I'm working on designing a web application that will be utilizing the standard Lambda-API Gateway-Amplify setup, with authentication handled via Cognito. Until now, I've only used Lambda functions that are within a VPC, but I've heard that using non-VPC Lambdas could be beneficial due to reasons like reducing cold start issues, lower costs with fewer Elastic Network Interfaces (ENIs), and simplifying setup. However, my Lambda functions need access to some VPC-resident services that I want to keep private, like RDS and OpenSearch. I'm weighing two options:
1. Use VPC-only Lambdas and deal with potential costs, or
2. Go with public Lambdas and use IAM authentication to connect to the private resources, possibly through RDS Proxy and IAM for OpenSearch.
If I choose option 2, I'm concerned about security, service limitations, and the ease of migrating to VPC later. What do you think? Am I missing anything?
4 Answers
That’s a tricky one!
1. Switching a function to a VPC might not inherently boost security, but it gives you more control over networking which you can use to enhance security by managing outbound traffic.
2. Your main restriction would be private resources that are available only within your VPC.
3. It’s generally not that complex to switch. Just ensure your subnets and routes are prepped, and it should be a smooth transition! If you’re on versions and aliases, you can avoid downtime.
1. Using a non-VPC Lambda isn’t automatically less secure. It’s about the trade-off: you get fewer network controls but you can have strong identity-based controls like IAM.
2. You’ll only be limited to services that support IAM auth, but RDS Proxy and OpenSearch can handle it. Anything else on-prem or self-hosted would be a no-go.
3. Associating Lambdas to a VPC later isn’t super hard. Just be ready to handle security group configurations and network setups, but there can be downtime during the transition.
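As an added illustration of the IAM-auth path in option 2 (not code from this thread), this shows what an RDS Proxy IAM auth token actually is, built with the Python standard library so it runs offline; in a real Lambda you would call boto3's `rds` client `generate_db_auth_token`, which produces the same kind of SigV4-presigned `connect` request. Host, key, region and user values are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import urllib.parse

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def _signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")

def _enc(s: str) -> str:
    return urllib.parse.quote(s, safe="-_.~")  # RFC 3986 encoding SigV4 expects

def rds_iam_auth_token(host, port, db_user, region, access_key, secret_key,
                       session_token=None, amz_date=None, expires=900):
    """Return an RDS / RDS Proxy IAM auth token: a SigV4 presigned 'connect'
    request for the rds-db service with the scheme stripped. The proxy hands the
    signature to IAM, so the token replaces a static password, is bound to this
    host, port and DB user, and expires (AWS caps it at 15 minutes). RDS Proxy
    also requires TLS on IAM-authenticated connections."""
    if amz_date is None:  # UTC timestamp, format YYYYMMDDTHHMMSSZ
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (a Lambda execution role) carry one
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical = "\n".join(["GET", "/", query, f"host:{host_header}", "", "host",
                           hashlib.sha256(b"").hexdigest()])  # empty-body hash
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date, region, "rds-db"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host_header}/?{query}&X-Amz-Signature={signature}"
```

The token is passed as the database password over a TLS connection; pair it with an execution-role policy that allows `rds-db:connect` only on the proxy's resource ID and the one DB user it needs.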
Cold start issues with VPC Lambdas aren’t what they used to be. Nowadays, you shouldn't worry too much about it; the performance has improved significantly.
Some might argue that these concerns are outdated!
Yeah, the ENI issues from the past aren't a problem anymore either. Each Lambda doesn’t grab a dedicated ENI like before, so you won’t see the same bottlenecks. Things are a lot better now, so don't let old info steer you wrong!