DEV Community

loading...
Cover image for White-List AWS Lambda functions

White-List AWS Lambda functions

kiunakoncepts profile image Kiuna Koncepts ・2 min read

So you have a situation where you need to white-list your Lambda functions. For example, you could have Lambda function that is used to query a Database but due to security concerns, all requests made to the Database need to come from IP address that have been whitelisted.

The issue here is that by default, Lambda functions run in an AWS managed VPC. Although request may appear to be coming from certain range of IP addresses, the IP address are not static — meaning that the IP address that the requests are sent from will not be the same. So attempting to white-list may prove to be anywhere between difficult and impossible.

However, there is a workaround for this.

With AWS Lambda, you have the option of place your function into a custom VPC. By doing this, you can then attach a NAT (Network Address Translator) Gateway, so that all requests coming from your Lambda functions will go through the NAT Gateway. This NAT will have a fixed IP address that you can use for white-listing.

Placing your Lambda into a custom VPC

If you are unfamiliar with how to place your Lambda into a custom VPC, below are the steps to do so:

  1. Setup a new VPC in your AWS account, or use an existing VPC if you already have one.
  2. Setup your VPC components — these include:
    • At least 3 subnets, 1 will be “public” and two will be “private”. (You will place you Lambda in the private subnets, and NAT in the public subnet.)
    • Your NAT Gateway
    • Internet Gateway
  3. Create two route tables, one will be for your public subnet, and the other will be for your private subnets.
  4. Configure the Public Route Table by first associating the public route table with the public subnet. Then create a new route with the following information:
    • Destination, should be “0.0.0.0/0”
    • For Target choose Internet Gateway, and then choose the ID (igw-123abc456def) of the internet gateway that you created. Choose Save routes. The associated subnet is now a public subnet.
  5. Configure the Private Route Table by associating it with the private subnet. Then create a new route with the following information:
    • Destination, should be “0.0.0.0/0”
    • For Target choose NAT Gateway, and then choose the ID (nat-123abc456def) of the NAT gateway that you created. Choose Save routes. The associated subnet is now a private subnet.
  6. Create a new Elastic IP address, and attach it to the NAT Gateway and Public subnets you have created.

Once you have completed setting up your VPC, your Lambda function can now be setup inside your custom VPC to make a request to the Internet, and make use of the static IP at the NAT gateway.

To make sure everything is working as it should, you can do a quick test by making a request in your function code to www.google.com.

If the request is successful then we know the request is being successfully using the NAT Gateway and the Elastic IP address that we created. This is the IP address that you will place into your white-list.

Discussion (0)

pic
Editor guide