docs.aws.amazon.com
Open in
urlscan Pro
54.239.23.208
Public Scan
Submitted URL: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring
Effective URL: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
Submission: On September 01 via api from US
Effective URL: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
Submission: On September 01 via api from US
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use cookies and similar tools to enhance your experience, provide our
services, deliver relevant advertising, and make improvements. Approved third
parties also use these tools to help us deliver advertising and provide certain
site features.
CustomizeAccept all
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice
.
CancelSave preferences
English
Sign In to the Console
1. AWS
2. ...
3. Documentation
4. AWS Lambda
5. Developer Guide
Feedback
Preferences
AWS Lambda
Developer Guide
* What is AWS Lambda?
* Setting up
* Getting started
* Create a function
* Create a function defined as a container image
* Lambda foundations
* Concepts
* Features
* Programming model
* Function scaling
* Deployment packages
* Lambda console
* Lambda CLI
* Lambda Quotas
* Permissions
* Execution role
* Resource-based policies
* User policies
* Resources and conditions
* Permissions boundaries
* Configuring functions
* Creating functions (.zip packages)
* Creating layers
* Creating functions (container images)
* Configuring function options
* Environment variables
* Versions
* Aliases
* Managing functions
* Concurrency
* Network
* Interface VPC endpoints
* Database
* File system
* Code signing
* Tags
* Using layers
* Invoking functions
* Synchronous invocation
* Asynchronous invocation
* Event source mapping
* Function states
* Error handling
* Using extensions
* Invoking functions defined as container images
* Mobile SDK for Android
* Tutorial
* Sample code
* Lambda applications
* Manage applications
* Tutorial – Create an application
* Rolling deployments
* Use cases
* Best practices
* Lambda runtimes
* Runtime support policy
* Execution environment
* Container images
* Runtime API
* Extensions API
* Logs API
* Runtime modifications
* Custom runtimes
* Tutorial – Custom runtime
* AVX2 vectorization
* Container images
* Creating images
* Testing images
* Working with other services
* Alexa
* API Gateway
* Tutorial
* Sample code
* Microservice blueprint
* Sample template
* CloudTrail
* CloudTrail logs
* Tutorial
* Sample code
* CloudWatch Events
* Tutorial
* Sample template
* Schedule expressions
* CloudWatch Logs
* CloudFormation
* CloudFront (Lambda@Edge)
* CodeCommit
* CodePipeline
* Cognito
* Config
* Connect
* DynamoDB
* Tutorial
* Sample code
* Sample template
* EC2
* Tutorial – Spot Instances
* ElastiCache
* Elastic Load Balancing
* EFS
* IoT
* IoT Events
* Apache Kafka
* Kinesis Firehose
* Kinesis Streams
* Tutorial
* Sample code
* Sample template
* Lex
* MQ
* MSK
* RDS
* Tutorial
* S3
* Tutorial: Use an S3 trigger
* Tutorial: Use an S3 trigger to create thumbnails
* Sample SAM template
* S3 Batch
* Secrets Manager
* SES
* SNS
* Tutorial
* Sample code
* SQS
* Tutorial
* Sample code
* Sample template
* X-Ray
* Orchestrating functions
* Application patterns
* Manage state machines
* Orchestration examples
* Samples
* Blank function
* Error processor
* List manager
* Working with Node.js
* Handler
* Deploy .zip file archives
* Deploy container images
* Context
* Logging
* Errors
* Tracing
* Working with Python
* Handler
* Deploy .zip file archives
* Deploy container images
* Context
* Logging
* Errors
* Tracing
* Working with Ruby
* Handler
* Deploy .zip file archives
* Deploy container images
* Context
* Logging
* Errors
* Tracing
* Working with Java
* Handler
* Deploy .zip file archives
* Deploy container images
* Context
* Logging
* Errors
* Tracing
* Tutorial - Eclipse IDE
* Sample apps
* Working with Go
* Handler
* Context
* Deploy .zip file archives
* Deploy container images
* Logging
* Errors
* Tracing
* Environment variables
* Working with C#
* Handler
* Deployment package
* .NET Core CLI
* AWS Toolkit for Visual Studio
* Deploy container images
* Context
* Logging
* Errors
* Tracing
* Working with PowerShell
* Development Environment
* Deployment package
* Handler
* Context
* Logging
* Errors
* Monitoring
* Monitoring console
* Function insights
* Function metrics
* Function logs
* Code profiler
* Example workflows
* Security
* Data protection
* Identity and access management
* How AWS Lambda works with IAM
* Identity-based policy examples
* Troubleshooting
* Compliance validation
* Resilience
* Infrastructure security
* Configuration and vulnerability analysis
* Troubleshooting
* Deployment
* Invocation
* Execution
* Networking
* Container images
* Releases
* API reference
* Actions
* AddLayerVersionPermission
* AddPermission
* CreateAlias
* CreateCodeSigningConfig
* CreateEventSourceMapping
* CreateFunction
* DeleteAlias
* DeleteCodeSigningConfig
* DeleteEventSourceMapping
* DeleteFunction
* DeleteFunctionCodeSigningConfig
* DeleteFunctionConcurrency
* DeleteFunctionEventInvokeConfig
* DeleteLayerVersion
* DeleteProvisionedConcurrencyConfig
* GetAccountSettings
* GetAlias
* GetCodeSigningConfig
* GetEventSourceMapping
* GetFunction
* GetFunctionCodeSigningConfig
* GetFunctionConcurrency
* GetFunctionConfiguration
* GetFunctionEventInvokeConfig
* GetLayerVersion
* GetLayerVersionByArn
* GetLayerVersionPolicy
* GetPolicy
* GetProvisionedConcurrencyConfig
* Invoke
* InvokeAsync
* ListAliases
* ListCodeSigningConfigs
* ListEventSourceMappings
* ListFunctionEventInvokeConfigs
* ListFunctions
* ListFunctionsByCodeSigningConfig
* ListLayers
* ListLayerVersions
* ListProvisionedConcurrencyConfigs
* ListTags
* ListVersionsByFunction
* PublishLayerVersion
* PublishVersion
* PutFunctionCodeSigningConfig
* PutFunctionConcurrency
* PutFunctionEventInvokeConfig
* PutProvisionedConcurrencyConfig
* RemoveLayerVersionPermission
* RemovePermission
* TagResource
* UntagResource
* UpdateAlias
* UpdateCodeSigningConfig
* UpdateEventSourceMapping
* UpdateFunctionCode
* UpdateFunctionConfiguration
* UpdateFunctionEventInvokeConfig
* Data Types
* AccountLimit
* AccountUsage
* AliasConfiguration
* AliasRoutingConfiguration
* AllowedPublishers
* CodeSigningConfig
* CodeSigningPolicies
* Concurrency
* DeadLetterConfig
* DestinationConfig
* Environment
* EnvironmentError
* EnvironmentResponse
* EventSourceMappingConfiguration
* FileSystemConfig
* FunctionCode
* FunctionCodeLocation
* FunctionConfiguration
* FunctionEventInvokeConfig
* ImageConfig
* ImageConfigError
* ImageConfigResponse
* Layer
* LayersListItem
* LayerVersionContentInput
* LayerVersionContentOutput
* LayerVersionsListItem
* OnFailure
* OnSuccess
* ProvisionedConcurrencyConfigListItem
* SelfManagedEventSource
* SourceAccessConfiguration
* TracingConfig
* TracingConfigResponse
* VpcConfig
* VpcConfigResponse
* AWS glossary
Configuring a Lambda function to access resources in a VPC - AWS Lambda
AWSDocumentationAWS LambdaDeveloper Guide
Execution role and user permissionsConfiguring VPC access (console)Configuring
VPC access (API)Using IAM condition keys for VPC settingsInternet and service
access for VPC-connected functionsVPC tutorialsSample VPC configurations
CONFIGURING A LAMBDA FUNCTION TO ACCESS RESOURCES IN A VPC
PDF
Kindle
RSS
You can configure a Lambda function to connect to private subnets in a virtual
private cloud (VPC) in your AWS account. Use Amazon Virtual Private Cloud
(Amazon VPC) to create a private network for resources such as databases, cache
instances, or internal services. Connect your function to the VPC to access
private resources while the function is running.
When you connect a function to a VPC, Lambda creates an elastic network
interface for each subnet in your function's VPC configuration. This process can
take several minutes.
While Lambda creates a network interface, you can't perform additional
operations that target the function, such as creating versions or updating the
function's code. For new functions, you can't invoke the function until its
state changes from Pending to Active. For existing functions, you can still
invoke an earlier version while the update is in progress. For more information
about function states, see Monitoring the state of a function with the Lambda
API.
Multiple functions can share a network interface, if the functions share the
same subnet and security group. Connecting additional functions to a subnet that
has an existing Lambda-managed network interface is much quicker than having
Lambda create additional network interfaces. However, if you have many functions
or functions with high network usage, Lambda might still create additional
network interfaces.
If your functions aren't active for a long period of time, Lambda reclaims its
network interfaces, and the functions become Idle. To reactivate an idle
function, invoke it. This invocation fails, and the function enters a Pending
state again until a network interface is available.
Lambda functions can't connect directly to a VPC with dedicated instance
tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC
with default tenancy.
Sections
* Execution role and user permissions
* Configuring VPC access (console)
* Configuring VPC access (API)
* Using IAM condition keys for VPC settings
* Internet and service access for VPC-connected functions
* VPC tutorials
* Sample VPC configurations
EXECUTION ROLE AND USER PERMISSIONS
Lambda uses your function's permissions to create and manage network interfaces.
To connect to a VPC, your function's execution role must have the following
permissions:
Execution role permissions
* ec2:CreateNetworkInterface
* ec2:DescribeNetworkInterfaces
* ec2:DeleteNetworkInterface
These permissions are included in the AWS managed policy
AWSLambdaVPCAccessExecutionRole.
When you configure VPC connectivity, Lambda uses your permissions to verify
network resources. To configure a function to connect to a VPC, your AWS
Identity and Access Management (IAM) user needs the following permissions:
User permissions
* ec2:DescribeSecurityGroups
* ec2:DescribeSubnets
* ec2:DescribeVpcs
CONFIGURING VPC ACCESS (CONSOLE)
If your IAM permissions allow you only to create Lambda functions that connect
to your VPC, you must configure the VPC when you create the function. If your
IAM permissions allow you to create functions that aren't connected to your VPC,
you can add the VPC configuration after you create the function.
To configure a VPC when you create a function
1. Open the Functions page on the Lambda console.
2. Choose Create function.
3. Under Basic information, for Function name, enter a name for your function.
4. Expand Advanced settings.
5. Under Network, choose a VPC for your function to access.
6. Choose subnets and security groups. When you choose a security group, the
console displays the inbound and outbound rules for that security group.
Note
To access private resources, connect your function to private subnets. If
your function needs internet access, use network address translation (NAT).
Connecting a function to a public subnet doesn't give it internet access or
a public IP address.
7. Choose Create function.
To configure a VPC for an existing function
1. Open the Functions page on the Lambda console.
2. Choose a function.
3. Choose Configuration and then choose VPC.
4. Under VPC, choose Edit.
5. Choose a VPC, subnets, and security groups.
Note
To access private resources, connect your function to private subnets. If
your function needs internet access, use network address translation (NAT).
Connecting a function to a public subnet doesn't give it internet access or
a public IP address.
6. Choose Save.
CONFIGURING VPC ACCESS (API)
To connect a Lambda function to a VPC, you can use the following API operations:
* CreateFunction
* UpdateFunctionConfiguration
To create a function and connect it to a VPC using the AWS Command Line
Interface (AWS CLI), you can use the create-function command with the vpc-config
option. The following example creates a function with a connection to a VPC with
two subnets and one security group.
aws lambda create-function --function-name my-function \
--runtime nodejs12.x --handler index.js --zip-file fileb://function.zip \
--role arn:aws:iam::123456789012:role/lambda-role \
--vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb
To connect an existing function to a VPC, use the update-function-configuration
command with the vpc-config option.
aws lambda update-function-configuration --function-name my-function \
--vpc-config SubnetIds=subnet-071f712345678e7c8,subnet-07fd123456788a036,SecurityGroupIds=sg-085912345678492fb
To disconnect your function from a VPC, update the function configuration with
an empty list of subnets and security groups.
aws lambda update-function-configuration --function-name my-function \
--vpc-config SubnetIds=[],SecurityGroupIds=[]
USING IAM CONDITION KEYS FOR VPC SETTINGS
You can use Lambda-specific condition keys for VPC settings to provide
additional permission controls for your Lambda functions. For example, you can
require that all functions in your organization are connected to a VPC. You can
also specify the subnets and security groups that the function's users can and
can't use.
Lambda supports the following condition keys in IAM policies:
* lambda:VpcIds – Allow or deny one or more VPCs.
* lambda:SubnetIds – Allow or deny one or more subnets.
* lambda:SecurityGroupIds – Allow or deny one or more security groups.
The Lambda API operations CreateFunction and UpdateFunctionConfiguration support
these condition keys. For more information about using condition keys in IAM
policies, see IAM JSON Policy Elements: Condition in the IAM User Guide.
Tip
If your function already includes a VPC configuration from a previous API
request, you can send an UpdateFunctionConfiguration request without the VPC
configuration.
EXAMPLE POLICIES WITH CONDITION KEYS FOR VPC SETTINGS
The following examples demonstrate how to use condition keys for VPC settings.
After you create a policy statement with the desired restrictions, append the
policy statement for the target IAM user or role.
ENSURE THAT USERS DEPLOY ONLY VPC-CONNECTED FUNCTIONS
To ensure that all users deploy only VPC-connected functions, you can deny
function create and update operations that don't include a valid VPC ID.
Note that VPC ID is not an input parameter to the CreateFunction or
UpdateFunctionConfiguration request. Lambda retrieves the VPC ID value based on
the subnet and security group parameters.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceVPCFunction",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"Null": {
"lambda:VpcIds": "true"
}
}
}
]
}
DENY USERS ACCESS TO SPECIFIC VPCS, SUBNETS, OR SECURITY GROUPS
To deny users access to specific VPCs, use StringEquals to check the value of
the lambda:VpcIds condition. The following example denies users access to vpc-1
and vpc-2.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceOutOfVPC",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringEquals": {
"lambda:VpcIds": ["vpc-1", "vpc-2"]
}
}
}
To deny users access to specific subnets, use StringEquals to check the value of
the lambda:SubnetIds condition. The following example denies users access to
subnet-1 and subnet-2.
{
"Sid": "EnforceOutOfSubnet",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"lambda:SubnetIds": ["subnet-1", "subnet-2"]
}
}
}
To deny users access to specific security groups, use StringEquals to check the
value of the lambda:SecurityGroupIds condition. The following example denies
users access to sg-1 and sg-2.
{
"Sid": "EnforceOutOfSecurityGroups",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"lambda:SecurityGroupIds": ["sg-1", "sg-2"]
}
}
}
]
}
ALLOW USERS TO CREATE AND UPDATE FUNCTIONS WITH SPECIFIC VPC SETTINGS
To allow users to access specific VPCs, use StringEquals to check the value of
the lambda:VpcIds condition. The following example allows users to access vpc-1
and vpc-2.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceStayInSpecificVpc",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"lambda:VpcIds": ["vpc-1", "vpc-2"]
}
}
}
To allow users to access specific subnets, use StringEquals to check the value
of the lambda:SubnetIds condition. The following example allows users to access
subnet-1 and subnet-2.
{
"Sid": "EnforceStayInSpecificSubnets",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"lambda:SubnetIds": ["subnet-1", "subnet-2"]
}
}
}
To allow users to access specific security groups, use StringEquals to check the
value of the lambda:SecurityGroupIds condition. The following example allows
users to access sg-1 and sg-2.
{
"Sid": "EnforceStayInSpecificSecurityGroup",
"Action": [
"lambda:CreateFunction",
"lambda:UpdateFunctionConfiguration"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"ForAllValues:StringEquals": {
"lambda:SecurityGroupIds": ["sg-1", "sg-2"]
}
}
}
]
}
INTERNET AND SERVICE ACCESS FOR VPC-CONNECTED FUNCTIONS
By default, Lambda runs your functions in a secure VPC with access to AWS
services and the internet. Lambda owns this VPC, which isn't connected to your
account's default VPC. When you connect a function to a VPC in your account, the
function can't access the internet unless your VPC provides access.
Note
Several AWS services offer VPC endpoints. You can use VPC endpoints to connect
to AWS services from within a VPC without internet access.
Internet access from a private subnet requires network address translation
(NAT). To give your function access to the internet, route outbound traffic to a
NAT gateway in a public subnet. The NAT gateway has a public IP address and can
connect to the internet through the VPC's internet gateway. For more
information, see How do I give internet access to my Lambda function in a VPC?
VPC TUTORIALS
In the following tutorials, you connect a Lambda function to resources in your
VPC.
* Tutorial: Configuring a Lambda function to access Amazon RDS in an Amazon VPC
* Tutorial: Configuring a Lambda function to access Amazon ElastiCache in an
Amazon VPC
SAMPLE VPC CONFIGURATIONS
You can use the following sample AWS CloudFormation templates to create VPC
configurations to use with Lambda functions. There are two templates available
in this guide's GitHub repository:
* vpc-private.yaml – A VPC with two private subnets and VPC endpoints for
Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Use this
template to create a VPC for functions that don't need internet access. This
configuration supports use of Amazon S3 and DynamoDB with the AWS SDKs, and
access to database resources in the same VPC over a local network connection.
* vpc-privatepublic.yaml – A VPC with two private subnets, VPC endpoints, a
public subnet with a NAT gateway, and an internet gateway. Internet-bound
traffic from functions in the private subnets is routed to the NAT gateway
using a route table.
To create a VPC using a template, on the AWS CloudFormation console Stacks page,
choose Create stack, and then follow the instructions in the Create stack
wizard.
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thanks for your vote. To provide details, send feedback.
This page is helpful.
Thanks for your vote. To provide details, send feedback.
This page is not helpful.
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
Concurrency
Interface VPC endpoints
Did this page help you?
Yes No
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Feedback
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Feedback
Provide feedback
Edit this page on GitHub
Previous topic: Concurrency
Next topic: Interface VPC endpoints
Need help?
* Try the forums
* Connect with an AWS IQ expert
Privacy
Site terms
Cookie preferences
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Feedback
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
Feedback
On this page
* Execution role and user permissions
* Configuring VPC access (console)
* Configuring VPC access (API)
* Using IAM condition keys for VPC settings
* Internet and service access for VPC-connected functions
* VPC tutorials
* Sample VPC configurations