I'm developing a mobile app that utilizes API Gateway and Lambda functions, with most components hosted in a VPC. However, I found that I need to delete user accounts from Cognito, which, as I understand, requires a NAT gateway for APIs to be accessed from a VPC. Given that a NAT gateway is quite expensive—around $400 per year—for a non-essential function that will only be invoked occasionally, I've come up with a workaround. My plan is to set up a 'delete Cognito user' Lambda function outside of the VPC and have my main delete user Lambda (responsible for handling database deletions) send messages to this external function via an SQS queue. This way, I can avoid the NAT gateway costs. Is this a sensible approach? I understand the external function would only handle minimal data (the user ID) and would only be triggered via the SQS queue. Thanks for any insights!
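As an added illustration of the queue-decoupled design described in the question (not code from the poster), the Python below sketches both halves: the in-VPC producer that serialises only the user id onto SQS, and the out-of-VPC consumer Lambda that deletes the Cognito user. Assumptions are mine: the user-pool id is a placeholder, the username charset check is a conservative choice, and `FakeCognitoClient` stands in for the boto3 `cognito-idp` client (same `admin_delete_user(UserPoolId=..., Username=...)` call shape) so the example runs offline. The points worth taking away are validating the message body before it reaches Cognito, treating an already-missing user as success (SQS is at-least-once), acknowledging poison messages instead of redriving them forever, and returning the partial-batch-response shape so only genuinely failed records are retried.

```python
import json
import re

# Placeholder pool id (not a real pool); read it from an environment variable in a deployment.
USER_POOL_ID = "us-east-1_EXAMPLE"

# Cognito usernames are 1-128 characters; this is a deliberately conservative charset
# so a malformed or hostile message body cannot pass anything unexpected to the API.
USER_ID_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,128}$")


def build_delete_message(user_id: str) -> str:
    """Producer side (in-VPC Lambda): the SQS body carries only the user id."""
    if not USER_ID_RE.match(user_id):
        raise ValueError("refusing to enqueue malformed user id")
    return json.dumps({"user_id": user_id})


def parse_delete_message(body: str) -> str:
    """Consumer side: re-validate, because the queue is a trust boundary too."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("message body is not an object")
    user_id = data.get("user_id")
    if not isinstance(user_id, str) or not USER_ID_RE.match(user_id):
        raise ValueError("malformed user id")
    return user_id


class UserNotFound(Exception):
    """Stands in for client.exceptions.UserNotFoundException of the real boto3 client."""


class FakeCognitoClient:
    """Offline stand-in for boto3's cognito-idp client (constructed for this example).

    `users` are the accounts that exist; names in `fail_on` raise a generic error to
    simulate a transient failure such as throttling.
    """

    def __init__(self, users, fail_on=()):
        self.users = set(users)
        self.fail_on = set(fail_on)
        self.calls = []

    def admin_delete_user(self, UserPoolId, Username):
        self.calls.append((UserPoolId, Username))
        if Username in self.fail_on:
            raise RuntimeError("simulated transient failure")
        if Username not in self.users:
            raise UserNotFound(Username)
        self.users.remove(Username)
        return {}


def handler(event, client, not_found_exc=UserNotFound):
    """Consumer Lambda for an SQS event source.

    With boto3 you would pass boto3.client("cognito-idp") and
    client.exceptions.UserNotFoundException. Returns {"batchItemFailures": [...]}
    so only the records that failed are retried; the rest are acknowledged.
    """
    failures = []
    for record in event.get("Records", []):
        message_id = record["messageId"]
        try:
            user_id = parse_delete_message(record.get("body", ""))
        except ValueError:
            # Poison message: acknowledging it stops an endless redrive loop.
            # A real handler would log it (without the raw body) for investigation.
            continue
        try:
            client.admin_delete_user(UserPoolId=USER_POOL_ID, Username=user_id)
        except not_found_exc:
            # Idempotent: at-least-once delivery means a repeat is not an error.
            continue
        except Exception:
            failures.append({"itemIdentifier": message_id})
    return {"batchItemFailures": failures}
```

For the partial-batch response to be honoured, the SQS event source mapping on the consumer Lambda must have `ReportBatchItemFailures` in its function response types; otherwise a single failure fails the whole batch and every record is redelivered. Pair the queue with a dead-letter queue so that messages that keep failing are parked rather than retried indefinitely.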
1 Answer
Yes, that architecture sounds perfectly reasonable! It's a good practice to only keep functions in the VPC that really need access to private resources. Your 'batch-type' functions can definitely live outside the VPC, which is a smart choice since they usually need internet access.
Thanks! Most of my API functions connect to the RDS database, but it's good to know that my batch processes can run outside the VPC.