Ref: https://learn.cantrill.io/courses/1820301/lectures/41301392

• Summary:
• Contents:

Public Lambda (Default)

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Lambda-2.png

• 🔧 Lambda runs in the public AWS NW
  • Can access public AWS services (e.g. SQS, DDB…) & public internet
  • Default → Public Lambda used in most cases
    • When it's not enough, Private Lambda can be used
• No requirement for customer VPC NWing
  • 👍 Benefit: offers best performance for Lambda
    • Runs in shared HW & NWing, nothing specific to customer
  • 👎 Con: can NOT access VPC resources, unless those resources are configured for external access
    • Reminder: external access requires assigning public IPs to resources & VPC security controls must allow external access

Private Lambda

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Lambda-3.png

• 🔧 Lambda injects ENIs in your VPC (like AWS Fargate)
  • Lambda configured to run inside a VPC, in a private subnet
• ❗ Lambdas inside a VPC obey all VPC NWing rules as any resources inside the VPC!
  • Access to other VPC resources is free as long as NACLs & SGs allow it
  • Can't access stuff outside the VPC, unless external access for VPC is configured
    • NATGW + IGW can allow access to public internet resources
    • VPCE can be configured to allow private access to S3, DDB…
  • Functions need to be given EC2 NWing permissions via execution role

Private Lambda ENI Injection - Old Way vs New Way

Old Way Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Lambda-3.png

• OLD WAY: a Lambda function injects an ENI within customer VPC
  • Traffic flows between Lambda VPC & customer VPC
  • 👎 Injecting ENI per invocation takes time → adds latency to function execution
  • 👎 Scales poorly → parallel/concurrent executions require additional ENIs → VPC performance affected heavily if lots of invocations

New Way Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Lambda-4.png

• NEW WAY: AWS analyzes all functions running in a region in an account, then builds up a set of unique combinations of SGs & subnets
  • One ENI for every unique combination of SG + subnet → if all functions use the same SG but diff subnets, then we only require one ENI per subnet
  • 👍 Scales much better → solves parallel/concurrent invocation problems! → Many invocations can use fewer/same ENIs
  • 90s initial setup to create ENIs when configuring the Lambda function
    • …but done ONCE! Done when you create function or update NWing config
    • ‼️ 👍 Delay does NOT happen on a per invocation basis! → NO invocation delay