Lambda in VPC -- NAT Gateway example
This Serverless service shows how to configure a Lambda function in a VPC with public internet access by using a NAT Gateway. It will configure all necessary VPC resources and deploy a Lambda function in the VPC. The function will demonstrate that it has internet access by using Amazon SNS to send an SMS message.
To use this example, follow the steps below. You must have the Serverless Framework installed.
Create a new service from this repository and install the dependencies.
serverless create --template-url https://github.com/alexdebrie/serverless-vpc-examples/tree/master/nat-gateway --path nat-gateway
cd nat-gateway
npm i
Set the SMS_NUMBER environment variable in the serverless.yml file to the SMS number where you want to send a message.
Deploy your service.
In your terminal, run:
This will take a few minutes to provision the VPC resources.
Invoke your function to send the SMS message.
In your terminal, run:
serverless invoke -f sendText
You should receive an SMS message to the number provided.
The serverless.yml file creates the following resources:
- A VPC;
- Two public subnets and two private subnets. The Lambda functions will use the private subnets, but the NAT Gateways will be in the public subnets.
- An Internet Gateway and a VPC Gateway Attachment to connect the Gateway to the VPC. The Internet Gateway will allow public internet access for the public subnets.
- RouteTables and Subnet Route Table Associations to associate each subnet with a route table.
- Routes in the public subnet route tables that direct traffic through the Internet Gateway.
- Two Elastic IP Addresses that will be assigned to our NAT Gateways.
- Two NAT Gateways that will be used to connect our private subnets to the public internet.
- Routes in the private subnet route tables to route traffic through the NAT Gateways.
- A Security Group to give to our Lambda function.
The general architecture is as follows:
Our Lambda functions are (functionally) in the private subnets of our VPC. Their web requests are routed through the NAT Gateway into the public subnet, where the traffic can go through the Internet Gateway to the public internet. With public internet access, our Lambda function has access to AWS services like SNS.
In our Lambda function configuration, we use the private subnet IDs and the security group ID to configure our Lambda function to be in a VPC.
This is a lot of resources and can be quite confusing if you're not a networking wizard. Both the VPC resources and the Lambda function are combined in this example stack for ease of demonstration. For production use cases, I would recommend splitting the VPC configuration into a different CloudFormation stack altogether. You could refer to the exported values from that stack in your Serverless service.
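One way to do that split, as an added example rather than anything from the repository: the VPC stack exports the subnet and security group IDs, and the Serverless service imports them with Fn::ImportValue instead of creating the network itself. The stack name shared-vpc, the export names and the resource logical IDs are assumptions.

```yaml
# Added example (not from the repository). Two separate files are shown:
# the Outputs section of a standalone VPC CloudFormation stack, and the
# provider block of a Serverless service that consumes its exports.

# --- Outputs section of the "shared-vpc" CloudFormation stack (assumed name) ---
Outputs:
  PrivateSubnetAId:
    Value: { Ref: PrivateSubnetA }
    Export: { Name: shared-vpc-PrivateSubnetA }
  PrivateSubnetBId:
    Value: { Ref: PrivateSubnetB }
    Export: { Name: shared-vpc-PrivateSubnetB }
  LambdaSecurityGroupId:
    Value: { Ref: LambdaSecurityGroup }
    Export: { Name: shared-vpc-LambdaSecurityGroup }

# --- serverless.yml of the service: every function gets the imported VPC config ---
provider:
  name: aws
  runtime: nodejs18.x
  vpc:
    securityGroupIds:
      - Fn::ImportValue: shared-vpc-LambdaSecurityGroup
    subnetIds:
      - Fn::ImportValue: shared-vpc-PrivateSubnetA
      - Fn::ImportValue: shared-vpc-PrivateSubnetB
```

Putting `vpc:` under `provider` applies it to every function in the service, so a new function cannot accidentally be deployed outside the VPC. CloudFormation also refuses to delete or change an export while another stack imports it, which protects the Lambda stack from having its subnets removed underneath it.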