Okay, so let's practice Lambda in VPC. So we'll author a Lambda function from scratch. Call it Lambda VPC, runtime being Python 3.8, and create this function. Also, let's go into the EC2 console, and we're going to create a security group for our Lambda functions. So I will go into the security groups UI, create a new security group, and I'll call this one Lambda SG, and we'll attach it to the VPC we have. We don't need any inbound rules or outbound rules. The idea is just to show you an SG for Lambda; the idea is just to have a security group to attach to your Lambda function once that is deployed in our VPC.

Okay. So back into our Lambda function. Now let's go into the configuration and make sure that we can deploy this within our VPC, because right now the Lambda function is within the AWS cloud and it has internet access, but it doesn't have VPC access. So for this, on the configuration, on the left-hand side, there is VPC. We can edit this and choose a VPC to attach our Lambda function to.

Now, there is a warning sign here, which says that when you connect a function to a VPC in your account, which we are doing right now, it does not have access to the internet unless you provide your VPC access, which means that it needs to be in a private subnet and you need to route the outbound traffic to that gateway in a public subnet. This is the only way of doing it. Even if right now we publish our Lambda function in three subnets, okay? And these are public subnets because they have access to the internet, as we know, the Lambda function can still not have access to the internet. It needs instead to be published, deployed into a private subnet and have a NAT gateway or NAT instance in a public subnet to route traffic to. So this is fine now, because we're not going to access the internet using a Lambda function. And when you deploy a Lambda function within the VPC, usually it is to do some local operations, for example, on your RDS database or your ElastiCache cluster. Okay.

So in terms of security group, then let's attach the Lambda SG security group we have from before, and the inbound rules and the outbound rules would be helping in terms of defining access to other services. Actually, the inbound rules would be helpless, but the outbound rules may be helpful. Okay. So let's click on save. And now we can see that this doesn't work, because the Lambda function does not have the permissions to call the create network interface on EC2. Yes, because when you create a Lambda function in a VPC, then to be able to run, it needs to have network interfaces, and now they belong to you and to your VPC. So we need to provide the Lambda function with enough permission to do so. So let's open a new tab, Configuration, Permissions, and click on the role and the permission roles. So let's attach a policy to our role, and I will just type in Lambda in here. And in there we have a Lambda ENI Management Access. So this one, and we'll attach this policy.

And so if we look into the Lambda ENI Management Access, this has all the necessary permissions, such as create network interface, delete network interface, describing, and so on, to be able to give our Lambda function the rights to exist within our VPC. So this is good to go. Now let's click on save. And our Lambda function is now deployed within our VPC. So for this, we just need to run the Lambda function and test it out. So by the way, when you create a Lambda function in the VPC, it can take a little bit of time to be updating and starting at first. This is because of a few things that should be set up by AWS, but then the performance of your Lambda function should be okay. So let's just wait for the update to be done. So this took about three minutes, but my Lambda function is now updated. And so I can just test it. So let's go to this Lambda function and click on Test. We'll create a sample event and then click on Create, now test our function. So the function has succeeded.

But the more interesting part is that if we go into the management console of EC2 and we go under Network Interfaces, as we can see here, three network interfaces have been created, and these correspond to the network interfaces of my Lambda function within my VPC. So these network interfaces, each in one different AZ, so each in one different subnet, are what allows my Lambda function to communicate with our VPC. So you can imagine having these ENIs and the security group having the necessary rules to access an RDS database or an ElastiCache cluster, for example. So fairly simple, but that's it for this demo. I hope you liked it. And I will see you in the next lecture.