
Announcing AWS Lambda support in Gloo Gateway

Aidan Carson, Ben Lilley | January 24, 2023

We are excited to launch the initial release of AWS Lambda support in Gloo Gateway! AWS Lambda is a “function as a service” platform for building microservice architectures in your choice of programming language, where you pay only for what you use. Learn more about AWS Lambda on the AWS website.

AWS Lambda integration works seamlessly with other Gloo Gateway features such as filters and policies. This release also introduces new custom resources to help you manage multiple public cloud accounts and regions in multitenant Gloo environments, with AWS Lambda as the first supported implementation.

Resource overview

CloudProvider

CloudProvider expresses attributes that define a security/tenancy boundary and informs Gloo how to access cloud resources. In this release, AWS is introduced as the first supported configuration.

Each CloudProvider represents a single AWS account and region along with invocation parameters for AWS Lambda. As new cloud providers are added, the CloudProvider custom resource will continue to be the intersection of one particular account/region for one particular cloud provider. This gives granular control over your cloud resources and helps control which resources get shared across workspace boundaries in a multitenant environment. Here is an example CloudProvider YAML:

apiVersion: networking.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-team-a-us-west-1
  namespace: my-app
spec:
  aws:
    stsEndpoint: sts.amazonaws.com
    accountId: '111111111111'
    region: us-west-1
    lambda:
      invokeRoleName: team-a-lambda-invoke

This configuration provides access to Lambda resources in AWS account “111111111111” in the us-west-1 region. Gloo derives the role ARN from accountId and invokeRoleName, so the AWS role “arn:aws:iam::111111111111:role/team-a-lambda-invoke” will be used to invoke Lambdas for this CloudProvider. That role must exist in the target account, must be assumable by the gateway’s AWS identity, and must grant lambda:InvokeFunction; scope that permission to the function ARNs the associated CloudResources declare rather than to every function in the account, since the CloudProvider is the tenancy boundary and the role is what actually enforces it on the AWS side.

Note: If Lambdas in the same account and region need different invoke roles, create one CloudProvider per invoke role.

CloudResources

CloudResources represents resources owned by a CloudProvider that may be used as route destinations in Gloo Gateway. Each CloudResources object is related to a single CloudProvider (and therefore a single account and region) and lists the AWS Lambdas that are available as routing destinations: logicalName is the handle that RouteTables reference, while lambdaFunctionName and qualifier (a version or alias, or $LATEST) identify the concrete function that is invoked. Currently these resources must be created manually; in a future release CloudResources will be generated automatically via function discovery.

apiVersion: networking.gloo.solo.io/v2
kind: CloudResources
metadata:
  name: aws-team-a-us-west-1
  namespace: my-app
spec:
  provider: aws-team-a-us-west-1
  lambda:
    - logicalName: golang-echo-latest
      lambdaFunctionName: golang-echo
      qualifier: $LATEST

Click here for more information on CloudProvider and CloudResources.

Routing

Lambda requests are routed via a new “CLOUD_PROVIDER” destination type on RouteTable. The destination spec includes a reference to a cloud provider, along with the logical name of the function to invoke.

Note: The function’s logical name must exist in a CloudResources custom resource associated with the referenced CloudProvider. If the same logical name is declared by more than one CloudResources associated with the same CloudProvider, the CloudProvider custom resource involved in the conflict will carry a status message indicating the collision; check that status before assuming a route resolves to the function you expect.

apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: aws-team-a
  namespace: my-app
spec:
  hosts:
    - team-a.foo.com
  virtualGateways:
    - name: north-south-gw
      namespace: istio-gateways
      cluster: mgmt
  http:
    - name: lambda
      matchers:
        - uri:
            prefix: /lambda
      forwardTo:
        destinations:
          - ref:
              name: aws-team-a-us-west-1
              namespace: my-app
              cluster: mgmt
            kind: CLOUD_PROVIDER
            function:
              logicalName: golang-echo-latest

Click here for more details on routing configuration.

Multitenancy controls

Cloud-related resources participate in Gloo Platform Workspaces. CloudProviders are namespace-scoped and are “owned by” the Workspace associated with the namespace they are created in. CloudProviders may be referenced by RouteTables in the same workspace, or via workspace export/import. All CloudResources associated with a CloudProvider are implicitly exported/imported alongside the parent CloudProvider custom resource.

In addition to the isolation Workspaces provide, use of AWS resources can be restricted at the route level by CloudProvider attributes, using a new RouteTable delegation filter. In the following example, the RouteTable “gateway” in the istio-gateways namespace delegates the “/lambda” prefix to the RouteTable “aws-team-a” in the my-app namespace. The gateway RouteTable only delegates to RouteTables in the “app” workspace, and only admits routes whose CloudProvider satisfies the cloudProvider.aws.iamRoles filter.

---
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: gateway
  namespace: istio-gateways
spec:
  hosts:
    - '*'
  virtualGateways:
    - name: north-south-gw
      namespace: istio-gateways
  http:
    - name: lambda
      matchers:
        - uri:
            prefix: /lambda
          delegate:
            routeTables:
              - workspace: app
            allowedRoutes:
              cloudProvider:
                aws:
                  iamRoles:
                    - gloo-lambda-executor
                    - .*
---
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: aws-team-a
  namespace: my-app
spec:
  http:
    - name: lambda
      forwardTo:
        destinations:
          - ref:
              name: aws-provider
              namespace: devops
              cluster: mgmt
            kind: CLOUD_PROVIDER
            function:
              logicalName: golang-echo-latest

The allowedRoutes.cloudProvider filter can restrict AWS Lambda routes by IAM role, account ID, region, or function name; regular expression matching is supported for IAM roles and function names. Because the list is a set of patterns, an entry such as “.*” in the example above matches every role name and makes the explicit “gloo-lambda-executor” entry redundant; to enforce a real tenancy boundary, list only the invoke roles the delegating team is allowed to use.
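To make the checks described in this post concrete (the logical-name collision noted under Routing, the iamRoles delegation filter above, and the least-privilege permission policy the CloudProvider’s invokeRoleName should carry), here is an added example in Python. It is not Solo.io code and does not call the Gloo API; it works on plain dicts that mirror the YAML in this post and are constructed inline so it runs offline. Two assumptions are made: the CloudResources provider reference is namespace-local, as in the YAML above, and iamRoles patterns are matched against the whole role name (the post does not say whether matching is anchored).

```python
"""Offline checks for Gloo Gateway CloudProvider routing (added example).

Not Solo.io code. Resources are constructed dicts mirroring the YAML in this
post (kept as dicts so the script runs without PyYAML). Assumptions: the
CloudResources provider reference is namespace-local, and the iamRoles
filter is an anchored (full-string) regex match.
"""
import re

CLOUD_PROVIDERS = [
    {"namespace": "my-app", "name": "aws-team-a-us-west-1",
     "accountId": "111111111111", "region": "us-west-1",
     "invokeRoleName": "team-a-lambda-invoke"},
]

# Constructed: the second CloudResources reuses "golang-echo-latest" under
# the same provider, which the post says is reported as a collision.
CLOUD_RESOURCES = [
    {"namespace": "my-app", "name": "aws-team-a-us-west-1",
     "provider": "aws-team-a-us-west-1",
     "lambda": [{"logicalName": "golang-echo-latest",
                 "lambdaFunctionName": "golang-echo", "qualifier": "$LATEST"}]},
    {"namespace": "my-app", "name": "aws-team-a-extra",
     "provider": "aws-team-a-us-west-1",
     "lambda": [{"logicalName": "golang-echo-latest",
                 "lambdaFunctionName": "golang-echo-v2", "qualifier": "1"}]},
]

# Constructed: CLOUD_PROVIDER destinations as found in RouteTable forwardTo
# entries; "python-hello" is declared by no CloudResources.
ROUTE_DESTINATIONS = [
    {"routeTable": "aws-team-a", "namespace": "my-app",
     "provider": "aws-team-a-us-west-1", "logicalName": "golang-echo-latest"},
    {"routeTable": "aws-team-a", "namespace": "my-app",
     "provider": "aws-team-a-us-west-1", "logicalName": "python-hello"},
]


def logical_name_index(resources):
    """Map (namespace, provider, logicalName) -> concrete Lambda targets."""
    index = {}
    for cr in resources:
        for fn in cr["lambda"]:
            key = (cr["namespace"], cr["provider"], fn["logicalName"])
            index.setdefault(key, []).append(
                (cr["name"], fn["lambdaFunctionName"], fn["qualifier"]))
    return index


def find_collisions(resources):
    """Logical names declared more than once for the same provider."""
    return sorted(key for key, targets in logical_name_index(resources).items()
                  if len(targets) > 1)


def unresolved_destinations(destinations, resources):
    """(routeTable, logicalName) pairs that no CloudResources entry backs."""
    index = logical_name_index(resources)
    return [(d["routeTable"], d["logicalName"]) for d in destinations
            if (d["namespace"], d["provider"], d["logicalName"]) not in index]


def role_allowed(role_name, patterns):
    """True if the invoke role satisfies the allowedRoutes iamRoles list."""
    return any(re.fullmatch(p, role_name) for p in patterns)


def allow_all_patterns(patterns):
    """Patterns that accept arbitrary role names, i.e. nullify the filter."""
    probes = ("probe-role", "AnotherRole_42")
    return [p for p in patterns if all(re.fullmatch(p, x) for x in probes)]


def delegation_report(providers, patterns):
    """Per provider: does its invoke role pass the delegation filter?"""
    return {p["name"]: role_allowed(p["invokeRoleName"], patterns)
            for p in providers}


def invoke_policy(provider, resources):
    """Least-privilege permission policy for the provider's invoke role:
    lambda:InvokeFunction only on the declared functions, in unqualified and
    qualified (version/alias) ARN form. The trust policy is not included."""
    arns = set()
    for cr in resources:
        if (cr["namespace"], cr["provider"]) != (provider["namespace"], provider["name"]):
            continue
        for fn in cr["lambda"]:
            base = "arn:aws:lambda:%s:%s:function:%s" % (
                provider["region"], provider["accountId"], fn["lambdaFunctionName"])
            arns.update((base, base + ":*"))
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "InvokeDeclaredFunctionsOnly", "Effect": "Allow",
                           "Action": "lambda:InvokeFunction",
                           "Resource": sorted(arns)}]}


if __name__ == "__main__":
    import json
    print("collisions:", find_collisions(CLOUD_RESOURCES))
    print("unresolved:", unresolved_destinations(ROUTE_DESTINATIONS, CLOUD_RESOURCES))
    filt = ["gloo-lambda-executor", ".*"]
    print(filt, delegation_report(CLOUD_PROVIDERS, filt), allow_all_patterns(filt))
    print(json.dumps(invoke_policy(CLOUD_PROVIDERS[0], CLOUD_RESOURCES), indent=2))
```

If your Gloo version matches iamRoles patterns without anchoring, a pattern such as “gloo” would also admit a role named gloo-lambda-executor-staging, so probe the filter with a deliberately mismatched role before relying on it as a boundary. The generated document is only the permission policy; the trust policy that lets the gateway’s identity assume the role depends on how Gloo is deployed and is not shown here.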

Try it out!

The getting started documentation contains a detailed guide on how to deploy and test an AWS Lambda on Gloo Gateway. Give it a try! We’d love to hear feedback or answer questions in our community Slack.

What’s next?

This release brings AWS Lambda support to Gloo Gateway, along with robust controls to manage many cloud environments. Stay tuned for further enhancements such as automatic function discovery and discovery filtering!
