1
00:00:00,040 --> 00:00:02,630
‫Okay, so now let's talk about networking

2
00:00:02,630 --> 00:00:04,310
‫and Lambda functions.

3
00:00:04,310 --> 00:00:06,930
‫So by default, your Lambda functions are launched

4
00:00:06,930 --> 00:00:09,350
‫outside of your own VPC,

5
00:00:09,350 --> 00:00:13,800
‫so it is in another VPC that AWS owns, okay?

6
00:00:13,800 --> 00:00:16,640
‫And therefore, it cannot access resources

7
00:00:16,640 --> 00:00:18,610
‫that belong in your VPC.

8
00:00:18,610 --> 00:00:19,930
‫So what is the point in your VPC?

9
00:00:19,930 --> 00:00:21,690
‫It could be your issue to instances,

10
00:00:21,690 --> 00:00:24,100
‫RDS database, ElastiCache,

11
00:00:24,100 --> 00:00:27,660
‫or an internal elastic load balancer, these kinds of things.

12
00:00:27,660 --> 00:00:28,770
‫So by default, you will learn

13
00:00:28,770 --> 00:00:30,600
‫that Lambda deployments look like this.

14
00:00:30,600 --> 00:00:32,780
‫You have the cloud, your Lambda function,

15
00:00:32,780 --> 00:00:35,620
‫it can access any public websites, okay?

16
00:00:35,620 --> 00:00:38,090
‫We can access external APIs.

17
00:00:38,090 --> 00:00:41,750
‫And also we can access other services such as DynamoDB.

18
00:00:41,750 --> 00:00:45,300
‫But if we have our own VPC and our own private subnet

19
00:00:45,300 --> 00:00:47,890
‫and we have a private RDS within it,

20
00:00:47,890 --> 00:00:51,470
‫then Lambda cannot access RDS.

21
00:00:51,470 --> 00:00:54,380
‫So you may ask me the question, what can I do to solve it?

22
00:00:54,380 --> 00:00:56,060
‫Can I deploy my Lynda in a VPC?

23
00:00:56,060 --> 00:00:57,500
‫And of course you can.

24
00:00:57,500 --> 00:01:01,330
‫So for this, you must define your VPC ID, the subnets

25
00:01:01,330 --> 00:01:03,740
‫and you need to assign a security group

26
00:01:03,740 --> 00:01:05,180
‫to your Lambda function.

27
00:01:05,180 --> 00:01:06,150
‫And behind the scenes,

28
00:01:06,150 --> 00:01:07,900
‫the Lambda function will create an ENI.

29
00:01:07,900 --> 00:01:09,640
‫So Elastic Network Interface

30
00:01:09,640 --> 00:01:11,950
‫in the subnets that you have selected

31
00:01:11,950 --> 00:01:15,260
‫and to create this ENI, your Lambda function needs

32
00:01:15,260 --> 00:01:18,470
‫a Lambda VPC Access Execution Role.

33
00:01:18,470 --> 00:01:20,840
‫So back into our private subnet,

34
00:01:20,840 --> 00:01:23,250
‫we have our RDS security group

35
00:01:23,250 --> 00:01:27,200
‫around our Amazon RDS database in our VPC.

36
00:01:27,200 --> 00:01:28,630
‫And this Lambda function,

37
00:01:28,630 --> 00:01:30,700
‫we want to give it VPC access.

38
00:01:30,700 --> 00:01:33,170
‫Therefore once we've set it up correctly

39
00:01:33,170 --> 00:01:35,880
‫it will create an ENI, an elastic network interface,

40
00:01:35,880 --> 00:01:38,180
‫alongside the Lambda security group

41
00:01:38,180 --> 00:01:40,550
‫and to access your RDS database,

42
00:01:40,550 --> 00:01:42,930
‫Your Lambda is going to go through your ENI.

43
00:01:42,930 --> 00:01:44,490
‫You know, it's invisible, we don't see it,

44
00:01:44,490 --> 00:01:46,480
‫but this is how it happens behind the scenes.

45
00:01:46,480 --> 00:01:48,290
‫So it will go through the ENI

46
00:01:48,290 --> 00:01:50,360
‫into your Amazon RDS database.

47
00:01:50,360 --> 00:01:51,900
‫And so for this to work, we need to make sure

48
00:01:51,900 --> 00:01:55,350
‫that the RDS security group does allow network access

49
00:01:55,350 --> 00:01:57,250
‫from the Lambda security group, just like

50
00:01:57,250 --> 00:02:00,910
‫for EC2 instances and load down search, for example.

51
00:02:00,910 --> 00:02:01,743
‫Okay.

52
00:02:01,743 --> 00:02:03,700
‫So here is a caveat.

53
00:02:03,700 --> 00:02:06,400
‫What if we deploy a Lambda function in a VBC,

54
00:02:06,400 --> 00:02:09,160
‫can we access the public internet?

55
00:02:09,160 --> 00:02:11,790
‫And by default, Lambda function inside

56
00:02:11,790 --> 00:02:16,000
‫of your VPC does not have access to the internet.

57
00:02:16,000 --> 00:02:17,300
‫So you may ask me, okay.

58
00:02:17,300 --> 00:02:19,190
‫I don't want you to deploy my Lambda function

59
00:02:19,190 --> 00:02:22,620
‫inside of a private subnet.

60
00:02:22,620 --> 00:02:24,370
‫I want to deploy it in a public subnet

61
00:02:24,370 --> 00:02:25,630
‫and you told me Stefan,

62
00:02:25,630 --> 00:02:28,000
‫that public subnets have access to the internet.

63
00:02:28,000 --> 00:02:29,770
‫So that is true for EC2 instances

64
00:02:29,770 --> 00:02:32,150
‫but it is not true for Lambda functions.

65
00:02:32,150 --> 00:02:33,270
‫So deploying a Lambda function

66
00:02:33,270 --> 00:02:36,920
‫in a public subnet does not give it internet access

67
00:02:36,920 --> 00:02:38,440
‫or a public IP.

68
00:02:38,440 --> 00:02:39,670
‫And it's good to know.

69
00:02:39,670 --> 00:02:41,810
‫So the exam will definitely test you on this.

70
00:02:41,810 --> 00:02:43,470
‫So what can we do then?

71
00:02:43,470 --> 00:02:45,880
‫Well, you can deploy your Lambda function

72
00:02:45,880 --> 00:02:49,400
‫in a private subnet and to give it internet access,

73
00:02:49,400 --> 00:02:52,230
‫you would use a NAT gateway, or a NAT instance,

74
00:02:52,230 --> 00:02:54,950
‫just like we saw in the VPC primer.

75
00:02:54,950 --> 00:02:57,460
‫So we have our Lambda function in our VBC,

76
00:02:57,460 --> 00:02:59,700
‫we're in the cloud, and it is deployed

77
00:02:59,700 --> 00:03:01,760
‫in a private subnet, not a public subnet.

78
00:03:01,760 --> 00:03:05,390
‫So it's in a private subnet and we have access to RDS

79
00:03:05,390 --> 00:03:07,990
‫but to access an external API,

80
00:03:07,990 --> 00:03:10,830
‫we need to go through a public subnet with a NAT device.

81
00:03:10,830 --> 00:03:13,340
‫So a NAT gateway or NAT instance.

82
00:03:13,340 --> 00:03:15,810
‫The NAT gateway or instance will be talking

83
00:03:15,810 --> 00:03:18,290
‫to the internet gateway of our VPC

84
00:03:18,290 --> 00:03:20,050
‫and the internet gateway will give us access

85
00:03:20,050 --> 00:03:21,480
‫to the external API.

86
00:03:21,480 --> 00:03:23,120
‫So all of this is configured

87
00:03:23,120 --> 00:03:26,810
‫through your route tables and your VPC configuration, okay?

88
00:03:26,810 --> 00:03:29,540
‫Next, what if you want you to access DynamoDB,

89
00:03:29,540 --> 00:03:31,420
‫well, we can access DynamoDB either

90
00:03:31,420 --> 00:03:34,010
‫through the public route and through your internet gateway.

91
00:03:34,010 --> 00:03:37,400
‫So this would work once a NAT is put in place.

92
00:03:37,400 --> 00:03:40,260
‫Or, if you want to access DynamoDB privately,

93
00:03:40,260 --> 00:03:42,280
‫you can use VPC endpoints.

94
00:03:42,280 --> 00:03:44,060
‫And VPC endpoints, if you remember,

95
00:03:44,060 --> 00:03:47,450
‫they're used to access private AWS services

96
00:03:47,450 --> 00:03:49,300
‫privately within your cloud

97
00:03:49,300 --> 00:03:52,740
‫without access to a NAT device or an internet gateway.

98
00:03:52,740 --> 00:03:55,037
‫So we'd create a VPC endpoint for DynamoDB

99
00:03:55,037 --> 00:03:57,020
‫as the VPC endpoint gateway,

100
00:03:57,020 --> 00:03:58,430
‫and Lambda function will be talking

101
00:03:58,430 --> 00:04:00,850
‫to the end point and accessing privately

102
00:04:00,850 --> 00:04:03,970
‫your DynamoDB service, which is great.

103
00:04:03,970 --> 00:04:05,780
‫And so all of that works.

104
00:04:05,780 --> 00:04:07,970
‫So if you deploy a Lambda function

105
00:04:07,970 --> 00:04:11,580
‫in a private subnet, note that your CloudWatch Logs work

106
00:04:11,580 --> 00:04:14,200
‫even if you have no end points or NAT gateway.

107
00:04:14,200 --> 00:04:17,080
‫CloudWatch Logs is something that functions no matter what.

108
00:04:17,080 --> 00:04:19,210
‫Okay, so that's it for the theory,

109
00:04:19,210 --> 00:04:20,760
‫Now let's go into the hands-on.