Using Lambda in shared internet gateway for siloed tenants
Question
I have a Lambda function that I want to provide access to using a siloed tenant model (i.e. no shared resources so one Lambda instance per tenant) as we have quite strict data compliance requirements.
I need to have a static IP address for my Lambda function in order to access external SFTP servers and I followed "Generate a static outbound IP address using a Lambda function, Amazon VPC, and a serverless architecture" (AWS Prescriptive Guidance) to set it up.
My question is: Do I need to create a new private/public subnet for every Lambda instance I have in order to maintain my tenant isolation? Or are there any resources of that setup that can be shared?
Answer 1
Score: 1
If you want each Lambda function to have a different public IP address, you would need:
- A separate private subnet and Route Table
- A separate Lambda function
- A separate NAT Gateway
It might be possible to launch multiple NAT Gateways in the same public subnet, but I haven't tried it myself. There is no cost for a public subnet itself, so you might want to use separate public subnets to match the private subnets. They could all be quite small (eg /28 = 16 addresses).
Each private subnet would have a different Route Table that points to a different NAT Gateway.
Please note that NAT Gateways are charged at $0.045c/hour, so it would have a cost of ~$400/year per NAT Gateway, plus traffic charges.
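The layout the answer describes (one private subnet, one route table, one NAT Gateway, one public subnet and one Lambda function per tenant) is easy to get subtly wrong once there are more than a couple of tenants, so here is an added planning script that is not part of the answer or of the AWS guidance document. It carves /28 subnets out of a VPC CIDR for a list of tenants, checks that no tenant shares any egress-path resource with another, estimates the fixed NAT Gateway cost from the $0.045/hour figure quoted above, and emits the matching CloudFormation resources. The tenant names, the VPC CIDR and the helper names are constructed for the example; the CloudFormation resource types and properties are standard AWS ones, but the public subnets' route to the VPC's internet gateway and the Lambda function definition itself are left out.

```python
"""Plan and verify per-tenant NAT Gateway egress slices (added example, not from the post).

Assumptions: tenant names and the VPC CIDR passed to plan_tenants() are sample
values; NAT_GW_HOURLY_USD is the per-hour figure quoted in the answer.
"""
import ipaddress
import json

NAT_GW_HOURLY_USD = 0.045    # NAT Gateway hourly price quoted in the answer
HOURS_PER_YEAR = 24 * 365
SUBNET_PREFIX = 28           # /28 = 16 addresses, the size suggested in the answer


def plan_tenants(vpc_cidr, tenants, prefix=SUBNET_PREFIX):
    """Carve one private and one public /<prefix> out of vpc_cidr per tenant.

    Each tenant gets its own private subnet, route table, NAT Gateway, public
    subnet and Lambda function, so nothing on the egress path is shared."""
    pool = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix))
    if len(pool) < 2 * len(tenants):
        raise ValueError(f"{vpc_cidr} yields {len(pool)} /{prefix} subnets; "
                         f"{len(tenants)} tenants need {2 * len(tenants)}")
    plan = {}
    for i, tenant in enumerate(tenants):
        plan[tenant] = {
            "private_subnet": str(pool[2 * i]),      # Lambda ENIs live here
            "public_subnet": str(pool[2 * i + 1]),   # NAT Gateway lives here
            "route_table": f"rt-{tenant}",
            "nat_gateway": f"natgw-{tenant}",
            "lambda_function": f"fn-{tenant}",
        }
    return plan


def isolation_violations(plan):
    """Return a list of resources two tenants would share (or overlapping
    CIDRs). An empty list means the siloed model holds for this plan."""
    violations = []
    seen = {}   # (role, name) -> first tenant that claimed it
    for tenant, s in plan.items():
        for role in ("route_table", "nat_gateway", "lambda_function"):
            key = (role, s[role])
            if key in seen:
                violations.append(f"{role} {s[role]} shared by {seen[key]} and {tenant}")
            else:
                seen[key] = tenant
    cidrs = [(t, ipaddress.ip_network(s[k])) for t, s in plan.items()
             for k in ("private_subnet", "public_subnet")]
    for i, (t1, n1) in enumerate(cidrs):
        for t2, n2 in cidrs[i + 1:]:
            if n1.overlaps(n2):   # covers identical subnets as well
                violations.append(f"CIDR {n1} ({t1}) overlaps {n2} ({t2})")
    return violations


def annual_nat_cost_usd(plan, hourly=NAT_GW_HOURLY_USD):
    """Fixed yearly NAT Gateway cost for the plan; traffic charges excluded."""
    gateways = {s["nat_gateway"] for s in plan.values()}
    return round(len(gateways) * hourly * HOURS_PER_YEAR, 2)


def to_cloudformation(plan, vpc_ref="VpcId"):
    """Emit the per-tenant egress resources as a CloudFormation template dict.

    Omitted on purpose: the public subnets' route table with a default route to
    the VPC's internet gateway, and the Lambda function (whose VpcConfig would
    reference <Tenant>PrivateSubnet)."""
    res = {}
    for tenant, s in plan.items():
        t = "".join(c for c in tenant if c.isalnum()).capitalize()  # logical-id safe
        res[f"{t}PrivateSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": vpc_ref}, "CidrBlock": s["private_subnet"]}}
        res[f"{t}PublicSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": vpc_ref}, "CidrBlock": s["public_subnet"]}}
        res[f"{t}Eip"] = {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}}
        res[f"{t}NatGateway"] = {"Type": "AWS::EC2::NatGateway", "Properties": {
            "SubnetId": {"Ref": f"{t}PublicSubnet"},
            "AllocationId": {"Fn::GetAtt": [f"{t}Eip", "AllocationId"]}}}
        res[f"{t}RouteTable"] = {"Type": "AWS::EC2::RouteTable",
                                 "Properties": {"VpcId": {"Ref": vpc_ref}}}
        res[f"{t}DefaultRoute"] = {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": {"Ref": f"{t}RouteTable"},
            "DestinationCidrBlock": "0.0.0.0/0",
            "NatGatewayId": {"Ref": f"{t}NatGateway"}}}
        res[f"{t}PrivateAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                   "Properties": {"SubnetId": {"Ref": f"{t}PrivateSubnet"},
                                                  "RouteTableId": {"Ref": f"{t}RouteTable"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Parameters": {vpc_ref: {"Type": "AWS::EC2::VPC::Id"}},
            "Resources": res}


if __name__ == "__main__":
    plan = plan_tenants("10.0.0.0/24", ["acme", "globex", "initech"])  # constructed sample
    print("violations:", isolation_violations(plan))
    print("fixed NAT cost per year: $", annual_nat_cost_usd(plan))
    print(json.dumps(to_cloudformation(plan), indent=2))
```

Running `isolation_violations()` against whatever your IaC actually produces (for instance by loading the stack's resources into the same dict shape) is the check that matters for the compliance argument: the moment two tenants' private subnets resolve to the same route table or NAT Gateway, their outbound traffic shares a public IP and the silo is gone. The cost function reproduces the answer's back-of-the-envelope figure (three gateways come to roughly $1,180 a year before traffic charges), which is the number to weigh against the isolation requirement before deciding how many tenants to onboard.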