HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Consul
Consul Home

Invoke Lambda Functions from Mesh Services

This topic describes how to invoke AWS Lambda functions from the Consul service mesh.

Overview

You can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from service mesh proxies.

Terminating Gateway

We recommend invoking Lambda functions through terminating gateways. This method supports cross-datacenter communication, transparent proxies, intentions, and all other Consul service mesh features.

The terminating gateway must have the appropriate IAM permissions to invoke the function.

The following diagram shows the invocation procedure:

Terminating Gateway to Lambda
  1. Make an HTTP request to the local service mesh proxy.
  2. The service mesh proxy forwards the request to the terminating gateway.
  3. The terminating gateway invokes the function.

Service Mesh Proxy

You can invoke Lambda functions directly from a service's mesh sidecar proxy. This method has the following limitations:

  • Intentions are unsupported. Consul enforces intentions by validating the client certificates presented when a connection is received. Lambda does not support client certificate validation, which prevents Consul from supporting intentions using this method.
  • Transparent proxies are unsupported. This is because Lambda services are not registered to a proxy.

This method is secure because AWS IAM permissions is required to invoke Lambda functions. Additionally, all communication is encrypted with Amazon TLS when invoking Lambda resources.

The Envoy sidecar proxy must have the correct AWS IAM credentials to invoke the function. You can define the credentials in environment variables, EC2 metadata, or ECS task metadata.

The following diagram shows the invocation procedure:

Service Mesh Proxy to Lambda
  1. Make an HTTP request to the local service mesh proxy.
  2. The service mesh proxy invokes the Lambda.

Invoke a Lambda Function

Before you can invoke a Lambda function, register the service used to invoke the Lambda function and the service running in Lambda with Consul (refer to registration for instructions). The service used to invoke the function must be deployed to the service mesh.

  1. Update the invoking service to use the Lambda service as an upstream. In the following example, the destination_name for the invoking service (api) points to a Lambda service called authentication:
    upstreams {
  local_bind_port = 2345
  destination_name = "authentication"
}
  2. Issue the consul services register command to store the configuration:
     $ consul services register api-sidecar-proxy.hcl
  3. Call the upstream service to invoke the Lambda function. In the following example, the api service invokes the authentication service at localhost:2345:
     $ curl https://localhost:2345
Edit this page on GitHub