1
00:00:00,300 --> 00:00:01,133
Now let's talk

2
00:00:01,133 --> 00:00:04,140
about some networking fundamentals for Lambda.

3
00:00:04,140 --> 00:00:06,570
So by default, when you launch your functions

4
00:00:06,570 --> 00:00:08,850
they're launched outside of your own VPC.

5
00:00:08,850 --> 00:00:12,390
They're actually launched in an AWS-owned VPC.

6
00:00:12,390 --> 00:00:17,250
So you do not have access to resources within your VPC.

7
00:00:17,250 --> 00:00:20,580
So if you launch an RDS database, an ElastiCache cache,

8
00:00:20,580 --> 00:00:23,130
or an internal load balancer,

9
00:00:23,130 --> 00:00:25,830
then your Lambda function will not have access to it.

10
00:00:25,830 --> 00:00:27,780
So this is the default Lambda deployment.

11
00:00:27,780 --> 00:00:30,000
It will work if it needs to access any

12
00:00:30,000 --> 00:00:32,040
public API on the internet.

13
00:00:32,040 --> 00:00:34,110
It will work if it needs to access DynamoDB,

14
00:00:34,110 --> 00:00:38,790
because DynamoDB is a public resource on the AWS cloud.

15
00:00:38,790 --> 00:00:41,040
But if you have a private RDS database,

16
00:00:41,040 --> 00:00:43,800
the connectivity will not be working.

17
00:00:43,800 --> 00:00:45,270
You know where this is getting to:

18
00:00:45,270 --> 00:00:49,470
we need to actually launch your Lambda function in your VPC.

19
00:00:49,470 --> 00:00:51,120
So this is an option you can do,

20
00:00:51,120 --> 00:00:54,180
and you need to specify, therefore, your VPC ID,

21
00:00:54,180 --> 00:00:55,620
the subnets you want to launch in,

22
00:00:55,620 --> 00:00:58,920
and attach a security group to your Lambda function.

23
00:00:58,920 --> 00:01:01,770
Then your Lambda will have an elastic network interface

24
00:01:01,770 --> 00:01:05,250
in your subnets, and therefore it will be able to

25
00:01:05,250 --> 00:01:10,230
access your Amazon RDS, for example, running in your VPC.

26
00:01:10,230 --> 00:01:12,900
So this is how we launch a Lambda function

27
00:01:12,900 --> 00:01:14,910
in your private subnets.

28
00:01:14,910 --> 00:01:16,800
And therefore you will have private connectivity

29
00:01:16,800 --> 00:01:20,460
to anything in your VPC, which is good.

30
00:01:20,460 --> 00:01:24,480
So a major use case of Lambda in a VPC

31
00:01:24,480 --> 00:01:27,990
is to use Lambda with the RDS proxy.

32
00:01:27,990 --> 00:01:32,100
So again, we have an RDS database in a private subnet,

33
00:01:32,100 --> 00:01:34,230
but we have our Lambda functions

34
00:01:34,230 --> 00:01:36,030
and they access it directly.

35
00:01:36,030 --> 00:01:36,863
But the problem is that

36
00:01:36,863 --> 00:01:39,780
if they access your RDS database directly

37
00:01:39,780 --> 00:01:41,404
it's going to be a huge problem,

38
00:01:41,404 --> 00:01:43,890
because if you have many of the functions

39
00:01:43,890 --> 00:01:46,050
appearing and disappearing over time,

40
00:01:46,050 --> 00:01:49,140
then you may have too many open connections

41
00:01:49,140 --> 00:01:51,330
under high load on your RDS database,

42
00:01:51,330 --> 00:01:54,000
and it will lead to timeouts and issues.

43
00:01:54,000 --> 00:01:58,260
So instead, what you would do is to launch an RDS proxy,

44
00:01:58,260 --> 00:02:02,550
and this proxy is going to pool connections and connect

45
00:02:02,550 --> 00:02:05,910
with fewer connections into your RDS database instance.

46
00:02:05,910 --> 00:02:08,789
So your Lambda functions now connect to the RDS proxy,

47
00:02:08,789 --> 00:02:10,919
which connects to the RDS database instance,

48
00:02:10,919 --> 00:02:13,650
and you've solved your architectural problems.

49
00:02:13,650 --> 00:02:17,130
So three benefits of the RDS proxy are that, number one,

50
00:02:17,130 --> 00:02:18,844
it improves scalability

51
00:02:18,844 --> 00:02:21,870
by pooling and sharing database connections.

52
00:02:21,870 --> 00:02:24,387
Also, in case of a failover,

53
00:02:24,387 --> 00:02:29,190
this will improve the availability by reducing by 66%

54
00:02:29,190 --> 00:02:31,710
the failover time and preserving connections.

55
00:02:31,710 --> 00:02:34,740
This is for RDS and Aurora, of course.

56
00:02:34,740 --> 00:02:37,950
And also, if you wanted to enforce IAM authentication,

57
00:02:37,950 --> 00:02:40,710
you could enforce it at the RDS proxy level

58
00:02:40,710 --> 00:02:44,580
and store these details in Secrets Manager.

59
00:02:44,580 --> 00:02:46,950
So for this to work, for the Lambda functions

60
00:02:46,950 --> 00:02:49,290
to connect to your RDS proxy,

61
00:02:49,290 --> 00:02:52,530
you need to launch your Lambda functions in your VPC,

62
00:02:52,530 --> 00:02:53,610
if that makes sense,

63
00:02:53,610 --> 00:02:56,760
because your RDS proxy is never publicly accessible.

64
00:02:56,760 --> 00:02:59,091
And therefore, if you launch your Lambda functions publicly,

65
00:02:59,091 --> 00:03:01,830
you will have no network connectivity

66
00:03:01,830 --> 00:03:04,470
to your RDS proxy, because it is never public.

67
00:03:04,470 --> 00:03:05,730
So if you understand this,

68
00:03:05,730 --> 00:03:08,400
you will be able to solve one or two questions at the exam.

69
00:03:08,400 --> 00:03:09,300
Okay, that's it.

70
00:03:09,300 --> 00:03:10,230
I hope you liked it.

71
00:03:10,230 --> 00:03:12,180
And I will see you in the next lecture.