consul/website/content/docs/lambda/invocation.mdx

---
layout: docs
page_title: Invoke AWS Lambda Functions
description: >-
  You can invoke an Amazon Web Services Lambda function in your Consul service mesh by configuring terminating gateways or sidecar proxies. Learn how to declare a registered function as an upstream and why we recommend using terminating gateways with Lambda.
---

# Invoke Lambda Functions from Mesh Services

This topic describes how to invoke AWS Lambda functions from the Consul service mesh.

## Overview

You can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from service mesh proxies.


### Terminating Gateway

We recommend invoking Lambda functions through terminating gateways. This method supports cross-datacenter communication, transparent
proxies, intentions, and all other Consul service mesh features.

The terminating gateway must have [the appropriate IAM permissions](/consul/docs/lambda/registration#configure-iam-permissions-for-envoy)
to invoke the function.

The following diagram shows the invocation procedure:

<ImageConfig width={700}>

![Terminating Gateway to Lambda](/img/terminating_gateway_to_lambda.svg)

</ImageConfig>

1. Make an HTTP request to the local service mesh proxy.
1. The service mesh proxy forwards the request to the terminating gateway.
1. The terminating gateway invokes the function.

### Service Mesh Proxy

You can invoke Lambda functions directly from a service's mesh sidecar proxy.
This method has the following limitations:
- Intentions are unsupported. Consul enforces intentions by validating the client certificates presented when a connection is received. Lambda does not support client certificate validation, which prevents Consul from supporting intentions using this method.
- Transparent proxies are unsupported. This is because Lambda services are not
  registered to a proxy.

This method is secure because AWS IAM permissions is required to invoke Lambda functions. Additionally, all communication is encrypted with Amazon TLS when invoking Lambda resources. 

The Envoy sidecar proxy must have the correct AWS IAM credentials to invoke the function. You can define the credentials in environment variables, EC2 metadata, or ECS task metadata.

The following diagram shows the invocation procedure:

<ImageConfig width={400}>

![Service Mesh Proxy to Lambda](/img/connect_proxy_to_lambda.svg)

</ImageConfig>

1. Make an HTTP request to the local service mesh proxy.
2. The service mesh proxy invokes the Lambda.

## Invoke a Lambda Function
Before you can invoke a Lambda function, register the service used to invoke
the Lambda function and the service running in Lambda with
Consul (refer to [registration](/consul/docs/lambda/registration) for
instructions). The service used to invoke the function must be deployed to the
service mesh.

1. Update the invoking service to use the Lambda service as an upstream. In the following example, the `destination_name` for the invoking service (`api`) points to a Lambda service called `authentication`:
    ```hcl
    upstreams {
      local_bind_port = 2345
      destination_name = "authentication"
    }
    ```
1. Issue the `consul services register` command to store the configuration:
    ```shell-session
     $ consul services register api-sidecar-proxy.hcl
    ```
1. Call the upstream service to invoke the Lambda function. In the following example, the `api` service invokes the `authentication` service at `localhost:2345`:
    ```shell-session
     $ curl https://localhost:2345
    ```