How do I give internet access to my Lambda function in a VPC?

Last updated: 2019-07-22

I want to give internet access to my Amazon Virtual Private Cloud (Amazon VPC)-enabled AWS Lambda function. How can I do this?

Short Description

You might want your Lambda function to access private VPC resources (for example, an Amazon Relational Database Service (Amazon RDS) DB instance or an Amazon Elastic Compute Cloud (Amazon EC2) instance). To do this, you associate the function with one or more private subnets in a VPC. A function that is connected to a VPC sends all of its outbound traffic through elastic network interfaces in those subnets, and those interfaces have only private IP addresses. So the function can reach the internet only if its subnets route 0.0.0.0/0 to a NAT gateway (or NAT instance) that sits in a public subnet of the same VPC. Placing the function in a public subnet does not give it internet access.

Whether a subnet is public or private depends on its route table. A public subnet's route table has a route to an internet gateway, and a private subnet's does not. A subnet that isn't explicitly associated with a route table uses the VPC's main route table, so check that table as well.

Resolution

If you're using an existing VPC, start from Create your VPC components to create a public subnet with a NAT gateway and one or more private subnets. If your existing VPC already has a public subnet with a NAT gateway and one or more private subnets, skip ahead to Create a Lambda execution role for Amazon VPC.

If you want to create a new VPC for this setup, use the VPC wizard, and then choose VPC with Public and Private Subnets. (In the Amazon VPC console, your subnets are named "Public subnet" and "Private subnet" accordingly.) Then, skip ahead to Create a Lambda execution role for Amazon VPC.

Create your VPC components

  1. Create two or more new subnets in your VPC. During creation, for Name tag, add a name to help you identify which subnet is public and which subnets are private. For example, name one Public Subnet and the other Private Lambda (or Private Lambda 1, Private Lambda 2, and so on, for multiple private subnets).
    Note: It's a best practice to create multiple private subnets across different Availability Zones for redundancy and so that Lambda can ensure high availability for your function.
  2. Create an internet gateway and attach it to your VPC.
  3. Create a NAT gateway. During creation, for Subnet, choose the subnet that you want to make public (for example, Public Subnet if you named it earlier), and allocate or choose an Elastic IP address for the gateway. A NAT gateway lives in a single Availability Zone. If your private subnets span several zones and the function must keep internet access when a zone fails, create a NAT gateway in a public subnet of each zone and route each zone's private subnets to the NAT gateway in that zone.

Create and modify route tables for your subnets

  1. In the Amazon VPC console, create two custom route tables for your VPC.
    Tip: During creation, for Name tag, add a name to help you identify which subnet the route table is associated with. For example, name one Public Subnet and the other Private Lambda.
  2. Associate the public subnet route table (Public Subnet) with the subnet that you want to make public.
  3. Add a new route to this route table. Specify the following:
    For Destination, enter 0.0.0.0/0.
    For Target, choose Internet Gateway, and then choose the ID (igw-…) of the internet gateway that you created.
    Choose Save routes. The associated subnet is now a public subnet.
  4. Associate the other route table (Private Lambda) with the private subnets.
  5. Add a new route to this route table. Specify the following:
    For Destination, enter 0.0.0.0/0.
    For Target, choose NAT Gateway, and then choose the ID (nat-…) of the NAT gateway that you created. (If you're using a NAT instance, choose Instance or Network Interface instead, and make sure that source/destination checking is disabled on that instance; otherwise it drops traffic that isn't addressed to it.)
    Choose Save routes.

Create a Lambda execution role for Amazon VPC

  1. In the AWS Identity and Access Management (IAM) console, in the left navigation pane, choose Roles.
  2. On the Roles pane, choose Create role.
  3. On the Create role page, do the following:
    For Select type of trusted entity, choose AWS service.
    For Choose the service that will use this role, choose Lambda.
    Choose Next: Permissions.
  4. Under Attach permissions policies, search for AWSLambdaVPCAccessExecutionRole. Select the policy with that name, and then choose Next: Tags. This managed policy grants the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface permissions that Lambda needs to place the function's network interfaces in your subnets, plus the CloudWatch Logs permissions for writing function logs. Without the EC2 permissions, Lambda can't connect the function to the VPC.
  5. Optionally add tags if you prefer, and then choose Next: Review.
  6. Under Review, do the following:
    For Role name, enter a name for this Lambda execution role. For example, lambda_vpc_basic_execution.
    (Optional) For Role description, edit the description to your preferences.
    Choose Create role.

For more information, see AWS Lambda Execution Role.
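To make the execution role's contents concrete, here is an added example (not code from the original article or from AWS): the trust policy that the console's "AWS service / Lambda" choice produces, an inline permissions policy with the network-interface and log actions that the managed policy grants, and a small checker that reports which of those actions a given policy document is missing. The action list is an assumption that mirrors the managed policy at the time of writing; compare it with the current policy document in the IAM console.

```python
import fnmatch

# Trust policy that lets the Lambda service assume the role. Choosing
# "AWS service" and then "Lambda" in the console produces an equivalent document.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# What a VPC-connected function needs. Assumption: this mirrors the actions the
# AWSLambdaVPCAccessExecutionRole managed policy grants: permission to create,
# describe and delete the elastic network interfaces Lambda places in your
# subnets, plus the CloudWatch Logs actions every function uses.
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
)

# Inline policy equivalent to the managed one (Resource "*" as in the managed policy).
VPC_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

# A logs-only policy: enough for a plain function, but Lambda rejects a VPC
# configuration with it because the ENI actions are missing.
LOGS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports the '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy):
    """Return the subset of REQUIRED_ACTIONS that this policy document allows.

    An explicit Deny wins over an Allow, as in IAM evaluation. Assumption:
    statements use Action (not NotAction) and carry no Condition block."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in REQUIRED_ACTIONS if _matches(a, patterns))
    return allowed - denied


def missing_actions(policy):
    """Actions the role still needs before Lambda will connect a function to a VPC."""
    return [a for a in REQUIRED_ACTIONS if a not in allowed_actions(policy)]


if __name__ == "__main__":
    print("VPC access policy missing:", missing_actions(VPC_ACCESS_POLICY))
    print("logs-only policy missing:", missing_actions(LOGS_ONLY_POLICY))
```

The checker is useful when a team attaches its own inline policy instead of the managed one: run it over the policy document before deploying, and it tells you exactly which of the ENI actions would make Lambda refuse the VPC configuration.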

Configure your Lambda function

  1. In the Lambda console, in the left navigation pane, choose Functions.
  2. Choose the name of the function that you want to connect to your VPC.
  3. On the Configuration pane, under Execution role, for Existing role, choose the IAM execution role that you created (lambda_vpc_basic_execution).
  4. On the Configuration pane, under Network, do the following:
    For Virtual Private Cloud (VPC), choose your VPC.
    For Subnets, select the private subnets that you created. Identify them by their subnet IDs (and names, if you named them).
    For Security groups, choose a security group.
    Note: The default security group allows all outbound traffic, which is enough for the function to reach the internet. Inbound rules don't affect connections the function opens itself, because security groups are stateful and allow the return traffic. For least privilege, use a dedicated security group for the function whose outbound rules allow only the protocols, ports, and destinations the function needs (for example, TCP 443 to 0.0.0.0/0), and reference that group in the inbound rules of the security groups on the RDS or EC2 resources the function must reach. Also check that the network ACL on the private subnets allows the outbound traffic and the ephemeral-port return traffic. For more information, see Security Groups for Your VPC.
  5. Choose Save.
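The two things that most often go wrong in this setup are the route tables from the "Create and modify route tables for your subnets" section and the network settings from the steps above: a function placed in a public subnet, a subnet left on the main route table, a NAT gateway that was deleted (its route turns into a blackhole), or a security group with no usable outbound rule. The following added example (not from the original article or from AWS) checks a function's VPC configuration against route tables and security groups for exactly those conditions. All of the data is constructed inline in the shape of the EC2 and Lambda API responses; in practice you would feed it the output of describe-route-tables, describe-security-groups, and get-function-configuration.

```python
# Constructed sample data in the shape of the EC2 and Lambda API responses
# (describe_route_tables, describe_security_groups, get_function_configuration).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],  # used by unassociated subnets
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-lambda-1"},
                                                      {"Main": False, "SubnetId": "subnet-lambda-2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]},
    {"RouteTableId": "rtb-stale", "Associations": [{"Main": False, "SubnetId": "subnet-lambda-old"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-gone", "State": "blackhole"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-default",  # default group: all outbound traffic allowed
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-https-only",  # least-privilege group for the function
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-no-egress", "IpPermissionsEgress": []},
]
GOOD_VPC_CONFIG = {"SubnetIds": ["subnet-lambda-1", "subnet-lambda-2"], "SecurityGroupIds": ["sg-https-only"]}
BAD_VPC_CONFIG = {"SubnetIds": ["subnet-public", "subnet-lambda-old", "subnet-unassociated"],
                  "SecurityGroupIds": ["sg-no-egress"]}


def route_table_for(subnet_id, route_tables):
    """The table explicitly associated with the subnet, else the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))


def classify_subnet(subnet_id, route_tables):
    """'public' (default route to an internet gateway), 'nat' (default route to a
    NAT gateway or NAT instance), or 'isolated' (no active default route)."""
    for route in route_table_for(subnet_id, route_tables)["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue  # skip the local route, specific routes, and blackholed routes
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("NetworkInterfaceId") or route.get("InstanceId"):
            return "nat"
    return "isolated"


def sg_allows_egress(sg, port=443):
    """True if an outbound rule lets TCP on the given port reach any IPv4 destination."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        if proto in ("-1", "tcp") and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False


def check_function_egress(vpc_config, route_tables, security_groups, port=443):
    """Return a list of findings; an empty list means the function can reach the internet."""
    findings = []
    groups = {sg["GroupId"]: sg for sg in security_groups}
    for subnet_id in vpc_config["SubnetIds"]:
        kind = classify_subnet(subnet_id, route_tables)
        if kind == "public":
            findings.append(f"{subnet_id}: public subnet; the function's ENIs have only private IPs, "
                            "so the internet gateway route gives no internet access")
        elif kind == "isolated":
            findings.append(f"{subnet_id}: no active default route; outbound calls will time out")
    for group_id in vpc_config["SecurityGroupIds"]:
        if not sg_allows_egress(groups[group_id], port):
            findings.append(f"{group_id}: no outbound rule for TCP/{port} to 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    print("good config:", check_function_egress(GOOD_VPC_CONFIG, ROUTE_TABLES, SECURITY_GROUPS))
    for finding in check_function_egress(BAD_VPC_CONFIG, ROUTE_TABLES, SECURITY_GROUPS):
        print("bad config:", finding)
```

The blackhole check matters in practice: deleting a NAT gateway does not remove the route that points at it, so the route table still looks right in a quick glance while every outbound call from the function times out. The port argument lets you verify the least-privilege security group from the note above (HTTPS only) rather than assuming the default group's allow-all rule.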