flaviostutz / cdk-practical-constructs

A collection of CDK constructs for making the development of AWS-based applications easier and safer in a practical way
MIT License

Don't create a default Security Group #44

Closed erik-am closed 3 weeks ago

erik-am commented 3 weeks ago

The BaseNodeJsFunction creates a new, default security group for each lambda.

This is actually not a recommended practice, because AWS will create a new ENI and use up an IP address in the subnet for each unique combination of subnet + security group. So attaching a new, unique security group to each new lambda means that each lambda needs its own ENI and IP address, and you will hit limits at some point.


See https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/ for more details on how this works.

Feature request

I would remove the default security group option completely.

Or at the very least, make it controllable with a boolean, and set the default to false.
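
A small added model of the ENI arithmetic behind this request (example code, not from cdk-practical-constructs; the `createDefaultSecurityGroup` option name and the subnet/security-group IDs are assumed, and the sample is constructed):

```typescript
// Lambda VPC networking creates one Hyperplane ENI per unique
// (subnet, security-group set) combination. This model counts how many
// ENIs a set of functions needs, so the cost of a per-function default SG
// versus one shared SG can be compared directly.

interface VpcFunction {
  name: string;
  subnetIds: string[];
  securityGroupIds: string[];
}

// Canonical key for one (subnet, SG set) combination; SG order is irrelevant.
function eniKey(subnetId: string, sgIds: string[]): string {
  return `${subnetId}|${[...sgIds].sort().join(",")}`;
}

// Number of distinct ENIs (and subnet IPs) AWS would allocate for these functions.
function countRequiredEnis(fns: VpcFunction[]): number {
  const combos = new Set<string>();
  for (const fn of fns) {
    for (const subnet of fn.subnetIds) {
      combos.add(eniKey(subnet, fn.securityGroupIds));
    }
  }
  return combos.size;
}

// Build `count` functions over the given subnets, either each with its own
// default SG (the behaviour reported in the issue) or all sharing one SG.
// `createDefaultSecurityGroup` is a hypothetical option, defaulting to false.
function planFunctions(
  count: number,
  subnetIds: string[],
  opts: { createDefaultSecurityGroup: boolean } = { createDefaultSecurityGroup: false },
): VpcFunction[] {
  const fns: VpcFunction[] = [];
  for (let i = 0; i < count; i++) {
    const sg = opts.createDefaultSecurityGroup ? `sg-default-fn${i}` : "sg-shared-lambda";
    fns.push({ name: `fn${i}`, subnetIds, securityGroupIds: [sg] });
  }
  return fns;
}

// Constructed sample: 20 functions deployed across 3 private subnets.
const subnets = ["subnet-a", "subnet-b", "subnet-c"];
const enisPerFunctionSg = countRequiredEnis(planFunctions(20, subnets, { createDefaultSecurityGroup: true })); // 60
const enisSharedSg = countRequiredEnis(planFunctions(20, subnets)); // 3
```

With a unique SG per function the ENI count grows linearly with the number of functions, while a shared SG keeps it at one ENI per subnet regardless of how many functions are deployed.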

flaviostutz commented 3 weeks ago

Great article! Thanks for that!