-
Notifications
You must be signed in to change notification settings - Fork 2.4k
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lambda as ALB target in Cloudformation #721
Comments
Went through the documentations. Not sure if it is updated either. Can you please add the SAM template ability to specify ALB feature for Lambda |
Yes please SAM ALB is needed. Discontinuing use of API Gateway due to high cost, transitioning to ALB. |
Any update on this feature request ? |
Another request to the AWS team to prioritize this! |
Another request. Thanks! |
Absolutely. At a minimum we could add a new Would love to get some more feedback from everyone on this, including some SAM syntax. |
@brettstack Ideally, what I was hoping is if SAM can create the entire ALB and register Lambda as target. Probably following might be capabilities required:
I am not exactly sure which of the above features are already available in SAM. So, please correct me if anything above is redundant. Currently, I was using a workaround by creating a Lambda function which does all these operations and was invoking that lambda wherever required. However, the feature being available in SAM would be really handy in directly leveraging it within the SAM template. |
@rsram312 that's very useful. Do you have an existing minimal template that includes all of those required resources? |
@brettstack The sample template I was using as workaround leverages boto3 to create those resources. If it might be of any use, I could probably send it over. |
For me the preference is in specifying an existing ALB and getting the target group and permissions created by SAM. |
I like what @deleugpn suggests - seems like the most natural way to go about it. |
We will try to accommodate all scenarios.
|
I'm not sure if it would be possible, but I would guess that the following would be quite an amazing syntax:
I don't know if I would need to specify anything else other than this. The expected result would be something similar to this:
|
The valid range of priorities is from 1 - 50,000. One approach we could take to this is to default the value to a random number 40,000 to 50,000 catch the exception of an already used priority and choose again. As long as the path / domain is unique, the priority should not matter. |
SAM would be limited to deploy up to 10,000 lambdas on a single Listener, I guess that's fine. |
Hello, is SAM supports event from ALB now ?
|
This is still an issue. I get the same errors as @ravibarkhani It's been 4 months since Lambda targets for ALBs was announced, and Cloudformation is lagging behind. |
You can use any cloudformation resource in your SAM templates; SAM does not alter these resources. You should be able to use any new feature from CFN in SAM without a SAM update unless an update is required to one of the If this doesn't work, it's an issue with either the configuration or CFN support, not SAM. |
CloudFormation got ALB->Lambda support in the last release (https://aws.amazon.com/about-aws/whats-new/2019/04/aws-cloudformation-coverage-updates-for-amazon-ec2--amazon-ecs-a/). Here is a sample code how to use them: https://github.com/s0enke/cloudformation-templates/blob/master/templates/lambda-alb-sam-sample.yaml |
Thanks @deleugpn for the proposed syntax #721 (comment) and @s0enke for the example. How might the input and output look for defining multiple paths/methods like we do for Api event? That is, we should allow defining the Rule for advanced configuration, but for common use-cases (e.g map this Path) we should provide simpler syntax which creates the necessary resources for you. |
Thanks @s0enke for putting that together, I've gone one step further to add custom subdomain and auth0 authentication to the template, enjoy: |
@s0enke Thanks for that sample code. For Rails & Lambda using SAM, we were able to side step official support for this by just using CloudFormation. For the Lamby/Rails community, we had no need to for the So maybe this helps shape what is needed for SAM to support this? How much should SAM build? I feel these are two distinct questions below after going thru this exercise with Lamby.
|
+1 |
I'm concerned that the example, along with any examples I've found, for how to use Lambda behind an ALB leaves the lambda open to execution from any loadbalancer on AWS. The examples in this rails app do not show how to use Edited: The lambda is access to the entire account, not the world |
Hey Michael,
you can use lambda behind lambda, using few methods
- alb subnets in private subnet
- restrict alb with WAF + ipwhitelist to your VPC and NAT cidr
- restrict alb with WAF + api gateway header check rule
- restrict the alb sg to your vpc cidr only
hope above helps.
regards,
ram
…On Sat, Aug 10, 2019 at 8:24 AM Michael Neil ***@***.***> wrote:
I'm concerned that the example, along with any examples I've found, for
how to use Lambda behind an ALB leaves the lambda open to execution from
*any* loadbalancer on AWS. The examples in this rails app do not show how
to use SourceAccount or SourceArn to restrict access. I have been unable
to launch a lambda using either of those restrictions behind an ALB
successfully. Could someone update the example, or provide an example, of
how to use lambda behind an ALB that does not allow access to the world?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#721>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACRZW6ZKNC574PM3GV7JFUDQDXVDPANCNFSM4GKMLMNQ>
.
|
Thanks for the feedback @mneil! Could you send us some links to the examples you are referring to? |
BTW due to the long timeframe on this I’m using Serverless for ALB/lambda projects: I’d suggest taking inspiration from their syntax - it’s pretty nice! |
I also stopped recommending SAM as the go-to tool for serverless deployment. AWS is developing and marketing serverless A LOT but lagging behind on CloudFormation / SAM A LOT as well. 3rd party tools are doing a much better job at supporting AWS-provided features than AWS themselves. |
Plus one from me on this. I'm breaking up a stack currently and taking a set of my endpoints off an API Gateway and moving them behind an ALB. Based on another stack where I did an ALB->Lambda stack, I need to build the following resources into my template to make this work:
That's... a lot of stuff. Really, AWS needs to make ALBs a true serverless service and remove the requirements for an underlying VPC. This all becomes much simpler then. Until such time, SAM has an opportunity to abstract this boilerplate madness away in a simplified syntax. |
@mneil The only way I've found to restrict access to the Lambda to a specific target group is to name the target group and use a wildcard in the SourceArn on the Permission:
This allows the permission to be created before the Target Group (which otherwise fails because of the missing permission) and prevents a circular reference. Unfortunately it does mean naming the target group, which isn't idea, and you can't match on the full ARN. You can modify the permission to add the SourceARN after the fact (and that could be done within a custom resource). I took a look at what the Serverless Framework was doing for this because at first it appeared they had somehow worked around this problem - but actually what they are doing is first creating a permission without a SourceARN that the Target Group depends upon, and then they add a second permission that uses the SourceARN after the Target Group has been created. This doesn't increase security, but does make the ALB show up as the event source for the Lambda in the Console. (which if you use the wildcard SourceARN, you get an error about it not matching a Target group, but it does appear to work, and I assume the restriction works, but I haven't verified that). |
For supporting ALBs as a source in SAM, I've been experimenting with a CloudFormation macro that accepts events like this: Events:
AlbApi:
Type: ALB
Properties:
Host: abc.def.com
ListenerArn: !Ref ListenerArn
Priority: 123 I'm following the basic pattern of how the different events work, and then using the Serverless Framework as inspiration for the property names. I'm assuming that the Listener already exists and is shared for multiple lambdas, so I'm just generating the permission, target group and listener rule. I think automatically generating the ALB and listeners with an appropriate security group etc. just from the events would be difficult. |
@andrewdmay I did a similar thing (and so far have made the same assumption re: pre-existing listener) and it’s been working very well for us. |
Any updates here? We need this feature because API Gateway has a hard timeout limit of 30 seconds |
@samirhsnv I believe this ticket is about making it easier, however it's already possible to deploy your Lambda behind ALB using CFN. You can see an example here: https://blog.deleu.dev/running-lambda-behind-application-load-balancer/ |
Any updates here? |
Hi, is there any progress on this? Would to very useful to have this support, thanks |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Hi,
Could you please add the cloudformation and SAM the ability to specify an events for lambda which is an Application Load Balancer ?
Thanks.
The text was updated successfully, but these errors were encountered: