Which is Better for Outbound Traffic from Lambda: NAT Gateway or API Gateway Proxy?

Asked By CreativeFox92 On

I'm working on an AWS project and need some advice on the best way to allow my worker Lambda to make outbound requests to a corporate webhook server that's behind a firewall. The setup is as follows: my API Gateway has a custom domain and integrates with a frontend Lambda, which puts job messages into SQS. A second Lambda processes these jobs and needs to send results to the corporate server. While inbound traffic works fine, the outbound request fails because the Lambda doesn't have a fixed public IP. I'm considering two solutions:
1. Place my worker Lambda in a VPC, use a NAT Gateway with an Elastic IP, and give that EIP to the corporate firewall. Can I attach a Route 53 custom domain to the Elastic IP for this purpose?
2. Use an API Gateway HTTP Proxy to forward the request to the webhook server. This way, I can just give them my already-whitelisted API Gateway domain.

Which option do you think is easier to manage, and are there other solutions I should consider?

5 Answers

Answered By BudgetBuilder99 On

I'd recommend option 1 too, but consider using something like fck-nat to keep costs down. That way, you can minimize your expenses with the NAT Gateway.

Answered By NetworkNerd88 On

While you can assign a DNS to your NAT IP, it doesn’t help for inbound requests since they won't reach the Lambda. Also, if you’re mostly sending requests to the corporate endpoint only, NAT should suffice. If you’re concerned about bandwidth with AWS services, look into VPC endpoints.

CreativeFox92 -

If I attach a Route 53 custom domain to the Elastic IP of the NAT Gateway, will the firewall recognize my custom domain as the source of the request? Or is it just the IP that's important?

Answered By QueryMaster On

Quick question: why do you have a Lambda in between API Gateway and SQS? You could just connect API Gateway directly to Lambda, which might simplify things.

Answered By TechGuru218 On

Check out this resource I found on generating a static outbound IP for your Lambda using a VPC: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/generate-a-static-outbound-ip-address-using-a-lambda-function-amazon-vpc-and-a-serverless-architecture.html. It could help with your setup!

Answered By WiseOwl7 On

Definitely go with option 1! API Gateway won’t work for outbound requests since it doesn’t have predictable IPs, which your corporate firewall needs to allow the traffic.
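
For option 1, the address handed to the corporate firewall is the Elastic IP of the NAT gateway that each worker Lambda subnet routes through. The sketch below is an added example, not code from any answer above: it takes data in the shape returned by boto3's `get_function_configuration`, `describe_route_tables` and `describe_nat_gateways` (function names are hypothetical and all sample values are constructed) and reports the egress IP per subnet, flagging subnets that have no NAT route.

```python
def egress_ips(subnet_ids, route_tables, nat_gateways):
    """Map each Lambda subnet to its NAT public IPs, or to a finding string."""
    nat_ips = {n["NatGatewayId"]: [a["PublicIp"] for a in n.get("NatGatewayAddresses", [])
                                   if "PublicIp" in a] for n in nat_gateways}
    def assoc(rt):
        return rt.get("Associations", [])
    main = next((rt for rt in route_tables if any(a.get("Main") for a in assoc(rt))), None)
    result = {}
    for subnet in subnet_ids:
        # An explicit association wins; otherwise the subnet uses the VPC main route table.
        rt = next((rt for rt in route_tables
                   if any(a.get("SubnetId") == subnet for a in assoc(rt))), main)
        default = next((r for r in (rt or {}).get("Routes", [])
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            result[subnet] = "NO_DEFAULT_ROUTE"
        elif "NatGatewayId" in default:
            result[subnet] = sorted(nat_ips.get(default["NatGatewayId"], []))
        elif str(default.get("GatewayId", "")).startswith("igw-"):
            # Lambda network interfaces get no public IP, so an IGW route gives no egress.
            result[subnet] = "IGW_ROUTE_NO_EGRESS"
        else:
            result[subnet] = "OTHER_TARGET"
    return result

def firewall_allowlist(result):
    """Return (/32 entries for the firewall, subnets that would fail to reach it)."""
    ips = sorted({ip for v in result.values() if isinstance(v, list) for ip in v})
    broken = sorted(s for s, v in result.items() if not isinstance(v, list) or not v)
    return [f"{ip}/32" for ip in ips], broken

# Constructed sample data in the shape of the boto3 responses (not real resources).
LAMBDA_SUBNETS = ["subnet-a", "subnet-b", "subnet-c"]  # VpcConfig.SubnetIds
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-1",
                 "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]

if __name__ == "__main__":
    print(firewall_allowlist(egress_ips(LAMBDA_SUBNETS, ROUTE_TABLES, NAT_GATEWAYS)))
```

If the Lambda is attached to subnets in several Availability Zones, each with its own NAT gateway, the allowlist contains one Elastic IP per gateway and the firewall needs all of them.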
