
I have simply made a serverless endpoint to check a token. Let's say the path is "/checktoken". I want to access it only from my IP address, which is why I connected my Lambda to a VPC (2 private subnets and a security group).

But the problem is that even though I made the security group inbound/outbound rules allow HTTPS only from my IP address, I can still request the endpoint from a different IP address.

I use AWS: CloudFront + Route 53 for DNS, Lambda + API Gateway for the endpoint.

I made an IP whitelist with a resource policy in API Gateway, which works, but it's not the solution I want.

The required solution is that the VPC's security group should allow requests only from the whitelisted IP in its rule.

3 Answers

11
Answer recommended by AWS Collective

Adding the Lambda to a VPC will not direct traffic to the Lambda through your VPC.

In fact, the Lambda is invoked through the Lambda API service endpoint, therefore inbound evaluation rules will have no effect on it at all. The purpose of a Lambda residing in a VPC is to access VPC resources.

The technical implementation is that an ENI is created in your VPC, that connects to the Lambda function in a shared AWS VPC. The Lambda is able to route out of its shared VPC to connect to resources.

When you configure your Lambda function to connect to your own VPC, it creates an elastic network interface in your VPC and then does a cross-account attachment. These network interfaces allow network access from your Lambda functions to your private resources. These Lambda functions continue to run inside of the Lambda service’s VPC and can now only access resources over the network through your VPC.

You will need to add these IP whitelists at either the CloudFront level through the use of an AWS WAF (using an IPSet), or through the API Gateway as a WAF or policy (as you mentioned above).


9 Comments

Thanks a lot, it seems I did not understand how VPC works with Lambda before. @Chris Williams
That's fine, learning is part of the journey. Let me know if you have any questions :)
And I have one more question: this API wants to add my Lambda's IP to their whitelist and respond only to my IP. If I connect my Lambda function to a VPC with an elastic IP, does it make requests with the elastic IP?
No problem glad I could help ;)
Security groups can control outbound traffic too @mygitrepo ;). They can also be used as logical references by other security groups, so your database could have an inbound rule in its security group where the source is a security group ID :)
7

that's why I connected my Lambda to a VPC (2 private subnets and a security group)

Placing a Lambda function in a VPC and giving it a security group has no effect on whether API Gateway can invoke it.

API Gateway does not use the elastic network interface (ENI) of the Lambda in the VPC to invoke it. It's done using the Lambda service endpoint.

You can use WAF to control access to your CloudFront distribution:

3 Comments

Thanks @Marcin, I will probably use API Gateway resources for the IP whitelist.
@muzafako No problem. What do you mean that you want to use API Gateway for whitelisting? You can't specify any IPs in the API Gateway. This can be done by associating WAF with API Gateway.
I meant I will add the allowed IP address in "Source VPC Whitelist" in the API Gateway resource policy.
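Both answers above point the asker away from the security group and towards an API Gateway resource policy or a WAF IPSet. The following is an added example, not code from the question or either answer, showing what such a resource policy looks like and how to check locally which source addresses it admits. The API ARN and the CIDR list are constructed placeholders; `aws:SourceIp` matches CIDR blocks, so a single address is written as a /32. The local evaluator only models the `aws:SourceIp` condition (explicit Deny wins, otherwise a matching Allow permits), which is enough to sanity-check a whitelist before deploying it.

```python
"""
Added example (not from the question or either answer): build the kind of
API Gateway resource policy the question mentions and check locally which
source IPs it would admit. The API ARN and the allowed CIDRs below are
constructed placeholders; substitute your own.
"""
import ipaddress
import json

# Constructed placeholders: replace REGION, ACCOUNT_ID and API_ID with your own.
API_ARN = "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*/GET/checktoken"
# RFC 5737 documentation ranges stand in for the asker's real address(es).
ALLOWED_CIDRS = ["203.0.113.10/32", "198.51.100.0/24"]


def build_resource_policy(api_arn: str, allowed_cidrs: list) -> dict:
    """Return a resource policy that admits execute-api:Invoke only from allowed_cidrs.

    The Allow statement grants the anonymous call from the listed ranges; the
    explicit Deny makes the restriction win over any other Allow on the API.
    """
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed entry
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": api_arn,
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
            },
        ],
    }


def _ip_in_any(source_ip: str, cidrs: list) -> bool:
    """True if source_ip falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def invoke_allowed(policy: dict, source_ip: str) -> bool:
    """Local approximation of IAM evaluation for the aws:SourceIp condition only:
    a matching explicit Deny wins; otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        matches = True
        if "IpAddress" in cond:
            matches = _ip_in_any(source_ip, cond["IpAddress"]["aws:SourceIp"])
        if "NotIpAddress" in cond:
            matches = matches and not _ip_in_any(source_ip, cond["NotIpAddress"]["aws:SourceIp"])
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_resource_policy(API_ARN, ALLOWED_CIDRS)
    print(json.dumps(policy, indent=2))
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "->", "allowed" if invoke_allowed(policy, ip) else "denied")
```

One caveat worth checking before relying on this: `aws:SourceIp` is the address of whatever connects to API Gateway. If the API sits behind CloudFront, as in the question, that is a CloudFront edge address rather than the end client, so the whitelist then belongs in a WAF IPSet on the CloudFront distribution, as the first answer says, and the resource policy should restrict the API to CloudFront instead.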
0

Try black/white listing IP addresses:

https://www.npmjs.com/package/serverless-secure

Comments
