VPC and networking
Overview
Lambda Managed Instances run managed EC2 capacity inside your VPC, an isolated private network in your AWS account. In this repository, modules/vpc builds a small, repeatable layout: public subnets that host an internet gateway (IGW) and a NAT gateway, private subnets for the workloads (one subnet per Availability Zone, which is where the managed instances run), and route tables so private IPv4 egress goes out through the NAT gateway while nothing on the internet can initiate a connection to those instances. The walkthrough example also defines aws_security_group.lmi, a stateful security group attached to the capacity provider (the EC2-backed pool of subnets, security groups, and operator role that the function runs on instead of shared Lambda infrastructure) so its ENIs can reach the Lambda control plane and CloudWatch Logs; in the example the group has egress rules only and no inbound rules.
For why you might choose public subnets, endpoints, or NAT in production, read VPC connectivity for Lambda Managed Instances. For placement (subnets and security groups as the provider boundary), see Placement & capacity.
Repository layout
examples/waf-loki/
  main.tf
  variables.tf
  function/
    …
modules/vpc/
  main.tf
  …
  variables.tf
  …
Traffic path
AWS resources and traffic flow for the default layout that modules/vpc provisions (used by examples/waf-loki):
Private subnets have no inbound path from the internet by default; outbound IPv4 traffic leaves through the NAT gateway in a public subnet, whose route table sends 0.0.0.0/0 to the internet gateway. The capacity provider places its ENIs in the private subnets you pass from this VPC, so the managed instances never get a public IP and are reachable only from inside the VPC as permitted by the security group.
1. Finish the prerequisites (required).
Complete the Git (clone the Terraform repo), Terraform, and What else prerequisites, in particular using one region and matching Availability Zones for every resource.

2. Open the walkthrough example directory.
cd terraform-aws-lambda-managed-instance/examples/waf-loki

3. Configure region and networks (optional).
cp terraform.tfvars.example terraform.tfvars
Edit terraform.tfvars or rely on the defaults. Keep aws_region and availability_zones consistent, for example ap-southeast-2 with ap-southeast-2a, ap-southeast-2b, and ap-southeast-2c. The example defaults to 10.0.0.0/16, with public subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and private subnets 10.0.101.0/24, 10.0.102.0/24, 10.0.103.0/24 (one public/private pair per AZ). If you run more than one stack in the same account, choose non-overlapping vpc_cidr and subnet lists; VPCs with overlapping CIDRs cannot later be peered or routed to each other. Confirm Lambda Managed Instances is available in your chosen region.

4. Install providers and review the plan.
terraform init
terraform plan
In the plan, expect a VPC, three public and three private subnets across three Availability Zones, an internet gateway, one NAT gateway (the default single_nat_gateway in modules/vpc, which means all three private subnets depend on one AZ for egress), route tables (public 0.0.0.0/0 to the IGW; private 0.0.0.0/0 to the NAT gateway), the LMI security group (egress-only to 0.0.0.0/0 in the example), plus the IAM resources, CloudWatch log group, capacity provider, and Lambda function from modules/lambda_managed_instance.

5. Apply.
terraform apply
The first apply can take several minutes while the capacity and the published function version become active.

6. Sanity-check in the console (optional).
In VPC → Subnets and EC2, confirm that the CIDRs and route tables match the plan. After traffic exists, managed instances may show service tags such as aws:lambda:capacity-provider; those are applied by AWS, not by the tags block in your Terraform.
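Most of the mistakes step 3 warns about (an AZ from another region, subnets outside or overlapping vpc_cidr, a missing public/private pair, a NAT gateway that is not in a public subnet) only surface as a failed apply or as instances with no egress. The script below checks those inputs offline before terraform plan. It is an added example and is not code from the terraform-aws-lambda-managed-instance repository: the VpcPlan class, check_plan, stacks_overlap and the default-route fields are hypothetical names chosen here, and the two inputs are constructed copies of the example defaults (one correct, one deliberately broken).

```python
"""Offline sanity check for the VPC inputs used by examples/waf-loki.

Added example; not part of the repository. VpcPlan, check_plan and
stacks_overlap are hypothetical helpers written for this page.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List


@dataclass
class VpcPlan:
    """Hypothetical view of terraform.tfvars plus the route-table intent."""
    aws_region: str
    availability_zones: List[str]
    vpc_cidr: str
    public_subnets: List[str]
    private_subnets: List[str]
    nat_gateway_subnet: str            # CIDR of the subnet hosting the NAT gateway
    public_default_route: str = "igw"  # 0.0.0.0/0 target for the public route table
    private_default_route: str = "nat"  # 0.0.0.0/0 target for the private route table


def az_matches_region(az: str, region: str) -> bool:
    """'ap-southeast-2a' belongs to 'ap-southeast-2': region prefix plus one letter."""
    return az.startswith(region) and len(az) == len(region) + 1 and az[-1].isalpha()


def check_plan(plan: VpcPlan) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is sane."""
    problems: List[str] = []
    azs = plan.availability_zones

    # Region / AZ consistency: every AZ must live in aws_region and be unique.
    if len(set(azs)) != len(azs):
        problems.append("availability_zones contains duplicates")
    for az in azs:
        if not az_matches_region(az, plan.aws_region):
            problems.append(f"{az} is not an Availability Zone of {plan.aws_region}")

    # The layout is one public/private pair per AZ.
    if not (len(plan.public_subnets) == len(plan.private_subnets) == len(azs)):
        problems.append("need exactly one public and one private subnet per AZ")

    try:
        vpc = ipaddress.ip_network(plan.vpc_cidr)  # strict: rejects host bits
    except ValueError:
        return problems + [f"vpc_cidr {plan.vpc_cidr} is not a valid CIDR"]

    # Every subnet must be a valid CIDR, inside the VPC, and disjoint from the others.
    nets = []
    tiers = [("public", c) for c in plan.public_subnets] + \
            [("private", c) for c in plan.private_subnets]
    for tier, cidr in tiers:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError:
            problems.append(f"{tier} subnet {cidr} is not a valid CIDR")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{tier} subnet {cidr} is outside {plan.vpc_cidr}")
        nets.append((tier, net))
    for (t1, n1), (t2, n2) in combinations(nets, 2):
        if n1.overlaps(n2):
            problems.append(f"{t1} subnet {n1} overlaps {t2} subnet {n2}")

    # Routing intent from the Traffic path section: public -> IGW, private -> NAT,
    # and the NAT gateway itself must sit in a public subnet to have a path out.
    if plan.public_default_route != "igw":
        problems.append("public route table must send 0.0.0.0/0 to the internet gateway")
    if plan.private_default_route != "nat":
        problems.append("private route table must send 0.0.0.0/0 to the NAT gateway")
    if plan.nat_gateway_subnet not in plan.public_subnets:
        problems.append(f"NAT gateway subnet {plan.nat_gateway_subnet} is not a public subnet")
    return problems


def stacks_overlap(a: VpcPlan, b: VpcPlan) -> bool:
    """True when two stacks in one account use overlapping VPC CIDRs (they could not be peered)."""
    return ipaddress.ip_network(a.vpc_cidr).overlaps(ipaddress.ip_network(b.vpc_cidr))


# Constructed input: the example defaults from step 3.
EXAMPLE_DEFAULTS = VpcPlan(
    aws_region="ap-southeast-2",
    availability_zones=["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"],
    vpc_cidr="10.0.0.0/16",
    public_subnets=["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    private_subnets=["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"],
    nat_gateway_subnet="10.0.1.0/24",
)

# Constructed input with four mistakes: a foreign AZ, a private subnet that reuses a
# public CIDR, a private subnet outside the VPC, and a NAT gateway in a private subnet.
BROKEN = VpcPlan(
    aws_region="ap-southeast-2",
    availability_zones=["ap-southeast-2a", "ap-southeast-2b", "us-east-1c"],
    vpc_cidr="10.0.0.0/16",
    public_subnets=["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    private_subnets=["10.0.1.0/24", "10.0.102.0/24", "192.168.0.0/24"],
    nat_gateway_subnet="10.0.102.0/24",
)

if __name__ == "__main__":
    for name, plan in (("defaults", EXAMPLE_DEFAULTS), ("broken", BROKEN)):
        print(name, check_plan(plan) or "OK")
```

Run it before terraform plan whenever you change terraform.tfvars; an empty list for your values means the region/AZ, CIDR and routing expectations in steps 3 and 4 hold. It does not talk to AWS, so it cannot confirm that Lambda Managed Instances is available in the region; check that separately as step 3 says.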