What triggers ENIs to be created for AWS Lambdas accessing VPC resources


Question

We have multiple lambdas deployed with access to our VPC using the VpcConfig setting.

I understand that AWS Lambda normally creates lambdas on demand, but if you have them connecting to your VPC then AWS will (at some point) create an ENI on one of the subnets specified in the VpcConfig and attach the lambda container to allow it access to your VPC.

But what actually triggers the ENI to be created and attached? I've noticed that there is not a 1-to-1 mapping between lambdas and ENIs, nor between ENIs and subnets. Also what decides which subnet the ENI attaches to?

If I run a test lambda (to ping localhost) manually, configured for our VPC, it never creates an ENI. So I'm guessing this is because it is not trying to access anything on the network.

Answer

This requires an understanding of Lambda containers and container reuse. When a Lambda function is first invoked a Lambda container is created and the Lambda function is deployed into the container. That container will be assigned an ENI if you have the function configured with VPC settings. Then the next time you invoke the function, if the container still exists with the function deployed, and isn't currently in use by another invocation, it will re-use that container (so no need to create a new ENI). If the container is busy handling another invocation then a second container will be deployed with a new ENI to handle the pending invocation. When a container is idle for a period of time then the Lambda service will automatically delete the container and the attached ENI.

Also what decides which subnet the ENI attaches to?

When you configured the Lambda function for VPC access you were required to list one or more subnets in the VPC that it would be deployed to. I don't believe the actual algorithm has been published by Amazon but it appears to use a round-robin algorithm to spread container creation out between the configured subnets. For practical purposes you could consider it to "randomly" pick a subnet every time it creates a new Lambda container. I assume it will also check that there are available IP addresses in the subnet, or fail over to another subnet if it has issues obtaining an IP for the new ENI in a given subnet, but again, I'm not aware of that being documented anywhere.
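An added example, not part of the question or answer above, of the audit a practitioner would run after reading this: given the plain dict shapes that boto3's ec2.describe_network_interfaces() and ec2.describe_subnets() return, it picks out the ENIs Lambda created, groups them by function and by subnet (showing that neither mapping is 1-to-1), and flags subnets that are running low on free addresses, which is the failure mode the answer guesses at. It assumes Lambda's ENI description format "AWS Lambda VPC ENI-<function>-<uuid>"; the function names, ENI/subnet IDs and the 16-address threshold are constructed sample values. One caveat: Lambda's VPC networking was reworked in late 2019 so that ENIs are provisioned per subnet/security-group combination when the function is created or updated and shared across execution environments, so a real account will usually show far fewer ENIs than the per-container model described above; the subnet head-room check is useful either way.

```python
"""Audit the ENIs Lambda has created in a VPC and the address head-room per subnet.

Runs offline on constructed sample data shaped like the boto3 responses. To run
it against a real account, replace the samples with, for example:
    ec2 = boto3.client("ec2")
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": ["AWS Lambda VPC ENI*"]}])
    subnets = ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
"""
import re
from collections import Counter, defaultdict

# Prefix Lambda puts on the ENIs it creates; the "-<function>-<uuid>" suffix is
# an assumption about the description format, not something the answer states.
LAMBDA_ENI_PREFIX = "AWS Lambda VPC ENI"
_DESC_RE = re.compile(
    r"^AWS Lambda VPC ENI-(.+)-"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

# Constructed sample: two functions, two subnets, one unrelated ENI to ignore.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa", "SubnetId": "subnet-a", "Status": "in-use",
         "Description": "AWS Lambda VPC ENI-order-api-1f2e3d4c-5b6a-4798-8c9d-0e1f2a3b4c5d"},
        {"NetworkInterfaceId": "eni-0bbb", "SubnetId": "subnet-b", "Status": "in-use",
         "Description": "AWS Lambda VPC ENI-order-api-2a3b4c5d-6e7f-4081-92a3-b4c5d6e7f8a9"},
        {"NetworkInterfaceId": "eni-0ccc", "SubnetId": "subnet-a", "Status": "in-use",
         "Description": "AWS Lambda VPC ENI-report-worker-3b4c5d6e-7f80-4192-a3b4-c5d6e7f8a9b0"},
        {"NetworkInterfaceId": "eni-0ddd", "SubnetId": "subnet-a", "Status": "in-use",
         "Description": "Primary network interface"},
    ]
}
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-a", "CidrBlock": "10.0.1.0/28", "AvailableIpAddressCount": 9},
        {"SubnetId": "subnet-b", "CidrBlock": "10.0.2.0/24", "AvailableIpAddressCount": 250},
    ]
}


def lambda_enis(enis_response):
    """Return only the interfaces whose description marks them as Lambda-created."""
    return [eni for eni in enis_response["NetworkInterfaces"]
            if eni.get("Description", "").startswith(LAMBDA_ENI_PREFIX)]


def function_name_from_description(description):
    """Extract the function name from a Lambda ENI description, or None if it does not match."""
    match = _DESC_RE.match(description)
    return match.group(1) if match else None


def enis_by_function(enis_response):
    """Map function name -> list of (eni_id, subnet_id); several ENIs per function is normal."""
    grouped = defaultdict(list)
    for eni in lambda_enis(enis_response):
        name = function_name_from_description(eni["Description"])
        grouped[name].append((eni["NetworkInterfaceId"], eni["SubnetId"]))
    return dict(grouped)


def enis_by_subnet(enis_response):
    """Count Lambda ENIs per subnet; shows how the service spread them out."""
    return Counter(eni["SubnetId"] for eni in lambda_enis(enis_response))


def subnet_headroom(subnets_response, enis_response, warn_below=16):
    """Per subnet: Lambda ENI count, free addresses, and a low-capacity flag.

    Each new Lambda ENI consumes one address, so a small subnet in the
    VpcConfig list can run dry under concurrency. The threshold is arbitrary.
    """
    per_subnet = enis_by_subnet(enis_response)
    report = {}
    for subnet in subnets_response["Subnets"]:
        sid = subnet["SubnetId"]
        available = subnet["AvailableIpAddressCount"]
        report[sid] = {
            "cidr": subnet["CidrBlock"],
            "lambda_enis": per_subnet.get(sid, 0),
            "available_ips": available,
            "low": available < warn_below,
        }
    return report


if __name__ == "__main__":
    for name, enis in enis_by_function(SAMPLE_ENIS).items():
        print(f"{name}: {len(enis)} ENI(s) -> {enis}")
    for sid, info in subnet_headroom(SAMPLE_SUBNETS, SAMPLE_ENIS).items():
        flag = "LOW" if info["low"] else "ok"
        print(f"{sid} {info['cidr']}: {info['lambda_enis']} Lambda ENI(s), "
              f"{info['available_ips']} free addresses [{flag}]")
```

With the sample data, order-api shows two ENIs in two different subnets while subnet-a carries ENIs from two different functions, and the /28 subnet is flagged because only 9 addresses remain.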
