Aembit provides several different deployment options which you can use to deploy Aembit Edge Components in your environment. Each of these options provides similar features and functionality; however, the steps for each of these options are specific to the deployment option you select.
This page describes the process to deploy Aembit Edge components to an AWS Lambda container environment.
Deploy Aembit Edge Components
Topology
Aembit Agent Proxies for AWS Lambda containers are deployed within Lambda Containers. They are packaged as AWS Lambda Extensions and are automatically launched by the AWS Lambda Runtime.
The deployed Lambda function must connect to an Amazon Virtual Private Cloud (VPC) with access to both the Agent Controller and the Internet.
For each AWS region hosting your Lambda containers, you must create a VPC (or use an existing one). All Lambda containers in each AWS account/region that include Aembit components must connect to a corresponding VPC in the same region.
This VPC must provide:
- Access to the Agent Controller.
- Access to the Internet.
Agent Controllers can either operate directly within this VPC or be located elsewhere, but accessible from this VPC.
AWS Lambda containers are automatically placed within a VPC’s private network. To enable Internet access, traffic from the VPC must pass through a NAT located in the public network. For more information, consult the AWS documentation on Connecting outbound networking to resources in a VPC.
Agent Controller
Deploy the Agent Controller either on a Virtual Machine or within your Kubernetes Cluster.
Lambda Container Packaging
The Aembit Edge Components are distributed as part of the Aembit AWS Lambda Extension. All Lambda extensions are incorporated into Lambda containers at build time.
Include the following commands in your Dockerfile to add the extension to your AWS Lambda container image:
COPY --from=aembit/aembit_aws_lambda_extension:<version> /extension/ /opt/extensions
Remember to replace <version> with the current version available on DockerHub.
Lambda Container Deployment
Deploy or update your Lambda container:
- Specify additional environment variables for your Lambda function.
For Agent Controllers with TLS configured:
AEMBIT_AGENT_CONTROLLER=https://<AGENT CONTROLLER HOST>:5443
For Agent Controllers without TLS:
AEMBIT_AGENT_CONTROLLER=http://<AGENT CONTROLLER HOST>:5000
- Specify http_proxy and/or https_proxy environment variables to direct HTTP and/or HTTPS traffic through Aembit:
http_proxy=http://localhost:8000
https_proxy=http://localhost:8000
Additional environment variables can be configured to set the Agent Proxy log level, among other settings. Please refer to the list of available Agent Proxy environment variables.
Client Workload identification
The most convenient way to identify Lambda container Client Workloads is using AWS Lambda ARN Client Workload Identification.
Alternatively, you can use an Aembit Client ID by setting the CLIENT_WORKLOAD_ID environment variable.
Trust Providers
The only Trust Provider available for Lambda container Client Workloads is the AWS Role Trust Provider.
Please refer to the Lambda Container Support section for more details about the configuration.
Resource Set Deployment
To deploy a Resource Set using an AWS Lambda Container, you need to specify the AEMBIT_RESOURCE_SET_ID environment variable in your Client Workload. This configuration enables the Agent Proxy to support Client Workloads in this Resource Set.
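The Lambda Container Deployment, Client Workload identification and Resource Set Deployment sections above describe the environment variables a function needs; the following is an added example (not Aembit's own tooling) that assembles that variable map and checks an existing one for the mistakes that most often break the integration: an AEMBIT_AGENT_CONTROLLER URL whose scheme and port do not match (https with 5443, http with 5000), and http_proxy/https_proxy values that do not point at the Agent Proxy on localhost:8000, so that workload traffic silently bypasses Aembit. The input map has the same shape as the Environment → Variables object returned by `aws lambda get-function-configuration`; the host names and Resource Set ID used in the sample are constructed placeholders.

```python
"""Build and check the Aembit environment variables of an AWS Lambda function.

Added example; not Aembit's own tooling. It encodes the settings this page
lists: AEMBIT_AGENT_CONTROLLER (https://host:5443 with TLS, http://host:5000
without), http_proxy / https_proxy pointing at the local Agent Proxy on
port 8000, and the optional AEMBIT_RESOURCE_SET_ID / CLIENT_WORKLOAD_ID
variables. The input is the "Environment" -> "Variables" map as returned
by `aws lambda get-function-configuration`.
"""
import json
from urllib.parse import urlparse

AGENT_PROXY_URL = "http://localhost:8000"          # Aembit Agent Proxy inside the container
CONTROLLER_PORTS = {"https": 5443, "http": 5000}   # Agent Controller ports listed on this page


def aembit_lambda_variables(controller_host, tls=True, resource_set_id=None,
                            client_workload_id=None):
    """Build the environment-variable map a Lambda function needs for Aembit."""
    scheme = "https" if tls else "http"
    variables = {
        "AEMBIT_AGENT_CONTROLLER": f"{scheme}://{controller_host}:{CONTROLLER_PORTS[scheme]}",
        "http_proxy": AGENT_PROXY_URL,
        "https_proxy": AGENT_PROXY_URL,
    }
    if resource_set_id:
        variables["AEMBIT_RESOURCE_SET_ID"] = resource_set_id
    if client_workload_id:
        variables["CLIENT_WORKLOAD_ID"] = client_workload_id
    return variables


def check_aembit_lambda_env(variables):
    """Return a list of (severity, message) findings; [] means the map is consistent."""
    findings = []

    controller = variables.get("AEMBIT_AGENT_CONTROLLER", "")
    url = urlparse(controller)
    expected_port = CONTROLLER_PORTS.get(url.scheme)
    if not controller:
        findings.append(("error", "AEMBIT_AGENT_CONTROLLER is not set; the Agent Proxy has no Agent Controller to reach"))
    elif expected_port is None or not url.hostname:
        findings.append(("error", f"AEMBIT_AGENT_CONTROLLER={controller!r} is not an http(s)://host:port URL"))
    else:
        try:
            port = url.port          # raises ValueError for a non-numeric port
        except ValueError:
            port = None
        if port != expected_port:
            findings.append(("error", f"AEMBIT_AGENT_CONTROLLER uses port {port}; "
                                      f"{url.scheme} Agent Controllers listen on {expected_port}"))
        if url.scheme == "http":
            findings.append(("warning", "Agent Proxy to Agent Controller traffic is plaintext; "
                                        "configure TLS on the Agent Controller"))

    # The page uses the lowercase names; only those are checked here.
    proxies = {name: variables[name] for name in ("http_proxy", "https_proxy") if name in variables}
    if not proxies:
        findings.append(("error", "neither http_proxy nor https_proxy is set; workload traffic bypasses the Agent Proxy"))
    for name, value in proxies.items():
        if value != AGENT_PROXY_URL:
            findings.append(("error", f"{name}={value!r} does not point at the Agent Proxy ({AGENT_PROXY_URL})"))

    for name in ("AEMBIT_RESOURCE_SET_ID", "CLIENT_WORKLOAD_ID"):
        if name in variables and not variables[name].strip():
            findings.append(("error", f"{name} is set but empty"))
    return findings


def cli_environment_argument(variables):
    """JSON value for `aws lambda update-function-configuration --environment`."""
    return json.dumps({"Variables": variables}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample of a mis-deployed function: TLS scheme with the non-TLS
    # port, and a proxy URL with a typo in the port number.
    broken = {
        "AEMBIT_AGENT_CONTROLLER": "https://agent-controller.example.internal:5000",
        "http_proxy": "http://localhost:8080",
    }
    for severity, message in check_aembit_lambda_env(broken):
        print(f"{severity}: {message}")
    good = aembit_lambda_variables("agent-controller.example.internal",
                                   resource_set_id="<RESOURCE SET ID>")  # placeholder
    assert check_aembit_lambda_env(good) == []
    print(cli_environment_argument(good))
```

Run the check against the variable map of each function that carries the extension; the plaintext-controller case is reported as a warning rather than an error because the page allows Agent Controllers without TLS, but it is the one setting a reviewer would want surfaced.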
Lambda Container lifecycle and Workload Events
Lambda Containers are paused immediately after the completion of the Lambda function. As a result, workload events may not have enough time to be sent by the Aembit Agent Proxy to Aembit Cloud.
These events will be retained by the Aembit Agent Proxy and sent either at the next Lambda function invocation or during the container shutdown process.
As a result, it may take longer than in other environments for these workload events to become available in your tenant.
Configuring TLS Decrypt
To utilize TLS decryption in your AWS Lambda container, download and trust the tenant certificate within your AWS Lambda container. Considering that the Lambda container’s filesystem is configured to be read-only, Aembit recommends including this step in your build pipeline.
Refer to the Configure TLS Decrypt page for comprehensive instructions on configuring TLS Decrypt.
Performance
The startup and shutdown of the Aembit Agent Proxy normally take several seconds each, which increases the execution time of your Lambda function by several seconds.
Limitations
Aembit currently supports only the following protocols in AWS Lambda container environments:
- HTTP
- HTTPS
- Snowflake
Supported phases
The Aembit AWS Lambda Extension supports Client Workload identification and credential injection during the following Lambda container lifecycle phases:
- INIT phase: supported for internal extensions, function inits, and external extensions executed after the Aembit extension.
- INVOKE phase: fully supported.