Use case:

  • For users wanting to put their Lambda functions into a dedicated VPC, but still use the IOpipe platform. This is a more secure way to run Lambda functions away from your other AWS resources.

Requirements:

  • A dedicated VPC set up for your Lambda functions.
  • A minimum of 2 subnets (3 preferred for Lambda HA).
  • 1 subnet set up as a "public" subnet that provides internet access through the default VPC Internet Gateway.
  • A NAT Gateway set up in the "public" subnet.
  • 1 or more subnets set up as the "private" Lambda subnets.

Architecture:

How to:

In this setup you will need to be familiar with Amazon VPC configuration. When you initially create the new VPC for isolating your Lambda functions, you will want to follow a layout similar to the architecture diagram above.

Amazon has very strict rules for Lambdas running in a dedicated VPC. They cannot use the standard VPC Internet Gateway to access the outside world, which also means the Lambdas cannot be assigned public IPs. Because of this we have to use a NAT Gateway in the new dedicated VPC.

For the IOpipe agent to be able to reach the IOpipe APIs, you need to make sure the isolated private Lambda subnets can talk through the NAT Gateway. To set this up you need to do the following:

1.  Set up the dedicated VPC following the AWS tutorial: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html

2.  Create at least 3 subnets as in the architecture diagram above:

  • Create one "public" subnet in any availability zone.  This subnet is where you will create the NAT Gateway.  The "public" subnet should be associated with the default routing table, which should point to the Internet Gateway that is created by default with the new VPC from step 1.
  • Create two "private" subnets.  These two subnets should be in different AZs from each other and from the "public" subnet.  This enables HA for Lambda, which should be used in almost all use cases.

3.  Create the NAT Gateway following the AWS tutorial:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat-gateway-creating

  • NOTE: The NAT Gateway should be created in the "public" subnet so that it can itself reach the internet, and so you can assign an Elastic IP to it.  The Elastic IP assigned to it will be the public NAT IP seen by outside resources.

4.  Once the NAT Gateway is set up, you need to create a second routing table for your dedicated VPC:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html#CustomRouteTable

5.  After the new routing table is created, associate the two "private" Lambda subnets with it and add a default route pointing to the newly created NAT Gateway:

  • Make sure the route target is the NAT Gateway and not mistakenly the Internet Gateway.

6.  The last step is to set your security groups for the VPC to allow outbound requests on port 443, along with DNS name resolution. Lastly, allow any other ports needed for external resources.

7.  You can do more advanced things with this setup, such as VPC peering, which allows communication between multiple VPCs inside your AWS account. See the tutorial at: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html
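A routing check for steps 4 and 5, added here as an example (not IOpipe's or AWS's own code): it walks route-table data shaped like the boto3 ec2.describe_route_tables() response (the sample and all ids below are constructed) and flags any Lambda subnet whose default route does not go to a NAT Gateway, which is the misconfiguration the note in step 5 warns about.

```python
# Constructed sample shaped like boto3 ec2.describe_route_tables()["RouteTables"]:
# the VPC main table (no default route), a "public" subnet routed to the IGW, one
# private Lambda subnet correctly routed to the NAT, one mistakenly routed to the IGW.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-wrong", "Associations": [{"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
]

def default_route_target(route_table):
    """Return the target id of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main

def check_lambda_subnets(route_tables, lambda_subnet_ids):
    """Map each Lambda subnet id to a finding; only a NAT default route is 'ok'."""
    findings = {}
    for subnet_id in lambda_subnet_ids:
        table = table_for_subnet(route_tables, subnet_id)
        target = default_route_target(table) if table else None
        if table is None:
            findings[subnet_id] = "no route table found"
        elif target is None:
            findings[subnet_id] = "no default route: no egress to the IOpipe API"
        elif target.startswith("nat-"):
            findings[subnet_id] = "ok: default route via " + target
        else:
            findings[subnet_id] = "default route is not a NAT Gateway: " + target
    return findings
```

Run it against the real response from describe_route_tables() and the subnet ids in your function's VpcConfig; anything other than an "ok" finding means the IOpipe agent will time out trying to reach the API.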


If you find any out-of-date info or errors, or just have any other questions, you can reach our engineers and our community of users directly on Slack.
