I have created a Lambda function from scratch in the AWS console using these initialisation values:
- From scratch .NET
- Function URL enabled
- CORS enabled
- `NONE` auth selected
- Private subnet of VPC
This produced an IAM role which contained:
- AWSLambdaVPCAccessExecutionRole
- AWSLambdaBasicExecutionRole
The VPC has two public and two private subnets; however, all subnets are only associated with a local route (`10.0.0.0/16`). Looking in the `Subnet associations` tab of the route table actually shows no explicit associations, and the only implicit association is the local route table.
Why can I still invoke the Function URL of the Lambda?
In a previous post, I found it nearly impossible to make the Lambda function URL invokable.
I understand that the Function URL is always outside the VPC, but does this mean that the function can essentially be made invisible to the world other than its Function URL?
CodePudding user response:
> Why can I still invoke the Function URL of the Lambda?
Because this functionality is, like you said, outside of your VPC. Think of the function URL functionality as a standalone, serverless service akin to an API gateway (but just for Lambda functions).
Whether your VPC has internet connectivity or not is irrelevant. When you create a Lambda function, network interfaces are created; however, those are not leveraged by the function URL functionality.
> but does this mean that the function can essentially be made invisible to the world other than its Function URL?
Yes, that can be the case.
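
The point made in the answer above, as an added example that is not part of the original post or of any AWS code: whether a function URL is reachable by anyone is decided by its `AuthType` and the function's resource-based policy, not by the VPC's subnets or route tables. The function name `url_exposure` and all sample values are constructed for illustration; the input shapes follow what `aws lambda get-function-url-config` and `aws lambda get-policy` return.

```python
import json

URL_AUTH_KEY = "lambda:FunctionUrlAuthType"
URL_ACTIONS = ("lambda:InvokeFunctionUrl", "lambda:*", "*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anyone(principal):
    # "*" and {"AWS": "*"} both mean "any caller, authenticated or not"
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def url_exposure(url_config, policy_json, vpc_config=None):
    """Classify a function URL as 'public', 'review' or 'restricted'.

    vpc_config is accepted but never read: the URL endpoint lives outside
    the VPC, so subnets and routes cannot change the verdict.
    """
    if url_config.get("AuthType") != "NONE":
        return "restricted"  # AWS_IAM: callers must send SigV4-signed requests
    verdict = "restricted"   # NONE without a matching Allow is rejected
    for stmt in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _anyone(stmt.get("Principal")):
            continue
        if not any(a in URL_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        # Any condition key other than the auth-type key may narrow access
        # (source IP, org ID, ...); this sketch does not evaluate those.
        cond = stmt.get("Condition", {})
        if not [k for op in cond.values() for k in op if k != URL_AUTH_KEY]:
            return "public"
        verdict = "review"
    return verdict

# Constructed sample data modelled on the setup in the question.
SAMPLE_URL_CONFIG = {"AuthType": "NONE",
                     "FunctionUrl": "https://example-id.lambda-url.eu-west-1.on.aws/"}
SAMPLE_VPC = {"VpcId": "vpc-example", "SubnetIds": ["subnet-private-a"]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ExamplePublicUrlAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl",
    "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:example-fn",
    "Condition": {"StringEquals": {URL_AUTH_KEY: "NONE"}}}]})

if __name__ == "__main__":
    print(url_exposure(SAMPLE_URL_CONFIG, SAMPLE_POLICY, SAMPLE_VPC))
```

A `review` verdict means a wildcard principal is combined with condition keys this sketch does not evaluate, so the statement needs a manual look.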