VPC and networking

Note

Terraform code: terraform-aws-lambda-managed-instance. This lab uses examples/waf-loki and the shared modules/vpc module (the same networking building block described in that repository’s own docs).

Progress checklist

• Companion repo cloned and examples/waf-loki reachable
• aws_region and availability_zones aligned in tfvars or variables
• terraform init and terraform plan run without errors
• terraform apply completed (or you understand what the plan will create)
• Optional: VPC and subnets visible in the EC2 console

Overview

Lambda Managed Instances run managed EC2 EC2
Elastic Compute Cloud — the AWS virtual machine service that underpins Lambda Managed Instances. capacity in your VPC VPC
Virtual Private Cloud — an isolated, private network in AWS where your Lambda Managed Instances and related resources run. . In this repository, modules/vpc builds a small, repeatable layout: public SUBNET SUBNET
Subnet — a segment of a VPC CIDR block in a single Availability Zone; Lambda Managed Instances run in private subnets. s for an IGW IGW
Internet Gateway — the VPC attachment that enables public subnets to communicate with the internet. and a NAT NAT
NAT Gateway — allows instances in private subnets to reach the internet without being directly reachable from it. gateway, private subnets for workloads, and route tables so private IPv4 egress goes through NAT. The walkthrough example also defines aws_security_group.lmi: a SG SG
Security Group — a stateful virtual firewall that controls inbound and outbound traffic for EC2 and Lambda instances. attached to the CAPACITY-PROVIDER CAPACITY-PROVIDER
Lambda Capacity Provider — an EC2-backed compute resource pool (subnets, security groups, operator role) that Lambda Managed Instances functions run on instead of shared Lambda infrastructure. so ENIs can reach the Lambda control plane and CloudWatch Logs (egress allowed in the example).

For why you might choose public subnets, endpoints, or NAT in production, read VPC connectivity for Lambda Managed Instances. For placement (subnets and security groups as the provider boundary), see Placement & capacity.

Caution

capacity_provider_config cannot be added or removed after the function is first created. Plan your function configuration before the first terraform apply that creates the Lambda. See Publishing & activation.

Repository layout

• Directoryexamples/waf-loki/ - main.tf - variables.tf - function/ - … - modules/vpc/ - main.tf

  • …
• variables.tf - …

Traffic path

AWS resources and traffic flow for the default layout modules/vpc provisions (used by examples/waf-loki):

Private subnets have no path from the internet inbound by default; outbound IPv4 uses the NAT gateway in a public subnet. The capacity provider places ENIs in the private subnets you pass from this VPC.

1. Finish prerequisites. Required

   Complete Git (clone the Terraform repo), Terraform, and What else — especially one region and matching Availability Zones for every resource.

2. Open the walkthrough example directory.

   cd terraform-aws-lambda-managed-instance/examples/waf-loki

3. Configure region and networks (optional).

   cp terraform.tfvars.example terraform.tfvars

   Edit terraform.tfvars or rely on defaults. Keep aws_region and availability_zones consistent — for example ap-southeast-2 with ap-southeast-2a, ap-southeast-2b, and ap-southeast-2c. The example defaults to 10.0.0.0/16, with public subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and private subnets 10.0.101.0/24, 10.0.102.0/24, 10.0.103.0/24 (one public/private pair per AZ). If you run more than one stack in the same account, choose non-overlapping vpc_cidr and subnet lists. Confirm Lambda Managed Instances is available in your chosen region.

4. Install providers and review the plan.

   terraform init
   terraform plan

   In the plan, expect a VPC VPC
   Virtual Private Cloud — an isolated, private network in AWS where your Lambda Managed Instances and related resources run. , three public and three private subnets across three Availability Zones, an internet gateway, one NAT gateway (default single_nat_gateway in modules/vpc), route tables (public 0.0.0.0/0 → IGW; private → NAT), the LMI security group (egress-only to 0.0.0.0/0 in the example), plus IAM, CloudWatch log group, capacity provider, and Lambda from modules/lambda_managed_instance.

5. Apply.

   terraform apply

   First apply can take several minutes while capacity and the published function version become active.

6. Sanity-check in the console (optional).

   In VPC and EC2 → Subnets, confirm CIDRs and route tables match the plan. After traffic exists, managed instances may show service tags such as aws:lambda:capacity-provider — those are applied by AWS, not by your tags block in Terraform.

See also

Networking fundamentals IGW, NAT, and VPC endpoints — choosing a connectivity pattern.

Placement & capacity Subnets and security groups as the capacity provider boundary.

Tenancy & isolation Trust boundaries and VPC posture for LMI.