Using Lambda in shared internet gateway for siloed tenants

I have a Lambda function that I want to provide access to using a siloed tenant model (i.e. no shared resources so one Lambda instance per tenant) as we have quite strict data compliance requirements.

I need to have a static IP address for my Lambda function in order to access external SFTP servers and I followed Generate a static outbound IP address using a Lambda function, Amazon VPC, and a serverless architecture - AWS Prescriptive Guidance to set it up.

My question is: Do I need to create a new private/public subnet for every Lambda instance I have in order to maintain my tenant isolation? Or are there any resources of that setup that can be shared?

If you want each Lambda function to have a different public IP address, you would need:

• A separate private subnet and Route Table
• A separate Lambda function
• A separate NAT Gateway

It might be possible to launch multiple NAT Gateways in the same public subnet, but I haven't tried it myself. There is no cost for a public subnet itself, so you might want to use separate public subnets to match the private subnets. They could all be quite small (eg /28 = 16 addresses).

Each private subnet would have a different Route Table that points to a different NAT Gateway.

Please note that NAT Gateways are charged at $0.045c/hour, so it would have a cost of ~$400/year per NAT Gateway, plus traffic charges.