mirror of
https://github.com/status-im/consul.git
synced 2025-01-17 17:22:17 +00:00
166d7a39e8
Remove outdated usage of "Consul Connect" instead of Consul service mesh. The connect subsystem in Consul provides Consul's service mesh capabilities. However, the term "Consul Connect" should not be used as an alternative to the name "Consul service mesh".
82 lines
3.5 KiB
Plaintext
82 lines
3.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Invoke AWS Lambda Functions
|
|
description: >-
|
|
You can invoke an Amazon Web Services Lambda function in your Consul service mesh by configuring terminating gateways or sidecar proxies. Learn how to declare a registered function as an upstream and why we recommend using terminating gateways with Lambda.
|
|
---
|
|
|
|
# Invoke Lambda Functions from Mesh Services
|
|
|
|
This topic describes how to invoke AWS Lambda functions from the Consul service mesh.
|
|
|
|
## Overview
|
|
|
|
You can invoke Lambda functions from the Consul service mesh through terminating gateways (recommended) or directly from service mesh proxies.
|
|
|
|
|
|
### Terminating Gateway
|
|
|
|
We recommend invoking Lambda functions through terminating gateways. This method supports cross-datacenter communication, transparent
|
|
proxies, intentions, and all other Consul service mesh features.
|
|
|
|
The terminating gateway must have [the appropriate IAM permissions](/consul/docs/lambda/registration#configure-iam-permissions-for-envoy)
|
|
to invoke the function.
|
|
|
|
The following diagram shows the invocation procedure:
|
|
|
|
<ImageConfig width={700}>
|
|
|
|
![Terminating Gateway to Lambda](/img/terminating_gateway_to_lambda.svg)
|
|
|
|
</ImageConfig>
|
|
|
|
1. Make an HTTP request to the local service mesh proxy.
|
|
1. The service mesh proxy forwards the request to the terminating gateway.
|
|
1. The terminating gateway invokes the function.
|
|
|
|
### Service Mesh Proxy
|
|
|
|
You can invoke Lambda functions directly from a service's mesh sidecar proxy.
|
|
This method has the following limitations:
|
|
- Intentions are unsupported. Consul enforces intentions by validating the client certificates presented when a connection is received. Lambda does not support client certificate validation, which prevents Consul from supporting intentions using this method.
|
|
- Transparent proxies are unsupported. This is because Lambda services are not
|
|
registered to a proxy.
|
|
|
|
This method is secure because AWS IAM permissions is required to invoke Lambda functions. Additionally, all communication is encrypted with Amazon TLS when invoking Lambda resources.
|
|
|
|
The Envoy sidecar proxy must have the correct AWS IAM credentials to invoke the function. You can define the credentials in environment variables, EC2 metadata, or ECS task metadata.
|
|
|
|
The following diagram shows the invocation procedure:
|
|
|
|
<ImageConfig width={400}>
|
|
|
|
![Service Mesh Proxy to Lambda](/img/connect_proxy_to_lambda.svg)
|
|
|
|
</ImageConfig>
|
|
|
|
1. Make an HTTP request to the local service mesh proxy.
|
|
2. The service mesh proxy invokes the Lambda.
|
|
|
|
## Invoke a Lambda Function
|
|
Before you can invoke a Lambda function, register the service used to invoke
|
|
the Lambda function and the service running in Lambda with
|
|
Consul (refer to [registration](/consul/docs/lambda/registration) for
|
|
instructions). The service used to invoke the function must be deployed to the
|
|
service mesh.
|
|
|
|
1. Update the invoking service to use the Lambda service as an upstream. In the following example, the `destination_name` for the invoking service (`api`) points to a Lambda service called `authentication`:
|
|
```hcl
|
|
upstreams {
|
|
local_bind_port = 2345
|
|
destination_name = "authentication"
|
|
}
|
|
```
|
|
1. Issue the `consul services register` command to store the configuration:
|
|
```shell-session
|
|
$ consul services register api-sidecar-proxy.hcl
|
|
```
|
|
1. Call the upstream service to invoke the Lambda function. In the following example, the `api` service invokes the `authentication` service at `localhost:2345`:
|
|
```shell-session
|
|
$ curl https://localhost:2345
|
|
```
|