Profile Applicability:

  • Level 1

Description:

AWS Lambda functions can be deployed inside a VPC (Virtual Private Cloud) to enable them to access private resources such as databases, caches, and other services that reside in private subnets. When deploying Lambda functions inside a VPC, it is crucial to ensure that these functions are deployed across multiple Availability Zones (AZs) to achieve high availability, fault tolerance, and redundancy.

Deploying Lambda functions across multiple AZs ensures that they can continue to operate if one AZ experiences an outage, providing better resilience and reducing the risk of service disruption.

Rationale:

  • High Availability: When the function's VpcConfig lists subnets in more than one AZ, Lambda can create network interfaces and run invocations in any of them, so the function stays invocable if one AZ becomes unavailable.

  • Fault Tolerance: If an AZ fails or is degraded, invocations continue through the subnets in the remaining AZs, reducing the risk of downtime.

  • Scalability: Lambda scales concurrency across all configured subnets; spreading those subnets over several AZs spreads network-interface and IP-address consumption, giving more predictable capacity during demand spikes.

  • Disaster Recovery: A function attached to subnets in several AZs keeps operating during an AZ outage without manual reconfiguration.

Impact:

Pros:

  • Improved Fault Tolerance: Lambda functions can operate across multiple AZs, ensuring service continuity in case of failure in one AZ.

  • Higher Availability: Helps reduce the risk of service disruptions by ensuring that Lambda functions are highly available.

  • Elastic Scaling: Lambda automatically scales to meet demand, and by utilizing multiple AZs, the system can handle more traffic with greater reliability.

  • Business Continuity: Ensures that critical Lambda functions continue to function even in case of AZ outages or disruptions.

Cons:

  • Configuration Complexity: Each AZ needs a private subnet with free IP address space and a working egress path (NAT gateway or VPC endpoints), which adds to network and security configuration.

  • Cost: Traffic between the function and a resource in a different AZ is billed as cross-AZ data transfer, and a private subnet in each AZ typically needs its own NAT gateway or VPC endpoint for egress.

Default Value:

By default, a Lambda function is not attached to a VPC at all; it runs in the Lambda-managed network and cannot reach resources in private subnets. When VPC access is configured, the function runs only in the subnets listed in its VpcConfig, and Lambda does not add subnets in other Availability Zones on its own. A function configured with a single subnet, or with several subnets that all sit in one AZ, is therefore single-AZ until its configuration is changed.

Pre-requisite:

  • AWS IAM Permissions (for the operator running the checks and changes):

    • lambda:GetFunctionConfiguration

    • lambda:UpdateFunctionConfiguration

    • ec2:DescribeSubnets

    • ec2:DescribeAvailabilityZones

    • ec2:DescribeSecurityGroups and ec2:DescribeVpcs (Lambda requires these when a VPC configuration is updated)

  • The function's execution role must allow Lambda to manage its network interfaces (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DeleteNetworkInterface, as granted by the AWSLambdaVPCAccessExecutionRole managed policy).

  • AWS CLI installed and configured.

  • A VPC with a private subnet in each of at least two Availability Zones, with enough free IP addresses in each subnet for the network interfaces Lambda creates there.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Lambda under Services.

  3. In the Lambda Dashboard, select the Lambda function you want to review.

  4. Under the Configuration tab, go to VPC and check the subnets where the Lambda function is deployed.

  5. Ensure that the Lambda function is associated with subnets in multiple Availability Zones.

    • If only one AZ is listed under the subnet section, you will need to modify the VPC configuration to deploy Lambda across multiple AZs.

Using AWS CLI:

To check if a Lambda function is deployed across multiple AZs, run:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'
  1. The SubnetIds list names subnets only; it does not show their Availability Zones. Resolve each subnet ID to its AZ (the ec2 describe-subnets API reports AvailabilityZone for each subnet) and confirm that at least two distinct AZs appear. An empty SubnetIds list means the function is not attached to a VPC, so this recommendation does not apply to it.

  2. If all listed subnets are in one AZ, update the function's VPC configuration to include at least one private subnet from each additional AZ (see Implementation Steps).
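The check above needs two CLI calls, because VpcConfig carries subnet IDs but not their Availability Zones. The following script is an added example, not part of the original benchmark text: it keeps the audit logic in pure functions that can be exercised on constructed JSON, and only shells out to the real `aws` CLI when run as a script with a function name. The sample VpcConfig and describe-subnets output are constructed for illustration; the subnet and AZ names in them are not real account data.

```python
"""Audit a Lambda function's VpcConfig for Availability Zone spread.

Pure functions take the JSON objects the AWS CLI returns, so they can be
tested offline. The __main__ block calls `aws lambda get-function-configuration`
and `aws ec2 describe-subnets` for a real function name.
"""
import json
import subprocess
import sys
from typing import Dict, List


def subnet_az_map(describe_subnets_output: dict) -> Dict[str, str]:
    """Map SubnetId -> AvailabilityZone from `aws ec2 describe-subnets` JSON."""
    return {s["SubnetId"]: s["AvailabilityZone"]
            for s in describe_subnets_output["Subnets"]}


def az_coverage(vpc_config: dict, az_of: Dict[str, str]) -> List[str]:
    """Sorted distinct AZs covered by the function's subnets.

    vpc_config is the VpcConfig object from get-function-configuration.
    A subnet that cannot be resolved (deleted, or in another account) is an
    error rather than silently ignored, since it cannot count toward coverage.
    """
    subnet_ids = vpc_config.get("SubnetIds") or []
    unknown = [s for s in subnet_ids if s not in az_of]
    if unknown:
        raise ValueError(f"subnets not found: {unknown}")
    return sorted({az_of[s] for s in subnet_ids})


def audit(vpc_config: dict, az_of: Dict[str, str]) -> str:
    """Classify the function as NOT_IN_VPC, SINGLE_AZ or MULTI_AZ."""
    if not vpc_config.get("SubnetIds"):
        return "NOT_IN_VPC"  # recommendation does not apply
    return "MULTI_AZ" if len(az_coverage(vpc_config, az_of)) >= 2 else "SINGLE_AZ"


# Constructed sample data (not output from a real account): two subnets in
# the same AZ are attached, a third subnet in another AZ is available.
SAMPLE_VPC_CONFIG = {"VpcId": "vpc-0", "SubnetIds": ["subnet-0a", "subnet-0b"],
                     "SecurityGroupIds": ["sg-0x"]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0"},
    {"SubnetId": "subnet-0b", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0"},
    {"SubnetId": "subnet-0c", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0"},
]}


def _aws(*args: str) -> dict:
    """Run an AWS CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


if __name__ == "__main__":
    fn = sys.argv[1]
    cfg = _aws("lambda", "get-function-configuration",
               "--function-name", fn, "--query", "VpcConfig") or {}
    if cfg.get("SubnetIds"):
        az_of = subnet_az_map(_aws("ec2", "describe-subnets",
                                   "--subnet-ids", *cfg["SubnetIds"]))
        print(fn, audit(cfg, az_of), az_coverage(cfg, az_of))
    else:
        print(fn, "NOT_IN_VPC")
```

Run as `python audit_lambda_az.py <function-name>`; a result of SINGLE_AZ is the finding this recommendation is about, while NOT_IN_VPC functions are out of scope and MULTI_AZ functions pass.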

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS Lambda.

  2. In the Lambda Dashboard, select the Lambda function you want to modify.

  3. Under the Configuration tab, choose VPC and click Edit.

  4. Select subnets in at least two Availability Zones.

    • Choose at least one private subnet from each AZ you want the function to run in.

  5. Configure Security Groups for the Lambda function to control access between the Lambda function and other resources in the VPC.

  6. Click Save to apply the changes.

Using AWS CLI:

To attach the function to subnets in multiple AZs, pass the full subnet and security-group lists in a single --vpc-config value (the shorthand syntax carries both; there is no separate --security-group-ids flag on this command). The subnet IDs must belong to different Availability Zones:

aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-id-1>,<subnet-id-2>,SecurityGroupIds=<security-group-id>

Verify the update by checking the VpcConfig section:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'
  1. Confirm that the Lambda function is deployed in subnets in multiple Availability Zones.

Backout Plan:

Before changing the function, record its current VPC configuration so the change can be reversed exactly:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'

Console Process

  1. Open the AWS Lambda console and select the function.

  2. Under the Configuration tab, choose VPC and click Edit.

  3. Re-select only the subnets and security groups recorded before the change, then click Save.

CLI Process

  1. Re-run the update-function-configuration command from the Implementation Steps, passing the recorded SubnetIds and SecurityGroupIds in --vpc-config.

  2. Confirm the restored values:

aws lambda get-function-configuration --function-name <function-name> --query 'VpcConfig'

Rolling back returns the function to its previous single-AZ (or no-VPC) configuration and therefore re-introduces the availability risk this recommendation addresses.
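Choosing the subnet list for the update command and keeping the rollback command ready are the two halves of the CLI remediation and backout above. The script below is an added example, not part of the original benchmark text: from the recorded VpcConfig and the VPC's describe-subnets output it picks one private subnet per Availability Zone, keeps any subnet the function already uses, and renders both the apply and the rollback --vpc-config shorthand. It treats a subnet whose MapPublicIpOnLaunch is false as private, which is a heuristic (whether a subnet is really private depends on its route table). The function name, subnet IDs and security group in the sample data are constructed; nothing here calls AWS.

```python
"""Plan a multi-AZ subnet set for a VPC-attached Lambda function, plus the
matching backout, as AWS CLI --vpc-config shorthand strings.

Inputs are the JSON objects the AWS CLI returns for
`aws lambda get-function-configuration --query VpcConfig` and
`aws ec2 describe-subnets`.
"""
from typing import Dict, List


def private_subnets_by_az(describe_subnets_output: dict, vpc_id: str) -> Dict[str, List[str]]:
    """Group subnet IDs in vpc_id by AZ, skipping subnets that auto-assign
    public IPs. Heuristic: MapPublicIpOnLaunch=false is taken as 'private'."""
    by_az: Dict[str, List[str]] = {}
    for s in describe_subnets_output["Subnets"]:
        if s["VpcId"] != vpc_id or s.get("MapPublicIpOnLaunch", False):
            continue
        by_az.setdefault(s["AvailabilityZone"], []).append(s["SubnetId"])
    return by_az


def choose_multi_az_subnets(current: dict, describe_subnets_output: dict) -> List[str]:
    """One private subnet per AZ, preferring subnets already attached so the
    change is minimal. Fails if the VPC cannot provide two AZs at all."""
    by_az = private_subnets_by_az(describe_subnets_output, current["VpcId"])
    if len(by_az) < 2:
        raise ValueError("VPC has private subnets in fewer than two AZs; add subnets first")
    keep = set(current.get("SubnetIds") or [])
    chosen = []
    for az in sorted(by_az):
        already = [s for s in by_az[az] if s in keep]
        chosen.append(already[0] if already else sorted(by_az[az])[0])
    return chosen


def vpc_config_shorthand(subnet_ids: List[str], sg_ids: List[str]) -> str:
    """Render the value for `--vpc-config` in the CLI's shorthand syntax."""
    return f"SubnetIds={','.join(subnet_ids)},SecurityGroupIds={','.join(sg_ids)}"


def plan(function_name: str, saved: dict, describe_subnets_output: dict) -> Dict[str, str]:
    """Return the apply command and the rollback command that restores `saved`."""
    sgs = saved["SecurityGroupIds"]
    new_subnets = choose_multi_az_subnets(saved, describe_subnets_output)
    base = (f"aws lambda update-function-configuration "
            f"--function-name {function_name} --vpc-config ")
    return {
        "apply": base + vpc_config_shorthand(new_subnets, sgs),
        "rollback": base + vpc_config_shorthand(saved["SubnetIds"], sgs),
    }


# Constructed sample data (not from a real account): the function currently
# sits in one private subnet in us-east-1a; the VPC also has a public subnet
# in 1a, a second private subnet in 1a, and a private subnet in 1b. A subnet
# from an unrelated VPC is included to show it is ignored.
SAVED_VPC_CONFIG = {"VpcId": "vpc-0", "SubnetIds": ["subnet-priv-1a"],
                    "SecurityGroupIds": ["sg-lambda"]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-pub-1a", "VpcId": "vpc-0", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv-1a", "VpcId": "vpc-0", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-1a2", "VpcId": "vpc-0", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-1b", "VpcId": "vpc-0", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-priv-other", "VpcId": "vpc-9", "AvailabilityZone": "us-east-1c", "MapPublicIpOnLaunch": False},
]}

if __name__ == "__main__":
    for name, cmd in plan("my-fn", SAVED_VPC_CONFIG, SAMPLE_SUBNETS).items():
        print(f"{name}: {cmd}")
```

Save the rollback command alongside the change ticket before running the apply command; because the rollback string is generated from the recorded VpcConfig rather than typed by hand, the backout restores exactly the previous subnet and security-group set.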

Note:

  • Subnet Considerations: Lambda creates network interfaces in every subnet you attach, so each subnet needs enough free IP addresses for the function's expected concurrency. A private subnet in each AZ also needs its own route to a NAT gateway or VPC endpoints if the function must reach anything outside the VPC.

  • Security Group Rules: Security groups are VPC-wide, not AZ-specific, so no per-AZ rules are needed for the function itself. Do confirm that the security groups on the resources the function reaches (databases, caches, other services) allow inbound traffic from the function's security group, since the function's traffic can now originate from any of the attached subnets.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |