Announcing AWS Lambda support in Gloo Gateway
We are excited to launch the initial release of AWS Lambda in Gloo Gateway! AWS Lambda is a “function as a service” platform that can be used to build microservice architectures in your choice of programming language, where you only pay for what you use. Learn more about AWS Lambda on the AWS website.
AWS Lambda integration works seamlessly with other Gloo Gateway features such as filters and policies. This release also introduces new custom resources to help you manage multiple public cloud accounts and regions in multitenant Gloo environments, with AWS Lambda as the first supported implementation.
Resource overview
CloudProvider
CloudProvider expresses attributes that define a security/tenancy boundary and informs Gloo how to access cloud resources. In this release, AWS is introduced as the first supported configuration.
Each CloudProvider represents a single AWS account and region along with invocation parameters for AWS Lambda. As new cloud providers are added, the CloudProvider custom resource will continue to represent one particular account/region for one particular cloud provider. This allows granular control over your cloud resources, and helps control which resources get shared across workspace boundaries in a multitenant environment. Here is an example CloudProvider YAML:
apiVersion: networking.gloo.solo.io/v2
kind: CloudProvider
metadata:
  name: aws-team-a-us-west-1
  namespace: my-app
spec:
  aws:
    stsEndpoint: sts.amazonaws.com
    accountId: '111111111111'
    region: us-west-1
    lambda:
      invokeRoleName: team-a-lambda-invoke
This configuration provides access to Lambda resources in AWS account “111111111111” in the us-west-1 region. The AWS role “arn:aws:iam::111111111111:role/team-a-lambda-invoke” will be used to invoke Lambda functions for this CloudProvider.
Note: If lambdas in the same account and region need different invoke roles, you can simply create one CloudProvider for each invoke role.
CloudResources
CloudResources represents resources owned by a CloudProvider that may be used as route destinations in Gloo Gateway. CloudResources are related to a single CloudProvider (and therefore a single account and region), and contain a list of AWS Lambdas that are available as routing destinations. Currently these resources must be created manually; in a future release CloudResources will be generated automatically via function discovery.
apiVersion: networking.gloo.solo.io/v2
kind: CloudResources
metadata:
  name: aws-team-a-us-west-1
  namespace: my-app
spec:
  provider: aws-team-a-us-west-1
  lambda:
    - logicalName: golang-echo-latest
      lambdaFunctionName: golang-echo
      qualifier: $LATEST
Click here for more information on CloudProvider and CloudResources.
Routing
Lambda requests are routed via a new “CLOUD_PROVIDER” destination type on RouteTable. The destination spec includes a reference to a cloud provider, along with the logical name of the function to invoke.
Note: The function’s logical name must be a function that exists in a CloudResources custom resource associated with the referenced CloudProvider. If name collisions exist between functions in CloudResources associated with the same CloudProvider, the CloudProvider custom resource that created the conflict will have a status message to indicate the collision.
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: aws-team-a
  namespace: my-app
spec:
  hosts:
    - team-a.foo.com
  virtualGateways:
    - name: north-south-gw
      namespace: istio-gateways
      cluster: mgmt
  http:
    - name: lambda
      matchers:
        - uri:
            prefix: /lambda
      forwardTo:
        destinations:
          - ref:
              name: aws-team-a-us-west-1
              namespace: my-app
              cluster: mgmt
            kind: CLOUD_PROVIDER
            function:
              logicalName: golang-echo-latest
Click here for more details on routing configuration.
Multitenancy controls
Cloud-related resources participate in Gloo Platform Workspaces. CloudProviders are namespace-scoped and are “owned by” the Workspace associated with the namespace they are created in. CloudProviders may be referenced by RouteTables in the same workspace, or via workspace export/import. All CloudResources associated with a CloudProvider are implicitly exported/imported alongside the parent CloudProvider custom resource.
In addition to the controls provided by Workspaces, use of AWS resources can be limited by CloudProvider attributes at the route level using a new RouteTable delegation filter. In the following example, the RouteTable “gateway” in the istio-gateways namespace delegates the “/lambda” prefix to another RouteTable, “aws-team-a”, in the my-app namespace. The gateway RouteTable will only delegate to RouteTables in the “app” workspace, and will only include routes that satisfy the cloudProvider.aws.iamRoles filter.
---
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: gateway
  namespace: istio-gateways
spec:
  hosts:
    - '*'
  virtualGateways:
    - name: north-south-gw
      namespace: istio-gateways
  http:
    - name: lambda
      matchers:
        - uri:
            prefix: /lambda
      delegate:
        routeTables:
          - workspace: app
        allowedRoutes:
          cloudProvider:
            aws:
              iamRoles:
                - gloo-lambda-executor
                - .*
---
apiVersion: networking.gloo.solo.io/v2
kind: RouteTable
metadata:
  name: aws-team-a
  namespace: my-app
spec:
  http:
    - name: lambda
      forwardTo:
        destinations:
          - ref:
              name: aws-provider
              namespace: devops
              cluster: mgmt
            kind: CLOUD_PROVIDER
            function:
              logicalName: golang-echo-latest
The allowedRoutes.cloudProvider filter allows restriction of AWS Lambdas by IAM role, account ID, region, or function name; regular expression matching is supported for IAM roles and function names.
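The two checks described above (a route's logicalName must resolve to exactly one function in the CloudResources tied to the referenced CloudProvider, and the delegating RouteTable's iamRoles filter must admit the provider's invoke role) can be pre-validated before manifests are applied. The following is an added example, not Gloo Gateway code; it models the manifests as plain dicts and assumes each iamRoles entry is an anchored regular expression matched against invokeRoleName.

```python
import re

# Constructed manifests modelled on the post's examples (dict form, no YAML parser needed).
CLOUD_PROVIDERS = {
    ("my-app", "aws-team-a-us-west-1"): {"invokeRoleName": "team-a-lambda-invoke"},
}
CLOUD_RESOURCES = [
    {"namespace": "my-app", "provider": "aws-team-a-us-west-1", "lambda": [
        {"logicalName": "golang-echo-latest", "lambdaFunctionName": "golang-echo"},
        {"logicalName": "python-hello", "lambdaFunctionName": "python-hello"}]},
    # A second CloudResources for the same provider reusing "python-hello": a name collision.
    {"namespace": "my-app", "provider": "aws-team-a-us-west-1", "lambda": [
        {"logicalName": "python-hello", "lambdaFunctionName": "python-hello-v2"}]},
]


def resolve_function(namespace, provider, logical_name):
    """Return the lambdaFunctionName a logical name maps to, or an 'error:' string.
    The name must appear exactly once across all CloudResources owned by the provider."""
    matches = [fn["lambdaFunctionName"]
               for cr in CLOUD_RESOURCES
               if cr["namespace"] == namespace and cr["provider"] == provider
               for fn in cr["lambda"] if fn["logicalName"] == logical_name]
    if not matches:
        return f"error: {logical_name} not found in CloudResources for {provider}"
    if len(matches) > 1:
        return f"error: {logical_name} collides across {len(matches)} CloudResources"
    return matches[0]


def role_allowed(invoke_role, iam_role_patterns):
    """Evaluate allowedRoutes.cloudProvider.aws.iamRoles against a provider's invoke role.
    Assumption: full-string regex match. Note that a pattern such as '.*' admits every
    role, so a list like ['gloo-lambda-executor', '.*'] restricts nothing."""
    return any(re.fullmatch(p, invoke_role) for p in iam_role_patterns)


def check_destination(dest, iam_role_patterns):
    """Validate one CLOUD_PROVIDER destination against the filter and the resource graph."""
    ns, name = dest["ref"]["namespace"], dest["ref"]["name"]
    provider = CLOUD_PROVIDERS.get((ns, name))
    if provider is None:
        return f"error: CloudProvider {ns}/{name} not found"
    if not role_allowed(provider["invokeRoleName"], iam_role_patterns):
        return f"denied: role {provider['invokeRoleName']} not permitted by iamRoles"
    target = resolve_function(ns, name, dest["function"]["logicalName"])
    return target if target.startswith("error") else f"ok: invokes {target}"
```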
Try it out!
The getting started documentation contains a detailed guide on how to deploy and test an AWS Lambda on Gloo Gateway. Give it a try! We’d love to hear feedback or answer questions in our community Slack.
What’s next?
This release brings AWS Lambda support to Gloo Gateway, along with robust controls to manage many cloud environments. Stay tuned for further enhancements such as automatic function discovery and discovery filtering!