Hacker News

NAT gateways are one of the things that blindsided me on the whole "serverless" idea for hobby projects. To have a Lambda function with access to the outside world and your private network resources, your $0.01/month function becomes a $35/month+ expense if you don't want to manage your own t2 NAT instance (and required patches, upgrades, scaling, monitoring, etc.).

See https://forums.aws.amazon.com/thread.jspa?threadID=234959



There are a bunch of microcharges like this that pop up, but reading your thread, are you sure AWS is right for your application? You essentially can't afford it and want a free tier and near-free access? That seems a bit unrealistic. Maybe Lambda isn't the right solution?


Lambda isn't the problem here, the private network (subnet) is. Basically, default to a public subnet with security groups configured for your incoming connections.

If you really want / need the airgapping that private subnets provide, you'd better be willing to pay for them, and that makes sense to me personally - outside of PCI DSS or HIPAA compliance (or similar) I don't see any reason to use private subnets. That won't apply to a personal project.


There's another gotcha, though: Lambdas seem to default to being inside the VPC, which triggers the NAT Gateway cost if you want to do anything useful with them. You'll need to explicitly remember to host the Lambdas outside the VPC.


You may consider using a NAT instance on EC2: a micro instance which can also serve as your bastion host.

Or if you are a true extreme penny pincher -- have your Lambda function invoke the AWS API to set up a NAT Gateway and update the subnet route, then execute your business function and then clean up the NAT.


Huh? I can't make out if this is sarcasm... are you suggesting opening the firewall from the inside for each request, finishing the request and then closing the firewall? For starters, what would happen if request 1 closed the firewall while request 2 was still working?


Yeah, exactly!


A VPC with a public subnet that's locked down largely via security groups is probably fine for a project that can't justify a $35/month spend.

edit: Apparently not. See below, my mistake.


It's counterintuitive, but attaching a VPC Lambda to a public VPC subnet will not give it access to the internet.

See: https://docs.aws.amazon.com/lambda/latest/dg/vpc.html#vpc-in...
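The rule behind the comment above (a VPC-attached Lambda's ENI never gets a public IP, so an internet-gateway route cannot carry its traffic; only a default route to a NAT gateway or NAT instance can), plus the blackholed route that the "create a NAT per request, then tear it down" idea earlier in the thread would leave behind, as an added example that is not part of the thread. It works on route-table records in the shape boto3's `describe_route_tables` returns; the VPC, subnet and gateway IDs are constructed for the example, and the classification of the default route's target is my own, not an AWS API.

```python
"""Decide whether a Lambda attached to a given subnet will have internet egress.

Added example, not code from the thread. Input is a list of route tables in the
shape of ec2.describe_route_tables()["RouteTables"], trimmed to the fields used.
"""
from typing import Optional, Tuple

# Constructed sample data: IDs are made up, layout mirrors the boto3 response.
SAMPLE_ROUTE_TABLES = [
    {   # main table: applies to any subnet without an explicit association
        "RouteTableId": "rtb-main0000",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # "public" subnet: 0.0.0.0/0 -> internet gateway
        "RouteTableId": "rtb-public00",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public", "RouteTableId": "rtb-public00"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {   # private subnet with a NAT gateway: the $35/month case
        "RouteTableId": "rtb-natgw000",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-natgw", "RouteTableId": "rtb-natgw000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
    {   # private subnet with a NAT instance (route target is an instance)
        "RouteTableId": "rtb-natinst0",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-natinst", "RouteTableId": "rtb-natinst0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0natbox", "State": "active"},
        ],
    },
    {   # the "per-request NAT" aftermath: the NAT gateway was deleted, route is blackholed
        "RouteTableId": "rtb-blackho0",
        "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-blackhole", "RouteTableId": "rtb-blackho0"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deleted", "State": "blackhole"},
        ],
    },
]


def route_table_for_subnet(tables, subnet_id: str) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route(table: dict) -> Optional[dict]:
    """Return the *active* 0.0.0.0/0 route; a missing or blackholed route counts as none."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def lambda_egress(tables, subnet_id: str) -> Tuple[bool, str]:
    """Return (has_internet_egress, reason) for a Lambda whose ENI lands in subnet_id."""
    table = route_table_for_subnet(tables, subnet_id)
    if table is None:
        return False, "no route table applies to this subnet"
    route = default_route(table)
    if route is None:
        return False, "no active 0.0.0.0/0 route (missing or blackholed)"
    if "NatGatewayId" in route:
        return True, "default route via NAT gateway " + route["NatGatewayId"]
    if "InstanceId" in route or "NetworkInterfaceId" in route:
        return True, "default route via NAT instance"
    if route.get("GatewayId", "").startswith("igw-"):
        # Public subnet, but the function's ENI has only a private address,
        # so the internet gateway cannot forward its traffic.
        return False, "public subnet: IGW route, but a Lambda ENI has no public IP"
    return False, "default route target not classified; check it by hand"


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-natgw", "subnet-natinst",
                   "subnet-blackhole", "subnet-noassoc"):
        print(subnet, lambda_egress(SAMPLE_ROUTE_TABLES, subnet))
```

To run it against a real account, feed it `boto3.client("ec2").describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]` and the subnet IDs from `boto3.client("lambda").get_function_configuration(FunctionName=name)["VpcConfig"]["SubnetIds"]`; a function with several subnets needs every one of them to come back `True`, since Lambda picks any of them for a given ENI.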


Eww. TIL, thanks.


Can't you simply decouple your lambda project into two different parts where you have public lambda(s) calling your private/VPC lambda function(s) when required?

Public Lambdas can invoke VPC Lambdas (AFAIK, the reverse is not possible without a VPC endpoint).


Same. I built a project in my free time and I was pretty surprised to see my bill was 99% NAT Gateways and a few hundred dollars.

A free tier for NAT gateways would go a very long way. I wonder why they wouldn't have one.


Have you tried cloudflare workers? The networking gets taken care of for you, plus they are obscenely fast as they run on the edge closest to the client and use v8 isolates to drop 95th percentile latency from cold starts from ~1.5 seconds to about 300ms.


Hmm, cold starts for Workers depend on your script size, but should be around 10ms, never 300ms. Are you seeing 300ms? Is that actually Workers cold start time, or cold start for a larger application (e.g. that might include things like HTTP cache warm-up)?

(I'm the tech lead for Workers.)


I don’t think I explained it very well, sorry. I meant 300ms from an external load testing tool called wrk with 4 threads hitting it with 1,000 concurrent connections, including network round trip. This was only visible for the first run, after that I was seeing 99th percentile at ~90ms for the round trip. The worker I tested with is server rendering a react app. I’m away from the computer but I think the average speeds were ~20ms round trip. It’s crazy fast. I’m thrilled with it!



