aws · mergify · Aug 11, 2020 · Aug 5, 2020 · Aug 6, 2020 · Aug 10, 2020
diff --git a/packages/@aws-cdk/aws-lambda/lib/function.ts b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -824,17 +824,7 @@ export class Function extends FunctionBase {
       }
     }
 
-    // Pick subnets, make sure they're not Public. Routing through an IGW
-    // won't work because the ENIs don't get a Public IP.
-    // Why are we not simply forcing vpcSubnets? Because you might still be choosing
-    // Isolated networks or selecting among 2 sets of Private subnets by name.
     const { subnetIds } = props.vpc.selectSubnets(props.vpcSubnets);
-    const publicSubnetIds = new Set(props.vpc.publicSubnets.map(s => s.subnetId));
-    for (const subnetId of subnetIds) {
-      if (publicSubnetIds.has(subnetId)) {
-        throw new Error('Not possible to place Lambda Functions in a Public subnet');
-      }
-    }
 
     // List can't be empty here, if we got this far you intended to put your Lambda
     // in subnets. We're going to guarantee that we get the nice error message by

diff --git a/packages/@aws-cdk/aws-lambda/test/test.vpc-lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.vpc-lambda.ts
@@ -212,14 +212,29 @@ export = {
     test.done();
   },
 
-  'picking public subnets is not allowed'(test: Test) {
+  'picking any subnet type is allowed'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();
-    const vpc = new ec2.Vpc(stack, 'VPC');
+    const vpc = new ec2.Vpc(stack, 'VPC', {
+      subnetConfiguration: [
+        {
+          name: 'Public',
+          subnetType: ec2.SubnetType.PUBLIC,
+        },
+        {
+          name: 'Private',
+          subnetType: ec2.SubnetType.PRIVATE,
+        },
+        {
+          name: 'Isolated',
+          subnetType: ec2.SubnetType.ISOLATED,
+        },
+      ],
+    });
 
     // WHEN
-    test.throws(() => {
-      new lambda.Function(stack, 'Lambda', {
+    test.doesNotThrow(() => {
+      new lambda.Function(stack, 'PublicLambda', {
         code: new lambda.InlineCode('foo'),
         handler: 'index.handler',
         runtime: lambda.Runtime.NODEJS_10_X,
@@ -228,6 +243,25 @@ export = {
       });
     });
 
+    test.doesNotThrow(() => {
+      new lambda.Function(stack, 'PrivateLambda', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'index.handler',
+        runtime: lambda.Runtime.NODEJS_10_X,
+        vpc,
+        vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE },
+      });
+    });
+
+    test.doesNotThrow(() => {
+      new lambda.Function(stack, 'IsolatedLambda', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'index.handler',
+        runtime: lambda.Runtime.NODEJS_10_X,
+        vpc,
+        vpcSubnets: { subnetType: ec2.SubnetType.ISOLATED },
+      });
+    });
     test.done();
   },
 };