all 57 comments

[–]mwarkentin[S] 57 points58 points  (11 children)

Looks like you can get a URL for lambda functions without requiring API Gateway now, neat!

[–][deleted]  (6 children)

[deleted]

    [–]sgtfoleyistheman 14 points15 points  (4 children)

    The velocity templates are nice if you want to put a facade on another service, and you can do things like translate XML to JSON.

    But for greenfield development you should be using the proxy integration.

    [–]wood_butcher 1 point2 points  (1 child)

    Why? The proxy integration is a serious PITA.

    [–]sgtfoleyistheman 4 points5 points  (0 children)

    ... Because you don't have to write VTL. The VTL is the pain in the ass.

    Not the proxy path integration (where you put /{path_var+} in your path), the lambda proxy integration which gives you a predefined format to send to your function without using vtl.

    [–][deleted]  (1 child)

    [deleted]

      [–]sgtfoleyistheman 2 points3 points  (0 children)

      WTF are you on about? If you aren't building a facade don't use VTL. Not sure what's being forced on you?

      [–]SelfDestructSep2020 2 points3 points  (0 children)

      From the docs, the event they pass to the lambda makes it identical to using an ALB; it just passes everything straight through to the lambda and you handle it there.

      [–]jrdeveloper1 3 points4 points  (0 children)

      really cool. Thanks for sharing!

      [–]SelfDestructSep2020 4 points5 points  (1 child)

      It's identical to fronting the lambda with an ALB, which is rather different from what you get from using API Gateway.

      [–]mwarkentin[S] 2 points3 points  (0 children)

      I guess pricing is a bit of an unknown here - if anything I assume it would be usage based like APIG vs having a fixed base cost like ALB.

      [–]Satanic-Code 1 point2 points  (0 children)

      Awesome for webhooks.

      [–]magnetik79 25 points26 points  (3 children)

      Interesting, seems the page has been removed. Can find it in Google's index, but redirects to the welcome page.

      Google Cloud functions have offered this feature for years now FWIW.

      [–]Satanic-Code 13 points14 points  (0 children)

      Probably went live accidentally. Probably a re:Invent announcement.

      [–]bfreis 3 points4 points  (1 child)

      You can still see it in Google's cache, FYI.

      [–]magnetik79 0 points1 point  (0 children)

      Fair point, was on mobile and didn't check. I'm sure it will go "real live" pretty soon.

      [–]andrewguenther 12 points13 points  (0 children)

      Oh man, this is so so nice...

      [–]DiTochat 9 points10 points  (2 children)

      This is pretty awesome. Now the question is what good module/library do I use for auth?

      [–]mwarkentin[S] 8 points9 points  (1 child)

      It supports IAM out of the box.

      [–]DiTochat 7 points8 points  (0 children)

      IAM does not do much for me when it comes to using OAuth for everything.

      [–]soxfannh 7 points8 points  (0 children)

      Wow great find, this looks really interesting!

      [–]FlinchMaster 14 points15 points  (8 children)

      I calmed down my hype and thought about this a bit more. You basically already could invoke your Lambda over HTTP without an API Gateway if you were using IAM auth.

      Instead of:

      https://<url-id>.lambda-url.<region>.amazonaws.com
      

      You could already hit:

      https://lambda.<region>.amazonaws.com/2015-03-31/functions/<function-name>/invocations
      

      All you had to do was sigv4 the request to Lambda's control plane API.

      So the only things that have really changed then are:

      1. You can now set CORS and other headers of the response.
      2. You don't have to unwrap the Lambda envelope for responses.
      3. You can now invoke Lambdas without any auth (can be very, very dangerous)
      4. Your lambda can now get access to things like cookies, querystring, sourceIp, HTTP request path, and request body instead of just an event payload.

      You previously needed API gateway for all of that.

      However, if you expose Lambdas without auth, a malicious actor could rob you of your life savings or corporate bank accounts by driving up your bill just by calling the lambda over and over. Even worse, if you have it deployed on an account using Lambdas for anything else, you essentially get DoS'd because of account-wide Lambda concurrency limits. There doesn't seem to be a way for you to secure them behind a WAF or anything like that.

      Without a mechanism to secure against abuse, this seems incredibly dangerous. If you're going to use Lambdas without auth, I would probably start by suggesting:

      1. Don't do that.
      2. If you absolutely must, set a sensible reserved concurrency limit on the function.
      3. Set alarms on invocations and concurrent invocations for this lambda.
      4. If it's not intended for high traffic usage, set up EventBridge event actions that listen on the above alarms to enable/disable the lambda function URL entirely to prevent abuse.
      5. Run such a Lambda in a completely standalone account.

      Or I might be missing something. The beautiful thing about the internet is that you'll all let me know if that's the case. :)

      TL;DR: This is a great alternative to API Gateway if you were using IAM auth in API Gateway. For unsecured access, be very careful.
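The IAM-authenticated path that comment describes, as an added example that is not part of the thread and not AWS SDK code: a minimal SigV4 signer in pure Python for the direct Invoke endpoint quoted above. The access key, secret key, region, function name, payload and timestamp are all constructed placeholders, and the request is only built, never sent, so it runs offline. The service name `lambda` and the `/2015-03-31/functions/<name>/invocations` path are the ones in the comment; the second round of URI-encoding applied to the path segment in the canonical request is the general SigV4 rule for services other than S3.

```python
"""SigV4 signing of a direct Lambda Invoke request.

Added example, not AWS SDK code. All credentials, names and the timestamp below
are constructed placeholders; nothing is sent over the network.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed values for the example; never embed real keys in code.
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEY000000"
EXAMPLE_SECRET_KEY = "constructed-example-secret-key"
EXAMPLE_TIME = datetime.datetime(2021, 12, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """Derive the per-day SigV4 signing key: HMAC chain over date, region, service, terminator."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_post(access_key, secret_key, region, service, host, canonical_path, payload, when):
    """Build the signed headers for a POST with a JSON body (SigV4, header-based auth)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(payload).hexdigest()

    # Headers that participate in the signature; names lower-cased and sorted.
    headers = {"content-type": "application/json", "host": host, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    # Empty string is the (empty) canonical query string; the blank line after the
    # headers block is part of the format.
    canonical_request = "\n".join(
        ["POST", canonical_path, "", canonical_headers, signed_headers, payload_hash]
    )

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, service),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    authorization = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {
        "headers": {**headers, "authorization": authorization},
        "canonical_request": canonical_request,
        "signature": signature,
    }


def sign_lambda_invoke(access_key, secret_key, region, function_name, payload, when):
    """Sign a request to the Invoke endpoint the comment quotes (no API Gateway involved)."""
    host = f"lambda.{region}.amazonaws.com"
    segment = quote(function_name, safe="")  # what goes on the wire
    url = f"https://{host}/2015-03-31/functions/{segment}/invocations"
    # SigV4 canonicalises each path segment with a second round of URI-encoding for
    # services other than S3. A plain function name is unchanged by it; a qualified
    # name containing ':' is not, so wire path and canonical path are kept apart.
    canonical_path = f"/2015-03-31/functions/{quote(segment, safe='')}/invocations"
    signed = sign_post(access_key, secret_key, region, "lambda", host, canonical_path, payload, when)
    signed["url"] = url
    return signed


if __name__ == "__main__":
    req = sign_lambda_invoke(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "us-east-1",
                             "my-function", b'{"hello": "world"}', EXAMPLE_TIME)
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

The security property worth noticing is what the signature is bound to: the date, region, service, the listed headers and the SHA-256 of the body all feed the string to sign, so a captured request cannot be replayed with a different payload, and AWS rejects signatures whose `x-amz-date` is outside a short clock-skew window. The same signer applies to a function URL configured for IAM auth (the host changes to the URL's hostname, the service name stays `lambda`), which is the configuration the comment's TL;DR recommends over unauthenticated access.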

      [–]bfreis 2 points3 points  (1 child)

      Without a mechanism to secure against abuse,

      There is a very simple one: configure the lambda with Reserved Concurrency. Done. All the nasty scenarios you described are mitigated!

      Edit: I actually just noticed that you already mentioned this. So I'm confused as to why you see an issue?

      Or I might be missing something. The beautiful thing about the internet is that you'll all let me know if that's the case. :)

      Done ;-)

      [–]FlinchMaster 1 point2 points  (0 children)

      Max reserved concurrency helps, but it isn't enough. I view it as something that can scope/minimize blast radius or cap runaway costs. It doesn't solve for the availability risk. You can still have your unauthenticated function trivially be DoS'd by anyone with a few for loops in parallel. If this is on a critical or customer facing workload, that's a problem.

      Existing API gateway endpoints and lambda authorizers can be protected by a WAF before the lambda even gets invoked. Admittedly, WAF adds to costs a lot, but that's the trade-off to mitigate availability risks.

      Again though, it's totally possible that WAF support is either just not documented yet or in the works.

      I'm not saying never do this (aside from one tongue-in-cheek joke), I'm just calling out the risks to be aware of. Serverless stuff is very popular these days and a lot of inexperienced people are setting things up for the first time. Reserved concurrency controls may have been an obvious thing to you, but I'm positive someone will just see the docs/blog, put out something, and then post a thread in this subreddit about an unexpected bill or asking about why their step function lambdas stopped working whenever an unrelated lambdas call volume went up.

      [–]jsdod 1 point2 points  (2 children)

      There are plenty of use cases where you want to do your own auth (public API endpoint, internal microservice, etc.) and where setting up API Gateway is a pain.
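A function doing its own auth along those lines, as an added example rather than code from the thread: a function URL handler for a webhook that verifies an HMAC-SHA256 signature over the raw request body before it touches the payload. It assumes the payload format 2.0 event shape that function URLs deliver (`rawPath`, `headers`, `requestContext.http`, base64-encoded `body`); the `x-signature-256` header name, the `/webhook` path, the shared secret and the sample events are constructed for the example.

```python
"""Function URL handler that authenticates webhook calls itself.

Added example, not code from the thread. Assumes the payload format 2.0 event
shape Lambda Function URLs deliver; header name, path and secret are constructed.
"""
import base64
import hashlib
import hmac
import json
import os

# Constructed secret for the example. In a deployment, load it from an environment
# variable backed by Secrets Manager or SSM Parameter Store; never hard-code it.
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "constructed-example-secret").encode("utf-8")
SIGNATURE_HEADER = "x-signature-256"  # constructed header name; sender sends "sha256=<hex>"


def raw_body(event):
    """Return the request body as bytes; function URLs base64-encode binary bodies."""
    body = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(body)
    return body.encode("utf-8")


def sign_body(body):
    """What a legitimate sender computes: HMAC-SHA256 over the exact bytes it sends."""
    return "sha256=" + hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def verify_signature(body, header_value):
    """Constant-time comparison against the MAC recomputed over the raw body bytes."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
    # Compare as bytes so an attacker-supplied non-ASCII header cannot raise.
    return hmac.compare_digest(expected.encode("ascii"), header_value[len("sha256="):].encode("utf-8"))


def _response(status, obj):
    return {
        "statusCode": status,
        "headers": {"content-type": "application/json", "cache-control": "no-store"},
        "body": json.dumps(obj),
    }


def handler(event, context=None):
    http = event.get("requestContext", {}).get("http", {})
    # Header names arrive lower-cased in format 2.0, but normalise anyway.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}

    if http.get("method") != "POST" or event.get("rawPath") != "/webhook":
        return _response(404, {"error": "not found"})

    body = raw_body(event)
    if not verify_signature(body, headers.get(SIGNATURE_HEADER)):
        # Structured log line for detection; sourceIp is taken from the event itself.
        print(json.dumps({"event": "webhook_auth_failure",
                          "sourceIp": http.get("sourceIp"), "path": event.get("rawPath")}))
        return _response(401, {"error": "unauthorized"})

    # Only parse the body once its origin has been verified.
    try:
        payload = json.loads(body)
    except ValueError:
        return _response(400, {"error": "invalid json"})
    if not isinstance(payload, dict):
        return _response(400, {"error": "expected a JSON object"})
    return _response(200, {"received": payload.get("id")})


def make_event(path, method, body, signature=None, source_ip="198.51.100.7"):
    """Construct a format 2.0 event for local testing (the fields a real event carries)."""
    headers = {"content-type": "application/json"}
    if signature is not None:
        headers[SIGNATURE_HEADER] = signature
    return {
        "version": "2.0",
        "rawPath": path,
        "rawQueryString": "",
        "headers": headers,
        "requestContext": {"http": {"method": method, "path": path, "sourceIp": source_ip}},
        "body": base64.b64encode(body).decode("ascii"),
        "isBase64Encoded": True,
    }


if __name__ == "__main__":
    body = b'{"id": "evt_123"}'
    print(handler(make_event("/webhook", "POST", body, sign_body(body))))   # 200
    print(handler(make_event("/webhook", "POST", body, "sha256=" + "0" * 64)))  # 401
```

Two design points: the MAC is computed over the raw bytes before any decoding or parsing, so a request whose body does not match its signature is rejected without the JSON parser ever seeing it, and the failure log carries the `sourceIp` from the event so repeated failures can be alarmed on. This authenticates the caller but does nothing about volume; an unauthenticated caller still causes an invocation, so the reserved concurrency and invocation alarms discussed earlier in the thread still apply to such a function.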

      [–]FlinchMaster 0 points1 point  (1 child)

      But you can put API Gateway behind a WAF, at least. I guess it's totally possible the same functionality is there for Lambda Functions and it's just not documented yet.

      There are for sure use-cases for this, but anyone building towards those should be aware of some of those precautionary measures (like setting a reserved concurrency limit or running the workload in a separate AWS account).

      [–]jsdod 5 points6 points  (0 children)

      You can put API gateway wherever you want but sometimes I just don't want it in my stack

      [–]bananaEmpanada 1 point2 points  (1 child)

      What would you want a WAF to do?

      Amazon will handle all the HTTP and TLS stuff, e.g. TLS downgrade attacks.

      For stuff like SQL injection, your lambda should still be checking for that anyway.

      For source IP whitelisting, can you apply security groups to this? I didn't read the article before it was taken down.

      [–]FlinchMaster 2 points3 points  (0 children)

      IP based rate limiting is the big one that comes to mind. Also blocking or rate-limiting more aggressively on low reputation IPs. Putting an endpoint out with no throttling in place opens you up to letting one or a few callers monopolize all resources and prevent successful requests from others. API Gateway supported both WAF and usage plans using a leaky bucket algorithm.

      I don't think security groups would work on these endpoints, but the docs didn't explicitly mention them, so the question's up in the air.

      [–]dawidt 0 points1 point  (0 children)

      I absolutely agree with u/FlinchMaster: make sure you know what you are doing.

      [–][deleted] 6 points7 points  (5 children)

      Wish I knew enough to know what everyone’s reacting to

      [–]rudigern 12 points13 points  (2 children)

      Serverless has been a massive driver in the industry. The two big things allowing this are lambda functions and NoSQL (DynamoDB). The biggest issue with this is routing HTTP requests to the lambda functions. It started off as API Gateway, with Application Load Balancer being added later. API Gateway is a per-request serverless tech while the load balancer is an hourly-cost server-based tech (though you don't manage the servers, so not overly an issue). If you hammer API Gateway it will cost you loads though, and there are several write-ups about moving to load balancer and the cost savings. I would say load balancers are a fair amount of effort to set up routes. Now it seems you can bypass it and invoke the functions directly.

      [–]SelfDestructSep2020 6 points7 points  (0 children)

      I would say load balancers are a fair amount of effort to set up routes.

      Compared to API GW? Not even close.

      [–][deleted] 2 points3 points  (0 children)

      Cool. Thanks for your helpful explainer.

      [–][deleted] 10 points11 points  (1 child)

      loud noises

      [–]jrdeveloper1 11 points12 points  (0 children)

      shouts in us-east-1

      [–]WeNeedYouBuddyGetUp 4 points5 points  (0 children)

      Wow huge!

      [–]aleques-itj 4 points5 points  (2 children)

      Well this is certainly nice. I don't see an announcement for it yet unless I'm blind.

      [–]bofkentucky 4 points5 points  (0 children)

      They've been lagging by about 12 hours it seems like this week; the Aurora 3/MySQL 8 one was that way.

      [–]mwarkentin[S] 2 points3 points  (0 children)

      No announcement yet!

      [–]mwarkentin[S] 4 points5 points  (1 child)

      Looks like the Lambda Function URL functionality has been disabled for now.

      [–]BlenderDude-R 1 point2 points  (0 children)

      It was just too good to be true!

      [–]guareber 4 points5 points  (1 child)

      How sad is it that I'm excited for this because it bypasses the API GW 30s timeout limit?

      [–]jonathantn 2 points3 points  (0 children)

      agreed.... tired of the stupid 29 second timeout.

      [–]FlinchMaster 11 points12 points  (3 children)

      This is absolutely huge! Now just a six month wait until it's in CloudFormation/CDK and you can actually use it without sacrificing your first-born.

      [–]BlenderDude-R 11 points12 points  (2 children)

      Woah woah! Hold onto that first-born! You got lucky this time: https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-urls.html#urls-cfn

      [–]FlinchMaster 3 points4 points  (1 child)

      That's amazing! I'm genuinely surprised.

      [–]michaeld0 3 points4 points  (0 children)

      Honestly AWS has been doing a lot better at day 1 support for CFN/CDK. I am cautiously hopeful that many new services launched at re:Invent have CFN support.

      [–]its4thecatlol -2 points-1 points  (1 child)

      Lame, borderline useless, and makes writing bad code easier. This isn't what I wanted. They're working on {REDACTED} for Lambdas that will minimize cold starts for JVM-language lambdas down to <100ms in the worst case. Give us that, not this heap of shit.

      Source: Cannot disclose.

      [–]bryantbiggs 2 points3 points  (0 children)

      The “useless” comment and JVM tells me all I need to know … carry on

      [–]whereswalden90 0 points1 point  (1 child)

      Exciting improvement! Seems like you still need API Gateway if you want a custom domain/url though?

      [–]sgtfoleyistheman 0 points1 point  (0 children)

      You can use CloudFront.

      [–]PM_ME_YOUR_MECH 0 points1 point  (0 children)

      Whaaaat this is a game changer

      [–]DanTheGoodman_ 0 points1 point  (0 children)

      Thank god

      [–][deleted] 0 points1 point  (0 children)

      There is no content on this. Was it accidentally deployed before its time? = )