Custom Domains for Lambda Function URLs

AWS has recently released a breakthrough feature for Lambda: Function URLs. You tick the box, you’re given a URL, and you can then invoke your Lambda function just by making requests to that URL. I think that for the right use cases, it’s a great addition, especially given the complexity of setting up an API Gateway without using third-party Terraform modules, where you’d have to worry about IAM permissions, logs, CORS, etc.

Lambda URLs indeed have the following advantages:

  • They’re free (API Gateways make you pay per request)
  • They’re (very) easy to use
  • They don’t have a time limit other than your Lambda’s (which means requests can take up to 15 minutes)

But there’s a slight inconvenience: as users noticed, you’re given a long, meaningless URL that can’t be customized or changed.

The Solution

Annoyed users, rejoice! You can front your Lambda with CloudFront using your own beautiful domain name. That’s arguably easier than setting up an API Gateway, bumps the runtime limit from 30 to 60 seconds [1], and you get to use the included customizable caching, among other things. You lose some of the benefits I’ve outlined before, though.

Lambda URL with a custom domain

To do that, you’ll need:

  • Your Lambda function and its Function URL, in whichever region you want
  • An ACM certificate for your domain or subdomain in the us-east-1 region
  • A CloudFront distribution, with Host header forwarding disabled
  • Route53 ALIAS A and AAAA records pointing to your distribution (or a third-party DNS CNAME)

If you’ve already set up CloudFront distributions before, the trickiest part might be disabling Host header forwarding, which is needed because the Function URL endpoint expects its own hostname in the Host header rather than your custom domain. You can’t ignore specific client headers in CloudFront, so you have to whitelist those that you do want to send to Lambda in your Origin Request Policy, or send none at all. For example:

CloudFront Origin Request Policy configuration
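
The check below is an added example, not part of the original post: it takes an origin request policy in the dict shape the CloudFront API uses, reports whether the viewer's Host header would reach the Function URL, and builds a whitelist policy that leaves Host out. The policy name and header list are constructed placeholders.

```python
# Added example (not from the original post). Policies use the dict shape of
# the CloudFront API's OriginRequestPolicyConfig, as passed to boto3's
# create_origin_request_policy(OriginRequestPolicyConfig=...).

def forwards_host(policy_config):
    """True if this origin request policy sends the viewer's Host header to the origin."""
    headers_cfg = policy_config["HeadersConfig"]
    behavior = headers_cfg["HeaderBehavior"]
    # Header names are case-insensitive, so compare in lower case.
    listed = {h.lower() for h in headers_cfg.get("Headers", {}).get("Items", [])}
    if behavior == "none":
        return False                 # no viewer headers forwarded
    if behavior == "whitelist":
        return "host" in listed      # only the listed headers are forwarded
    if behavior == "allExcept":
        return "host" not in listed  # everything but the listed headers
    # allViewer, allViewerAndWhitelistCloudFront, or an unknown value:
    # treat as forwarding Host so the audit fails closed.
    return True


def build_whitelist_policy(name, headers):
    """Build a whitelist policy config, refusing to include Host."""
    items = sorted(set(headers))
    if any(h.lower() == "host" for h in items):
        raise ValueError("Host must not be forwarded to a Lambda Function URL origin")
    if items:
        headers_config = {
            "HeaderBehavior": "whitelist",
            "Headers": {"Quantity": len(items), "Items": items},
        }
    else:
        headers_config = {"HeaderBehavior": "none"}  # "send none at all"
    return {
        "Name": name,
        "Comment": "Forward selected viewer headers, never Host",
        "HeadersConfig": headers_config,
        "CookiesConfig": {"CookieBehavior": "all"},
        "QueryStringsConfig": {"QueryStringBehavior": "all"},
    }


if __name__ == "__main__":
    # Constructed sample values: the policy name and header list are placeholders.
    policy = build_whitelist_policy("lambda-url-no-host", ["Accept", "Origin", "Referer"])
    print(policy["HeadersConfig"], "forwards Host:", forwards_host(policy))
```

Running `forwards_host` over the policy attached to the distribution's behavior before switching DNS catches an "all viewer headers" setting that would pass your custom hostname through to the Function URL.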

  1. And even more if you ask AWS Support for a quota increase.