Deploying Your First VPC-Backed Lambda Managed Instance

Setting up Lambda Managed Instances is not as simple as selecting a checkbox in the console. It requires a specific sequence of creating IAM roles, networking resources, and a Capacity Provider before you can even deploy code. Here is a step-by-step guide to getting it right.

Key Takeaways

The setup flow differs from standard Lambda in three main ways:

  • Dual IAM Roles: You need an Operator Role (for the infrastructure) and an Execution Role (for the code).
  • Sequence Matters: You must define the Capacity Provider with network details before creating the function.
  • Publishing is Mandatory: You cannot run code on the $LATEST alias; you must publish a version.

Step-by-Step Configuration

1. Create the IAM Roles

First, we need the Operator Role. This is new. It grants the Lambda service permission to manage EC2 resources (like ENIs and Instances) in your VPC. You will need to trust the `lambda.amazonaws.com` principal and attach the `AWSLambdaManagedEC2ResourceOperator` managed policy. Don’t forget your standard Execution Role (basic Lambda permissions) as well.

2. Configure Networking

You need a standard VPC setup. Create a dedicated security group for your Capacity Provider. This allows you to control traffic specifically for these instances. Ensure your subnets have routes to a NAT Gateway or VPC Endpoints if you need your function to talk to the internet or AWS services like S3.

3. Create the Capacity Provider

Use the AWS CLI to create the provider. This maps your network and infrastructure requirements. Note the `MaxVCpuCount`—this serves as your safety valve against runaway costs.

    aws lambda create-capacity-provider \
        --capacity-provider-name my-cp \
        --vpc-config SubnetIds=[subnet-123],SecurityGroupIds=[sg-456] \
        --permissions-config CapacityProviderOperatorRoleArn=arn:aws:iam::123456789012:role/MyOperatorRole \
        --instance-requirements Architectures=[x86_64] \
        --capacity-provider-scaling-config MaxVCpuCount=20

4. Deploy and Publish

When you create the function, you reference the Capacity Provider ARN. But here is the “gotcha” that trips up most engineers: it won’t run yet. You must execute `aws lambda publish-version`. Managed Instances only execute published versions of your code.
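As an added example (not code from the original post), here is a pre-flight check that turns the three takeaways above into assertions over a deployment plan, so a CI step can reject a misconfigured setup before any resource is created. The plan layout, the helper names, the `vcpu_ceiling` default and the sample IDs are assumptions constructed for this example; the trust policy shown is the standard form for trusting `lambda.amazonaws.com`.

```python
import json

LAMBDA_SERVICE = "lambda.amazonaws.com"
OPERATOR_POLICY = "AWSLambdaManagedEC2ResourceOperator"

# Trust policy for the Operator Role from step 1 (constructed sample).
OPERATOR_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

def operator_role_trust_ok(trust_policy: dict) -> bool:
    """Every statement must let only the Lambda service assume the role."""
    stmts = trust_policy.get("Statement", [])
    return bool(stmts) and all(
        s.get("Effect") == "Allow" and s.get("Action") == "sts:AssumeRole"
        and s.get("Principal", {}).get("Service") == LAMBDA_SERVICE
        for s in stmts)

def check_plan(plan: dict, vcpu_ceiling: int = 64) -> list:
    """Return the problems found in a deployment plan; empty means it passes."""
    problems = []
    op = plan["operator_role"]
    if not operator_role_trust_ok(op["trust_policy"]):
        problems.append("operator role must trust only lambda.amazonaws.com")
    if OPERATOR_POLICY not in op["attached_policies"]:
        problems.append(f"operator role lacks {OPERATOR_POLICY}")
    if plan["execution_role_arn"] == op["arn"]:
        problems.append("execution role must be separate from operator role")
    cp = plan["capacity_provider"]
    if plan["vpc"]["default_sg"] in cp["security_group_ids"]:
        problems.append("capacity provider must use a dedicated security group")
    if not 0 < cp["max_vcpu_count"] <= vcpu_ceiling:
        problems.append(f"MaxVCpuCount must be between 1 and {vcpu_ceiling}")
    if plan["function"]["version"] == "$LATEST":
        problems.append("publish a version; managed instances do not run $LATEST")
    return problems

# Constructed plan matching the post's walkthrough; IDs are placeholders.
GOOD_PLAN = {
    "operator_role": {"arn": "arn:aws:iam::123456789012:role/MyOperatorRole",
                      "trust_policy": OPERATOR_TRUST_POLICY,
                      "attached_policies": [OPERATOR_POLICY]},
    "execution_role_arn": "arn:aws:iam::123456789012:role/MyExecRole",
    "vpc": {"default_sg": "sg-0default"},
    "capacity_provider": {"security_group_ids": ["sg-456"], "max_vcpu_count": 20},
    "function": {"version": "1"},
}
```

`check_plan(GOOD_PLAN)` returns an empty list; swapping in `$LATEST`, the VPC's default security group or an oversized `MaxVCpuCount` yields one message per violation.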

Conclusion

The barrier to entry is slightly higher here than with standard Lambda, but this stringent configuration ensures that your infrastructure is secure and bounded from the start.