jeffsw / rpkilog

rpkilog.com web site and tools
MIT License

Infrastructure: NAT gateway VMs for private subnets #2

Closed jeffsw closed 10 months ago

jeffsw commented 2 years ago

Our RPKI archive crawler is running as a cron job on a VM instead of in an AWS Lambda. Here's why:

AWS sells a NAT Gateway but it costs $0.045/GByte data processing fee even when communicating with AWS endpoints in the same region. It also has a fixed cost of $0.045/hour per gateway. We'd need one gateway per AZ capable of executing the Lambda(s). Just the fixed cost is $32/mo per AZ, then add up all the data we want to download through it.

We can deploy & manage our own NAT gateway nearly as easily as provisioning the AWS service. This has the same requirements for us to create additional VPC Subnets and adjust their routing table. The main complexity is we have to create a type of VM with an interface in the VPC Public Subnet and also the Private Subnet then enable forwarding and NAT on the VM. I would rather do this for $4/mo per AZ than pay AWS $32/mo per AZ plus the ridiculous data processing fee.

For right now, we have a work-around with the cron job VM. I would like to migrate the few job(s) that will need to run on the cron VM over to Lambda.
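The self-managed NAT VM sketched above, as an added example that is not part of the rpkilog project: it assumes a Linux instance with one interface in the public subnet and one in the private subnet, and the subnet CIDR, interface names and AWS identifiers are placeholders. The forwarding policy accepts only traffic originating in the private subnet and only return traffic from the Internet, so the VM cannot be used as an open relay if something else in the VPC is compromised.

```shell
#!/bin/sh
# Assumed layout (constructed for this example, not from the rpkilog repo):
#   $1 = private subnet CIDR, $2 = interface in the private subnet,
#   $3 = interface in the public subnet (the one with the IGW route).

# Print the iptables rules that make this VM a NAT for one private subnet.
# Printing first keeps the policy reviewable; apply_nat pipes it into sh.
nat_rules() {
  cidr="$1"; priv_if="$2"; pub_if="$3"
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $priv_if -o $pub_if -s $cidr -j ACCEPT
iptables -A FORWARD -i $pub_if -o $priv_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $cidr -o $pub_if -j MASQUERADE
EOF
}

# Number of iptables commands the policy emits; a sanity check before applying.
nat_rule_count() {
  nat_rules "$@" | grep -c '^iptables'
}

# Enable forwarding (runtime and persistent) and load the rules. Needs root.
apply_nat() {
  sysctl -w net.ipv4.ip_forward=1
  echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/90-nat.conf
  nat_rules "$@" | sh -e
}

# AWS side (placeholder ids): EC2 discards forwarded packets unless the
# source/dest check is off, and the private subnet's route table must send
# its default route to this instance.
aws_steps() {
  cat <<EOF
aws ec2 modify-instance-attribute --instance-id i-PLACEHOLDER --no-source-dest-check
aws ec2 create-route --route-table-id rtb-PLACEHOLDER --destination-cidr-block 0.0.0.0/0 --instance-id i-PLACEHOLDER
EOF
}

# Usage on the NAT VM: sh nat.sh apply 10.0.128.0/20 eth1 eth0
if [ "${1:-}" = "apply" ]; then
  shift
  apply_nat "$@"
fi
```

The instance's security group still applies on top of these rules, so it must allow inbound traffic from the private subnet CIDR and outbound traffic to the Internet.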

jeffsw commented 10 months ago

Closing for now. The cron1 VM solution is fine.

Lambda has since gained a larger max /tmp filesystem knob, too. Up to 10 GB is available and it's cheap; the old 500 MB limit is what caused the need for EFS.