Networking

Networking is a complex but crucial aspect of Lambda function configuration. Whether you stick with the default settings or opt for a VPC, understanding the right networking options and their implications is essential for both security and performance.

Default configuration

By default, Lambda functions are not attached to a VPC in your account. They run in a network owned by the Lambda service, can reach the internet without any traffic filtering that you control, and reach other AWS services through their public endpoints. Limited network control is typical of serverless services. While this setup is sufficient for simple, stateless functions, it may not meet the security or functional requirements of more complex applications, for the following reasons:

  • Lack of network isolation: In the default configuration, the function's network path is managed entirely by AWS; you cannot place the function in a private subnet of your own or prove to an auditor which network it runs in. For applications that handle sensitive data or must meet regulatory requirements such as HIPAA or GDPR, that lack of demonstrable isolation is a security and compliance risk.
  • Limited network access control: Without a VPC, you miss out on the granular control over network traffic that VPC settings provide, namely network access control lists (NACLs), which filter at the subnet level, and security groups, which filter at the elastic network interface (ENI) level. For Lambda the outbound rules are the ones that matter: a function never accepts inbound connections on its ENI, so a security group's egress rules are how you restrict which destinations a function may reach.
  • No private access to internal resources: Lambda functions often need to talk to databases, cache stores, or other services that live only in private subnets, such as an RDS instance or an ElastiCache cluster with no public endpoint. The default Lambda configuration provides no straightforward way to reach them privately, and exposing those resources publicly to make the function work is the wrong fix.
  • Inability to use advanced networking: Features such as VPC peering, VPN connections, and transit gateways are not available in the default configuration. These features can be essential for complex applications that require secure and efficient communication with other VPCs or on-premises networks.
  • No support for VPC endpoints: From a VPC you can create endpoints that connect privately to supported AWS services, so the traffic never leaves the AWS network, and the endpoint policy (together with resource policies keyed on the endpoint, for example an S3 bucket policy with an aws:SourceVpce condition) can limit which callers and resources are allowed. Gateway endpoints for S3 and DynamoDB also let VPC-attached functions avoid NAT gateway data-processing charges. None of this is available in the default Lambda configuration.
  • Limited monitoring and logging: CloudWatch tells you about invocations and errors, not about network traffic. VPC-attached functions use ENIs in your subnets, so VPC Flow Logs record the function's connections (source, destination, port, and whether the traffic was accepted or rejected), which you cannot obtain in the default configuration.
  • Operational complexity: As your application grows, you may find that you need to migrate your Lambda functions into a VPC to meet new requirements. This migration is not free: once attached, a function loses its default internet path and can reach the internet or public AWS endpoints only through a NAT gateway or VPC endpoints, so every external dependency, including AWS services such as Secrets Manager or S3, has to be accounted for. That is far easier to plan from the start than to retrofit later.
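The first practical question these points raise is "which of my functions are still in the default configuration, and which VPC-attached ones have a security group that does not actually restrict egress?" The following audit is an added example, not code from the original page or from AWS. It works on dictionaries shaped like the responses of boto3's `lambda.get_function_configuration()` and `ec2.describe_security_groups()`, but the function and security group data below is constructed sample input, so it runs offline with no AWS calls; the function names and group IDs are made up.

```python
"""Classify Lambda functions by network posture: default (no VPC),
VPC-attached with wide-open egress, or VPC-attached with restricted egress.

Input dicts follow the shape of boto3's get_function_configuration()
("VpcConfig" with "SubnetIds" / "SecurityGroupIds") and
describe_security_groups() ("IpPermissionsEgress"). The data here is a
constructed sample, not output from a real account.
"""
from typing import Dict, List

# Constructed sample: three functions as get_function_configuration() would describe them.
FUNCTIONS = [
    # Default configuration: an empty VpcConfig means no VPC attachment.
    {"FunctionName": "img-resize",
     "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": [], "VpcId": ""}},
    # VPC-attached, but its security group allows all outbound traffic.
    {"FunctionName": "order-api",
     "VpcConfig": {"SubnetIds": ["subnet-0a1"], "SecurityGroupIds": ["sg-open"], "VpcId": "vpc-01"}},
    # VPC-attached, egress limited to PostgreSQL on the database's security group.
    {"FunctionName": "report-gen",
     "VpcConfig": {"SubnetIds": ["subnet-0b2"], "SecurityGroupIds": ["sg-db-client"], "VpcId": "vpc-01"}},
]

# Constructed sample: security groups keyed by ID, as describe_security_groups() would return them.
SECURITY_GROUPS: Dict[str, dict] = {
    "sg-open": {"GroupId": "sg-open", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    "sg-db-client": {"GroupId": "sg-db-client", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]},
}


def is_vpc_attached(fn: dict) -> bool:
    """A function is VPC-attached only when it has subnets; an empty VpcConfig is the default."""
    return bool(fn.get("VpcConfig", {}).get("SubnetIds"))


def open_egress_rules(sg: dict) -> List[str]:
    """Describe egress rules that allow traffic to any IPv4 or IPv6 address.

    Only egress is inspected: a Lambda function never accepts inbound
    connections on its ENI, so inbound rules are irrelevant to its posture.
    """
    findings = []
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        # "-1" is how the EC2 API spells "all protocols and ports".
        scope = "all traffic" if proto == "-1" else f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}"
        for r in rule.get("IpRanges", []):
            if r.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"{scope} to 0.0.0.0/0")
        for r in rule.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == "::/0":
                findings.append(f"{scope} to ::/0")
    return findings


def audit_function(fn: dict, sgs: Dict[str, dict]) -> dict:
    """Return {"function", "posture", "findings"} for one function."""
    name = fn["FunctionName"]
    if not is_vpc_attached(fn):
        return {"function": name, "posture": "default",
                "findings": ["not in a VPC: unfiltered internet egress, no security groups, NACLs or flow logs"]}
    findings = []
    for sg_id in fn["VpcConfig"].get("SecurityGroupIds", []):
        sg = sgs.get(sg_id)
        if sg is None:
            findings.append(f"{sg_id}: security group not found")
            continue
        findings.extend(f"{sg_id}: {desc}" for desc in open_egress_rules(sg))
    # "vpc-open-egress" means the security group does not restrict egress. Whether the
    # subnet's route table actually reaches the internet (NAT gateway) is a separate check.
    posture = "vpc-open-egress" if findings else "vpc-restricted"
    return {"function": name, "posture": posture, "findings": findings}


def audit_all(functions: List[dict], sgs: Dict[str, dict]) -> Dict[str, dict]:
    """Audit every function and key the results by function name."""
    return {fn["FunctionName"]: audit_function(fn, sgs) for fn in functions}


if __name__ == "__main__":
    for name, result in audit_all(FUNCTIONS, SECURITY_GROUPS).items():
        print(f"{name}: {result['posture']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

In a real account you would feed this the paginated output of `list_functions` and `describe_security_groups`, and add a second pass over route tables and VPC endpoints, because a VPC-attached function with restricted egress can still fail at runtime if the subnet has no route to the AWS services it depends on.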
