Lambda VPC function, make sure you set up your role to support Lambda VPC access!
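The role creation, VPC attachment and the NAT requirement from the update above, as an added example that is not code from the original post. The boto3 calls mirror what the console does; the pre-flight check is a pure-Python helper that inspects the same shapes the EC2 and IAM APIs return (`describe_route_tables`, `list_attached_role_policies`) so it runs offline on the constructed sample below. Role, subnet, security-group and gateway IDs are made-up values.

```python
"""Added example (not the original post's code): Lambda VPC role setup via boto3
plus an offline pre-flight check for the two failure modes the post calls out:
a role missing AWSLambdaVPCAccessExecutionRole, and a Lambda subnet whose
default route goes to an internet gateway instead of a NAT.
All IDs below (subnet-0aaa1111, sg-0eee5555, nat-0ccc3333, ...) are constructed."""
import json

# The managed policy the post tells you to attach (real AWS ARN).
VPC_EXECUTION_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
)

# Trust policy letting the Lambda service assume the role; the console's
# "AWS Lambda" role type generates the same document.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def create_lambda_vpc_role(iam, role_name):
    """Create the role BEFORE the function, then attach the VPC policy.
    `iam` is a boto3 IAM client; returns the role ARN to pass to Lambda."""
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(LAMBDA_TRUST_POLICY),
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=VPC_EXECUTION_POLICY_ARN)
    return role["Role"]["Arn"]


def attach_function_to_vpc(lam, function_name, subnet_ids, security_group_ids):
    """Equivalent of the console's VPC section, for an existing function.
    `lam` is a boto3 Lambda client."""
    return lam.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={"SubnetIds": list(subnet_ids),
                   "SecurityGroupIds": list(security_group_ids)},
    )


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route in one describe_route_tables entry
    (NAT gateway, internet gateway or NAT instance), or None if absent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("NatGatewayId") or route.get("GatewayId")
                    or route.get("InstanceId"))
    return None


def preflight_findings(vpc_config, attached_policy_arns, route_tables):
    """Return a list of problems to fix before deploying a VPC Lambda.
    vpc_config: the VpcConfig dict; attached_policy_arns: PolicyArn values
    from iam.list_attached_role_policies; route_tables: describe_route_tables."""
    findings = []
    if VPC_EXECUTION_POLICY_ARN not in attached_policy_arns:
        findings.append("role lacks AWSLambdaVPCAccessExecutionRole "
                        "(function cannot create ENIs in the VPC)")
    if not vpc_config.get("SecurityGroupIds"):
        findings.append("no security group set; other resources cannot "
                        "grant access to the function by group")
    # Subnets without an explicit association fall back to the VPC main table.
    by_subnet, main_table = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_table = rt
            elif "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = rt
    for subnet in vpc_config.get("SubnetIds", []):
        rt = by_subnet.get(subnet, main_table)
        target = default_route_target(rt) if rt else None
        if target is None:
            findings.append(f"{subnet}: no default route; no outbound access")
        elif target.startswith("igw-"):
            findings.append(f"{subnet}: default route via {target}; "
                            "Lambda subnets must sit behind a NAT")
    return findings


# Constructed sample: one private subnet (NAT) and one public subnet (IGW).
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-0aaa1111", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccc3333"}]},
    {"Associations": [{"SubnetId": "subnet-0bbb2222", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ddd4444"}]},
]

if __name__ == "__main__":
    good = {"SubnetIds": ["subnet-0aaa1111"], "SecurityGroupIds": ["sg-0eee5555"]}
    bad = {"SubnetIds": ["subnet-0bbb2222"], "SecurityGroupIds": []}
    print(preflight_findings(good, [VPC_EXECUTION_POLICY_ARN], SAMPLE_ROUTE_TABLES))
    for f in preflight_findings(bad, [], SAMPLE_ROUTE_TABLES):
        print("-", f)
```

Run it as-is to see the offline check against the sample; to use it for real, feed `preflight_findings` the `Routes`/`Associations` from `ec2.describe_route_tables()` for your VPC and the ARNs from `iam.list_attached_role_policies(RoleName=...)`, and only then call `create_lambda_vpc_role` and `attach_function_to_vpc` with real clients.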