aws · keetonian · Aug 20, 2018 · Aug 16, 2018 · Aug 16, 2018 · Aug 16, 2018
@@ -0,0 +1,55 @@
+
+# Lambda function with VPC Access
+
+This example shows you how to create a Lambda function in a VPC with the appropriate permissions using SAM. It primarily aims to demonstrate Cloudformation parameters as well as a simplified configuration made possible with SAM Policies, therefore it'll not utilise API Gateway or any other Event source and as a result only the account owner can invoke it.
+
+It is important to remember that VPC-enabled functions need NAT in order to access any public IP address (if needed) and therefore should be in a private subnet with VPC NAT Gateway and not VPC Internet Gateway.
+
+## Running the example
+
+Deploy the example into your account:
+
+```bash
+# Replace YOUR_S3_ARTIFACTS_BUCKET
+aws cloudformation package --template-file template.yaml --output-template-file template.packaged.yaml --s3-bucket YOUR_S3_ARTIFACTS_BUCKET
+
+# Replace YOUR_SECURITY_GROUP_1 and YOUR_SECURITY_GROUP_2
+# Replace YOUR_SUBNET_1 and YOUR_SUBNET_2
+## They must belong to the same VPC
+aws cloudformation deploy \
+    --template-file template.packaged.yaml \
+    --stack-name sam-example-hello-vpc \
+    --capabilities CAPABILITY_IAM \
+    --parameter-overrides SecurityGroupIds="YOUR_SECURITY_GROUP_1,YOUR_SECURITY_GROUP_2" VpcSubnetIds="YOUR_SUBNET_1,YOUR_SUBNET_2"
+```
+
+Invoke the Lambda function using Lambda Invoke API via AWS CLI:
+
+```bash
+hello_function_vpc=$(aws cloudformation describe-stacks \
+    --stack-name hello-vpc-sample \
+    --query 'Stacks[].Outputs[?OutputKey==`HelloWorldFunction`].OutputValue' \
+    --output text)
+
+aws lambda invoke --function-name $hello_function_vpc result.txt
+```
+
+If successful, you should see a similar output and the function return under ``result.txt``:
+
+```javascript
+{
+    "StatusCode": 200,
+    "ExecutedVersion": "$LATEST"
+}
+```
+```bash
+cat result.txt
+
+"Hello world!"
+```
+
+
+## Additional resources
+
+- https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
+- https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/
@@ -0,0 +1 @@
+exports.handler = async () => 'Hello world!'
@@ -0,0 +1,34 @@
+AWSTemplateFormatVersion : '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: A hello world function with VPC Access.
+
+
+Parameters: 
+  SecurityGroupIds: 
+    Type: List<AWS::EC2::SecurityGroup::Id>
+    Description: Security Group IDs that Lambda will use
+  VpcSubnetIds: 
+    Type: List<AWS::EC2::Subnet::Id>
+    Description: VPC Subnet IDs that Lambda will use (min 2 for HA)
+
+
+Resources:
+  HelloWorldFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: index.handler
+      Runtime: nodejs8.10
+      CodeUri: src/
+      Policies:
+        - VPCAccessPolicy: {} 
+        # This policy gives permission for Lambdas to create/manage ENIs
+        # SAM Policy templates you can use: https://github.com/awslabs/serverless-application-model/blob/develop/examples/2016-10-31/policy_templates/all_policy_templates.yaml
+      VpcConfig:
+        SecurityGroupIds: !Ref SecurityGroupIds
+        SubnetIds: !Ref VpcSubnetIds
+
+Outputs:
+
+    HelloWorldFunction:
+      Description: "Hello World Lambda Function ARN"
+      Value: !GetAtt HelloWorldFunction.Arn