I'm new to AWS and struggling to understand how they've laid out their components.
I'm trying to make a simple "hello world" API via lambda and control access to it. I made the lambda (no VPC) and hooked it up to an API GW, and now I have a publicly-accessible lambda. I didn't understand why the lambda was callable without being in a VPC, but I finally stumbled upon this explanation in the docs: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-internet
Cool.
So, now I'm trying to lock down access. I thought that meant adding both of these components to a VPC. So I created a VPC & subnets (no IGW, NOT publicly accessible), and put the lambda in there. Before going any further (like updating the API GW), I tested that change, and I found the lambda is still publicly accessible! Why?
The API GW doesn't have access to this VPC, and in any case, this VPC doesn't have internet access. I don't see how this lambda is publicly accessible. What's going on here?
CodePudding user response:
Check for an Internet Gateway or NAT gateway. Check the actual VPC the Lambda is connected to; sometimes having multiple can be confusing. Lastly, also check the VPC endpoint.
CodePudding user response:
API Gateway allows you to create private endpoints as well as public ones. It sounds like you want a private endpoint.
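As an added illustration of that second answer (not code from either poster): placing the Lambda in a subnet without an IGW only restricts the function's outbound traffic; invocation still arrives through the Lambda service, so the thing to lock down is the API Gateway side. A private endpoint (endpoint type PRIVATE, reached through an execute-api interface VPC endpoint) must carry a resource policy such as the one below, which denies every invoke that does not come through that endpoint. The VPC endpoint ID is a placeholder you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInvokeFromOutsideTheVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "AllowInvokeThroughTheVpcEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    }
  ]
}
```

An explicit Deny wins over the Allow, so anything not sourced from the named endpoint is rejected regardless of where the Lambda itself lives; a quick way to confirm the change took effect is to call the invoke URL from outside the VPC and verify you now get a 403 instead of the hello-world response.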