Welcome back to our series on things to know about AWS Lambda! This time, we’ll be talking about the hidden concerns of network resources in Lambda functions. There are performance and cost implications in using lots of network resources in your Lambda app — and the last thing you want is one of these to sneak up on you!

ENI, VPC, and Lambda

Virtual Private Cloud (VPC) and Elastic Network Interfaces (ENI) can make deploying and scaling your Lambda applications very easy! However, there are some things to keep in mind when using them in tandem:

ENIs can be exhausted by too many Lambda functions, or by too many concurrent invocations, when using a VPC as well — Amazon’s documentation on VPCs gives more detail on how to be ready for lots of functions or concurrent invocations. Just be sure to keep an eye on your peak usage and Lambda-to-Lambda dependencies when using an AWS VPC.

Another common problem that can exhaust ENIs involves IAM permissions — if a Lambda execution role cannot detach ENIs, they are left attached even after the function has finished executing. Make sure the role your Lambdas execute under has permission to detach ENIs.
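A quick way to catch that misconfiguration before deploying is to lint the execution role's policy document for the ENI actions. The following is an added example, not code from the original post: it checks a policy (as the JSON-style dict boto3 returns) for the three EC2 actions that AWS's AWSLambdaVPCAccessExecutionRole managed policy grants, where the "detach" permission the post refers to is the ec2:DeleteNetworkInterface action. The two sample policies are constructed for illustration.

```python
import fnmatch

# EC2 actions the execution role needs so Lambda can create, look up and clean
# up the ENIs it attaches for a VPC-connected function (the three EC2 actions
# in AWS's AWSLambdaVPCAccessExecutionRole managed policy).
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

def _as_list(value):
    """IAM allows a single object or a list for Statement/Action; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _covers(statement, action):
    """True if the statement's Action (case-insensitive, * and ? wildcards) matches."""
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_eni_actions(policy):
    """Return the required ENI actions this policy document does not grant.

    An action counts as granted only if an Allow statement matches it and no
    Deny statement does (an explicit Deny overrides any Allow in IAM). Resource
    and Condition keys are ignored; the managed policy scopes these to "*".
    """
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in REQUIRED_ENI_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample: a role that can create ENIs but never delete them, so each
# interface Lambda attaches is left behind when the function finishes.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"]}]}

# Constructed sample: the corrected role, using a wildcard as hand-written policies often do.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*", "Action": "ec2:*NetworkInterface*"}}

if __name__ == "__main__":
    print(missing_eni_actions(LEAKY_POLICY), missing_eni_actions(FIXED_POLICY))
```

Run against a real role, fetch the inline and attached policy documents with boto3's IAM client and pass each one in; any non-empty result means ENIs will leak.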

ENI attachment can add seconds to a cold start — if you have a function that is not called regularly but attaches an ENI, every invocation after it has gone cold pays that cost. This is also something to keep in mind for functions that have concurrent invocation spikes, as these cause cold starts too.

Every Lambda function in a VPC that needs outside internet access needs a NAT — this can drive up costs if many Lambda functions in your app call outside APIs, or are called from outside the VPC they live in. You can learn more about the pricing in Amazon’s NAT documentation.

Implementation restrictions with network functions in Lambda

You cannot listen on sockets in a Lambda — this makes a lot of sense, as it would be expensive and against the way serverless works to leave a function running for the life of a socket!

You cannot use NET_RAW in Lambda functions — this rules out a few use cases, and the most basic one is that you cannot ping!