Assign a static IP to an #AWS #lambda function
To assign a static ip to Lambda function for outbound requests we need to deploy the lambda function in private subnet of a VPC which will be attach with a NAT gateway. As NAT Gateway is associated with an Elastic IP address so all the traffic from lambda function will be routed via this EIP.
Creating VPC: VPC is a virtual private cloud which consists of below components.
- CIDR block – Range of IP address which you VPC can have. It is defined like 10.0.0.0/16.
For more information on cidr please refer this link : https://www.ionos.com/digitalguide/server/know-how/cidr-classless-inter-domain-routing/
- Subnets – A subnet, or subnetwork, is a segmented piece of a larger network. More specifically, subnets are a logical partition of an IP network into multiple, smaller network segments.
In this solution we have divided our VPC to one public subnet and one private subnet. Based on our requirement we can create multiple public and private subnets in our VPC.
- Route Tables: Each subnet is associated with a route table which defines the inbound and outbound traffic in that subnet.
- Internet Gateway: Public VPCs are the one which are accessible from Internet and to have connectivity from Internet each public subnet attached with an Internet Gateway.
- NAT Gateway: Private Gateways are the one which are not accessible from Internet. We keep our secure servers like Databases, application servers in our private subnet which do not need to directly expose to Internet. But these servers need to send outbound request to Internet for some scenarios like downloading the latest os or security patches. To allow Private subnet to send outbound traffic we need to attach a NAT gateway to Private subnet. This NAT Gateway need to be created in public subnet.
Steps to create VPC:
To calculate CIDR for VPC and subnets you can use this site : https://mxtoolbox.com/subnetcalculator.aspx
This will create a VPC with CIDR range 20.0.0.0/16 and one public subnet with cidr 20.0.1.0/24.
Once your VPC created with a public subnet you will see 2 route tables will be created automatically. One is default and one is attached to your public subnet. You can see which subnet is associated to your route table in details.
Now give your route table proper name so that you can easily identify them.
If you click on your public route table and see Routes then you will see route from 0.0.0.0/0 to internet gateway. This internet Gateway was automatically created while creating the VPC.
If anytime this internet gateway is not created the you can create it from console and attach it to the route table with same configuration as below.
Now as your VPC is created and a public subnet is created, we will create a private subnet.
Goto Subnets- > Create subnet- >enter details.
Now your two subnets are available as below:
Now to we need to create a NAT Gateway and attach it to our private subnet. We must have an Elastic IP created in our account to create a NAT Gateway.
Important Note: NAT Gateway should always be created in a public subnet so that It can have access to Internet.
Once your NAT gateway is created, you need to attach it to your private subnet by adding a route in your private route table.
Click on Edit routes and add a route from 0.0.0.0/0 to your NAT Gateway and save.
Once your route is created now associate your private subnet to this route table.
Goto Subnet Associations – > edit subnet associations-> select your subnet.
Now your VPC is ready with one public subnet and one private subnet.
Create a Lambda execution role for your VPC:
Now you need to create an IAM for your VPC to execute your lambda.
Goto IAM Roles-> create new role- >
For Select type of trusted entity, confirm that AWS service is selected.
For Choose a use case, choose Lambda.
Choose Next: Permissions.
Under Attach permissions policies, search for AWSLambdaVPCAccessExecutionRole. Select the policy with that name. If you lambda need any other permissions then select them and add to your role.
Move your lambda to VPC private subnet:
Change Lambda execution role to newley created role.
Click Edit
Now go to the VPC section of Lambda and edit to point to your VPC and private subnet.
All done and now your lambda will send outbound from EIP of your NAT Gateway.