
Lambda Function URL by CFN – Auth Type: NONE


Creating Lambda Function URL by CloudFormation (NONE version)

Lambda Function URL was released on April 22, 2022.

AWS Lambda is announcing Lambda Function URLs, a new feature that makes it easier to invoke functions through an HTTPS endpoint as a built-in capability of the AWS Lambda service.

AWS Lambda Function URLs: built-in HTTPS endpoints for your Lambda functions

In this article, we use CloudFormation to create Function URLs for Lambda functions inside and outside a VPC, with the authentication type set to NONE.

Environment

Diagram of Lambda Function URL by CloudFormation - Auth Type: NONE

Create one Lambda function each inside and outside the VPC.
Create a Function URL for each function and access it over the Internet.
The runtime environment for Lambda functions is Python 3.8.

CloudFormation template files

The above configuration is built using CloudFormation.
The CloudFormation template is located at the following URL:

awstut-fa/038 at main · awstut-an-r/awstut-fa

Explanation of key points of the template files

Lambda Function

First, check the main body of the Lambda function.

```yaml
Resources:
  Function1:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            return 'hello, from function 1.'
      FunctionName: !Sub "${Prefix}-function-01"
      Handler: !Ref Handler
      Runtime: !Ref Runtime
      Role: !GetAtt FunctionRole1.Arn

  Function2:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        ZipFile: |
          def lambda_handler(event, context):
            return 'hello, from function 2.'
      FunctionName: !Sub "${Prefix}-function-02"
      Handler: !Ref Handler
      Runtime: !Ref Runtime
      Role: !GetAtt FunctionRole2.Arn
      VpcConfig:
        SecurityGroupIds:
          - !Ref FunctionSecurityGroup
        SubnetIds:
          - !Ref FunctionSubnet
```

This is the same as a normal Lambda function.
The code to be executed is expressed inline.
For more information, please refer to the following page

Function 2 is placed in a VPC. The security group applied to it permits inbound HTTPS (443/tcp) communication.

```yaml
Resources:
  FunctionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-FunctionSecurityGroup"
      GroupDescription: Allow HTTPS.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref HTTPSPort
          ToPort: !Ref HTTPSPort
          CidrIp: 0.0.0.0/0
```

Note that the VPC and subnet where the Lambda function is placed require no Internet gateway and no route to one. Requests to a Function URL arrive through the Lambda service's own HTTPS endpoint, not through the VPC network.

```yaml
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VPCCidrBlock

  FunctionSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref CidrIp
      VpcId: !Ref VPC
      AvailabilityZone: !Sub "${AWS::Region}${AvailabilityZone}"
```

Lambda Function URL

Check the HTTPS endpoint (Function URL) that calls the function.

```yaml
Resources:
  FunctionUrl1:
    Type: AWS::Lambda::Url
    Properties:
      AuthType: NONE
      TargetFunctionArn: !GetAtt Function1.Arn

  FunctionUrl2:
    Type: AWS::Lambda::Url
    Properties:
      AuthType: NONE
      TargetFunctionArn: !GetAtt Function2.Arn
```

Create the endpoint by declaring a resource of type AWS::Lambda::Url.
Set the AuthType property to “NONE” since IAM is not used as the authentication method this time.

Permission to invoke Lambda from Function URL

With only the resources above, it is not yet possible to invoke a Lambda function over the Internet from a Function URL.
This is because the permission to invoke the Lambda functions through their Function URLs has not been set.
To solve this problem, create a Permission.

```yaml
Resources:
  FunctionUrlPermission1:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunctionUrl
      FunctionName: !GetAtt Function1.Arn
      FunctionUrlAuthType: NONE
      Principal: "*"

  FunctionUrlPermission2:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunctionUrl
      FunctionName: !GetAtt Function2.Arn
      FunctionUrlAuthType: NONE
      Principal: "*"
```

The point is to set the Action property to “lambda:InvokeFunctionUrl”.
Together with Principal "*" and FunctionUrlAuthType NONE, this authorizes any caller to invoke the Lambda function via the Function URL.
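Because the combination of an AWS::Lambda::Url with AuthType NONE and a lambda:InvokeFunctionUrl permission for Principal "*" makes a function callable by anyone on the Internet, it is worth flagging in template review. The Python check below is an added example, not code from the original template repository. It assumes the template is in CloudFormation JSON form; the sample template, the FunctionUrl3 resource, and the names target_id and audit_function_urls are constructed for illustration.

```python
import json

# Constructed sample: the page's URL and Permission resources in JSON form.
# FunctionUrl2 deliberately has no permission; FunctionUrl3 is hypothetical.
TEMPLATE = json.loads("""{"Resources": {
 "FunctionUrl1": {"Type": "AWS::Lambda::Url", "Properties": {
   "AuthType": "NONE", "TargetFunctionArn": {"Fn::GetAtt": ["Function1", "Arn"]}}},
 "FunctionUrlPermission1": {"Type": "AWS::Lambda::Permission", "Properties": {
   "Action": "lambda:InvokeFunctionUrl", "FunctionUrlAuthType": "NONE",
   "Principal": "*", "FunctionName": {"Fn::GetAtt": ["Function1", "Arn"]}}},
 "FunctionUrl2": {"Type": "AWS::Lambda::Url", "Properties": {
   "AuthType": "NONE", "TargetFunctionArn": {"Fn::GetAtt": ["Function2", "Arn"]}}},
 "FunctionUrl3": {"Type": "AWS::Lambda::Url", "Properties": {
   "AuthType": "AWS_IAM", "TargetFunctionArn": {"Ref": "Function3"}}}
}}""")

def target_id(value):
    """Return the logical ID (or literal string) a function reference names."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        att = value.get("Fn::GetAtt")
        return att[0] if isinstance(att, list) else None
    return value

def audit_function_urls(template):
    """Classify every AWS::Lambda::Url in the template by who can invoke it."""
    resources = template.get("Resources", {})
    open_targets = set()
    for res in resources.values():
        p = res.get("Properties", {})
        # A permission opens a URL to everyone only with all three settings.
        if (res.get("Type") == "AWS::Lambda::Permission"
                and p.get("Action") == "lambda:InvokeFunctionUrl"
                and p.get("Principal") == "*"
                and p.get("FunctionUrlAuthType") == "NONE"):
            open_targets.add(target_id(p.get("FunctionName")))
    open_targets.discard(None)  # unresolvable references never match
    report = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Url":
            continue
        p = res.get("Properties", {})
        if p.get("AuthType") != "NONE":
            report[name] = "iam-auth"
        elif target_id(p.get("TargetFunctionArn")) in open_targets:
            report[name] = "public"
        else:
            report[name] = "no-invoke-permission"
    return report
```

The result reflects only permissions declared in the same template; a permission attached to the function elsewhere is not seen by this check.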

Architecting

Using CloudFormation, we will build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create a CloudFormation stack.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, the main resources created this time are as follows:

  • Function URL for Lambda function 1: https://4qbav7r5hywdr7clbyayo4n7gm0exogq.lambda-url.ap-northeast-1.on.aws/
  • Function URL for Lambda Function 2: https://f4hcdqzqcllahzh7gcc7datqdm0kvahd.lambda-url.ap-northeast-1.on.aws/

The Function URL for each function can also be confirmed from the AWS Management Console.

Lambda Function URL 2
Lambda Function URL 1

The Function URL has been successfully created.

Confirmation of Operation

Now that everything is ready, access each Function URL.
First, Function 1.

Result of Lambda Function URL 2.

The response is returned normally.
As you can see, we were able to invoke a Lambda function outside the VPC through the Function URL.

Next is Function2.

Result of Lambda Function URL 1.

This one also returned a normal response.
In this way, the Lambda function inside the VPC could be invoked through the Function URL.

Summary

We used CloudFormation to create Function URLs, a new Lambda feature.
We have confirmed that Lambda functions inside and outside of a VPC can be invoked through Function URLs.
