This chapter covers Lambda Function URLs, a feature that allows you to invoke a Lambda function directly via an HTTPS endpoint without using API Gateway or other services. For the DVA-C02 exam, this is a relatively new but increasingly tested topic, appearing in roughly 5-8% of questions related to serverless application development. Understanding when to use Function URLs versus API Gateway, how to configure auth types (NONE vs AWS_IAM), and how to handle CORS and throttling is essential for passing the exam. We will dive deep into the mechanics, configuration, and exam traps.
Jump to a section
Imagine a busy train station where each passenger can have a personal locker. Normally, to access a locker, you need to go through a station agent who checks your ID, looks up your ticket, and then opens a specific locker for you. This is like a Lambda function behind API Gateway: the agent (API Gateway) handles authentication, rate limiting, and routing. Now, suppose the station installs a new type of locker: a "direct-access locker." This locker has a unique public URL printed on it. Anyone who knows that URL can approach the locker directly, without talking to the agent. The locker itself has a simple lock: it can be set to "open to anyone" (public) or "only open if you have a specific key" (AWS_IAM auth). When someone inserts a key that matches, the locker door swings open, and the person can place or retrieve a package (the HTTP request/response). There is no agent to throttle or log the interaction — the locker handles it directly. However, the locker is still part of the station's security system: if it's set to require a key, only passengers with the correct key (IAM credentials) can open it. The key is not a physical key but a digital signature generated by AWS Signature Version 4. This direct-access locker is perfect for quick, simple interactions where you don't need the full services of an agent, like a quick package drop-off. But you lose the agent's abilities: no custom domain, no API keys, no usage plans, no WAF integration. The locker is also exposed to the internet by default — if you leave it unlocked (public), anyone can access it. So you must carefully decide whether the convenience of direct access outweighs the need for advanced security and management features.
What is a Lambda Function URL?
A Lambda Function URL is a dedicated HTTPS endpoint for a Lambda function. It is a native feature of AWS Lambda, introduced in April 2022, that allows you to invoke a function directly via HTTP without needing an intermediary like API Gateway or Application Load Balancer. The URL is automatically generated when you create it, and it follows the format: https://<url-id>.lambda-url.<region>.on.aws/. The url-id is a unique 12-character alphanumeric string generated by AWS. Each function can have only one Function URL at a time, but you can delete and recreate it to get a new URL.
Why does it exist?
Before Function URLs, the only way to expose a Lambda function to HTTP requests was through API Gateway (REST or HTTP API), ALB, or a custom integration with CloudFront. These services add complexity, cost, and latency. Function URLs provide a simpler, cheaper alternative for use cases where you don't need the advanced features of API Gateway, such as request validation, throttling, API keys, usage plans, custom domains, or WAF integration. Common use cases include webhooks, simple APIs, and serverless backend for single-page applications.
How does it work internally?
When a client sends an HTTPS request to the Function URL, AWS Lambda's infrastructure receives it and performs the following steps:
TLS Termination: The request is terminated at the AWS edge using a TLS certificate managed by AWS. The certificate is for the *.lambda-url.<region>.on.aws domain. You cannot use a custom domain with Function URLs.
Authentication Check: If the auth type is AWS_IAM, the request must be signed using AWS Signature Version 4. The Lambda service verifies the signature using the caller's IAM credentials. If the signature is invalid or missing, the service returns a 403 Forbidden error. If auth type is NONE, no authentication is performed – any client can invoke the function.
Request Transformation: The incoming HTTP request is converted into a Lambda event object. The event structure is similar to the one used by API Gateway but with some differences. The event includes headers, query string parameters, the HTTP method, the path (which is always "/" because the URL does not support path routing – all requests go to the same function), the body (base64-encoded if binary), and request context (e.g., account ID, function ARN, request ID).
Invocation: Lambda invokes the function synchronously. The function must return a response within the function timeout (max 15 minutes). If the function returns an error, Lambda returns a 502 Bad Gateway or 500 Internal Server Error depending on the error type.
Response Transformation: The function's response is converted into an HTTP response. The response must be a JSON object with a statusCode, headers (optional), and body (string). If the body is binary, it must be base64-encoded and the isBase64Encoded field set to true. Lambda sends this response back to the client.
Key Components, Values, Defaults, and Timers
- URL Format: https://<url-id>.lambda-url.<region>.on.aws/. The url-id is unique per region and account.
- Auth Types:
- NONE: No authentication. Anyone with the URL can invoke the function.
- AWS_IAM: Requests must be signed with IAM credentials that have lambda:InvokeFunctionUrl permission.
- CORS: You can configure CORS headers (AllowOrigins, AllowMethods, AllowHeaders, ExposeHeaders, MaxAge, AllowCredentials) when creating the URL. These are returned in preflight OPTIONS responses automatically. If not configured, CORS is disabled.
- Throttling: Function URLs are subject to the same concurrency limits as the function. There is no separate throttling mechanism. The default reserved concurrency is 1,000 per region but can be increased. If the function is throttled, the request receives a 429 Too Many Requests response.
- Timeout: The function timeout applies (max 15 minutes). The URL itself has no separate timeout.
- Payload Size: The maximum request/response payload size is 6 MB (same as synchronous invocation).
- Headers: Certain headers are restricted and cannot be set in the response (e.g., Connection, Transfer-Encoding, Via, X-Forwarded-For).
- Logging: All invocations are logged in CloudWatch Logs if the function has logging enabled. There is no access logging at the URL level.
Configuration and Verification Commands
You can create a Function URL using the AWS CLI, SDK, or CloudFormation. Example CLI command to create a URL with AWS_IAM auth:
aws lambda create-function-url-config --function-name my-function --auth-type AWS_IAM --cors '{"AllowOrigins":["https://example.com"],"AllowMethods":["GET","POST"]}'To get the URL:
aws lambda get-function-url-config --function-name my-functionTo update auth type:
aws lambda update-function-url-config --function-name my-function --auth-type NONETo delete:
aws lambda delete-function-url-config --function-name my-functionIn CloudFormation:
MyFunctionUrl:
Type: AWS::Lambda::Url
Properties:
TargetFunctionArn: !GetAtt MyFunction.Arn
AuthType: AWS_IAM
Cors:
AllowOrigins:
- "https://example.com"
AllowMethods:
- "GET"
- "POST"Interaction with Related Technologies
API Gateway: The main alternative. API Gateway offers features like custom domains, usage plans, API keys, request validation, throttling, WAF integration, and path routing. Use API Gateway for complex APIs. Use Function URLs for simple, single-endpoint use cases.
ALB: Also supports Lambda as a target, but requires a VPC and offers path-based routing. Function URLs are simpler for internet-facing endpoints.
CloudFront: You can put CloudFront in front of a Function URL to add a custom domain, WAF, and caching. However, this adds complexity and cost. Native Function URLs do not support custom domains.
IAM: For AWS_IAM auth, you must attach a resource-based policy to the function that allows lambda:InvokeFunctionUrl. The principal must also have lambda:InvokeFunctionUrl permission in their IAM policy.
Exam-Relevant Details
Function URLs are synchronous only. Asynchronous invocation is not supported.
The URL itself is immutable after creation. To change the URL, you must delete and recreate it.
You can only have one Function URL per function.
There is no built-in throttling or rate limiting. Use reserved concurrency to control concurrency.
The function must be in the same account and region as the URL.
The $default stage is not applicable; there is no concept of stages.
The request event does not include requestContext.stage or requestContext.resourcePath.
The path is always /; you cannot have path parameters.
The function must return a valid JSON response with statusCode, headers (optional), and body (string). If the body is binary, isBase64Encoded must be true.
The maximum payload size is 6 MB (synchronous invocation limit).
The URL is publicly accessible if auth type is NONE. Be careful with sensitive data.
The URL is automatically deleted when the function is deleted.
You can use the Qualifier parameter to point the URL to a specific function alias or version. If not specified, it points to $LATEST.
Security Considerations
If you use AWS_IAM, ensure your IAM policies are scoped down. The caller needs lambda:InvokeFunctionUrl on the function ARN. Example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunctionUrl",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
}
]
}The function's resource-based policy must also allow the principal. By default, the function URL works without a resource-based policy if the caller has lambda:InvokeFunctionUrl permission. However, for cross-account access, you need a resource-based policy.
CORS is optional but important for browser-based clients. If CORS is not configured, browsers block cross-origin requests.
There is no built-in DDoS protection. Consider using CloudFront or AWS WAF if needed.
Common Use Cases
Webhooks from external services (e.g., GitHub, Stripe) that need a simple HTTPS endpoint.
Simple APIs for internal tools or small projects.
Serverless backend for a single-page application (SPA) where you control the client.
Prototype or MVP where you want to avoid API Gateway complexity.
Limitations
No custom domain.
No path-based routing (only one endpoint per function).
No request validation.
No throttling or usage plans.
No WAF integration.
No API keys.
No caching.
No integration with AWS X-Ray for tracing (though the function itself can use X-Ray).
Maximum 6 MB payload.
Synchronous only.
Comparison with API Gateway HTTP API
API Gateway HTTP API is the closest alternative. It also offers a simple, low-cost API endpoint. Key differences:
HTTP API supports custom domains, throttling, WAF, and request validation.
HTTP API supports multiple routes and methods.
HTTP API has a higher payload limit (10 MB).
HTTP API supports WebSocket.
HTTP API has a cost per request, while Function URLs have no additional cost beyond Lambda execution.
In summary, Function URLs are ideal for simple, single-endpoint use cases where you want to avoid the overhead and cost of API Gateway. For anything more complex, use API Gateway.
Create or Identify Lambda Function
First, you need an existing Lambda function. This function will be invoked when the URL is called. The function can be written in any supported runtime. Ensure the function has the necessary IAM role for logging or accessing other AWS services. The function must be in the same AWS account and region where you will create the URL. There is no specific permission required for the function to have a URL, but if you use AWS_IAM auth, you need to manage permissions for callers.
Create the Function URL Configuration
Use the AWS CLI, SDK, or CloudFormation to create the Function URL. You must specify the function name (or ARN) and the auth type (NONE or AWS_IAM). Optionally, you can configure CORS settings. The CLI command is `aws lambda create-function-url-config`. The response includes the Function URL and the auth type. The URL is automatically generated and cannot be customized. Once created, the URL is immediately active.
Configure IAM Permissions (if AWS_IAM)
If you chose AWS_IAM auth, you must grant the `lambda:InvokeFunctionUrl` permission to any principal that should be allowed to invoke the function via the URL. This is done via a resource-based policy on the function or an IAM policy on the caller. The resource-based policy can be attached using `aws lambda add-permission` with `Action: lambda:InvokeFunctionUrl`. The caller's IAM policy must also allow this action. Without proper permissions, the request receives a 403 error.
Client Sends HTTPS Request
The client sends an HTTPS request to the Function URL. If auth type is AWS_IAM, the request must be signed using AWS Signature Version 4. The signing process includes the HTTP method, headers, and body. The client must have the necessary IAM credentials (access key and secret key). If auth type is NONE, no signing is required. The URL is publicly accessible, so anyone can send requests.
Lambda Invocation and Response
AWS Lambda receives the request, authenticates it (if AWS_IAM), transforms it into a Lambda event, and invokes the function synchronously. The function executes and returns a response. The response must be a JSON object with `statusCode`, `headers` (optional), and `body` (string). If the body is binary, `isBase64Encoded` must be `true`. Lambda then converts this into an HTTP response and sends it back to the client. If the function returns an error, Lambda returns a 502 or 500 error.
Enterprise Scenario 1: Stripe Webhook Handler
A SaaS company needs to handle Stripe webhooks for payment events. They have a Lambda function that processes the event and updates the database. Using API Gateway would add cost and complexity for a single endpoint. They create a Function URL with auth type NONE (since Stripe signs the webhook payload with a secret, not AWS IAM). They configure the URL and provide it to Stripe. The function verifies the Stripe signature inside the code. They also configure CORS if needed (not for webhooks). The URL is simple and cost-effective. At scale, they handle thousands of webhooks per second. The main concern is throttling: if the function's reserved concurrency is too low, Stripe may receive 429 errors. They set reserved concurrency to 500 to handle peak load. Misconfiguration: if they accidentally set auth type to AWS_IAM, Stripe cannot invoke the function, and they get 403 errors. They also need to ensure the function logs errors to CloudWatch for debugging.
Enterprise Scenario 2: Internal Microservice for a Single-Page Application
A company builds an internal dashboard SPA that fetches data from a Lambda function. The SPA is hosted on a private corporate domain. They want to restrict access to employees only. They create a Function URL with auth type AWS_IAM. The SPA uses a Cognito Identity Pool to get temporary AWS credentials. The JavaScript client signs the request using the AWS SDK for JavaScript. The function returns JSON data. CORS is configured to allow the corporate domain. The URL is not exposed to the public internet. This setup is simpler than API Gateway because they don't need custom domains or API keys. At scale, they handle 1000 concurrent users. The main challenge is CORS: if the CORS configuration is missing or incorrect, the browser blocks the request. They also need to ensure the IAM role for the identity pool has the lambda:InvokeFunctionUrl permission. Misconfiguration: if they set auth type to NONE, anyone can access the function, which is a security risk.
Enterprise Scenario 3: Prototype for a New Feature
A startup is building a new feature and wants to quickly test an API endpoint. They use a Function URL to avoid the overhead of setting up API Gateway. They set auth type to NONE for simplicity. The function returns mock data. Once the prototype is validated, they plan to migrate to API Gateway for production. The URL is easy to share with frontend developers. The main risk is that the endpoint is publicly accessible and could be abused. They mitigate by using a unique, hard-to-guess URL and monitoring CloudWatch logs for unusual activity. They also set a low reserved concurrency to limit impact. Misconfiguration: they forget to delete the URL after moving to production, leaving an unsecured endpoint that could leak data.
DVA-C02 Exam Focus on Lambda Function URLs
The DVA-C02 exam tests your ability to choose the right service for exposing Lambda functions to HTTP requests. Specifically, Objective 1.1: "Develop code for serverless applications" includes understanding Lambda triggers and invocation modes. Function URLs are a relatively new feature, so they appear in questions that compare options for simple API endpoints.
Common Wrong Answers and Why Candidates Choose Them
"Use API Gateway REST API" – Many candidates default to API Gateway because it is the traditional choice. However, for a simple single-endpoint use case with no need for custom domains, throttling, or API keys, a Function URL is simpler and cheaper. The exam often presents a scenario where the requirement is minimal, and the correct answer is Function URL.
"Use ALB" – ALB is another option, but it requires a VPC and is more complex. Candidates might choose ALB because they think it provides better security, but for a simple internet-facing endpoint, Function URL is more appropriate.
"Use Lambda with a custom domain via Route 53" – Function URLs do not support custom domains. Candidates might think they can use Route 53 to point a custom domain to the URL, but that is not possible because the URL is not a fixed IP and AWS does not allow CNAME at the root. The correct approach is to use CloudFront with a custom domain in front of the Function URL.
"Function URL supports asynchronous invocation" – This is false. Function URLs only support synchronous invocation. Candidates may confuse it with Lambda's async invocation from other services.
Specific Numbers, Values, and Terms on the Exam
6 MB: Maximum payload size for request/response.
15 minutes: Maximum function timeout.
Auth types: NONE and AWS_IAM.
URL format: https://<url-id>.lambda-url.<region>.on.aws/.
Only one URL per function.
No stages, no path routing.
CORS configuration is optional.
Throttling is based on function concurrency.
Edge Cases and Exceptions
Cross-account access: If you need to allow another account to invoke the function via URL, you must use AWS_IAM auth and add a resource-based policy allowing the other account's principal. The URL itself is still in your account.
Using with aliases: You can specify a qualifier (alias or version) when creating the URL. If you update the alias, the URL automatically points to the new version.
Deleting the function: The URL is deleted automatically.
Changing auth type: You can update the auth type without deleting the URL.
CORS preflight: Lambda automatically handles OPTIONS requests if CORS is configured. You do not need to write code for that.
How to Eliminate Wrong Answers
If the scenario mentions a custom domain, eliminate Function URL.
If the scenario requires path-based routing (e.g., /users and /orders), eliminate Function URL.
If the scenario requires request validation or throttling, eliminate Function URL.
If the scenario requires API keys or usage plans, eliminate Function URL.
If the scenario requires a simple, single-endpoint API with minimal cost, choose Function URL.
If the scenario requires IAM auth but no other API Gateway features, Function URL is a valid choice.
If the scenario mentions WebSocket, eliminate Function URL.
Remember: Function URLs are the simplest option. The exam tests your ability to recognize when a simple solution is sufficient versus when you need the complexity of API Gateway.
Lambda Function URLs provide a simple HTTPS endpoint for synchronous invocation of a Lambda function.
Auth types: NONE (public) or AWS_IAM (requires Signature V4 signing).
Only one URL per function; URL format: https://<url-id>.lambda-url.<region>.on.aws/.
No custom domains, no path routing, no stages, no API keys, no throttling.
Maximum payload size is 6 MB, function timeout max 15 minutes.
CORS can be configured; OPTIONS requests are handled automatically.
Use for simple webhooks, single-endpoint APIs, or prototypes; use API Gateway for complex APIs.
The URL is deleted when the function is deleted.
These come up on the exam all the time. Here's how to tell them apart.
Lambda Function URL
No additional cost beyond Lambda execution
Only one endpoint per function
No custom domain support
No built-in throttling
Maximum payload 6 MB
API Gateway HTTP API
Cost per request (varies by region)
Multiple routes and methods
Supports custom domains
Built-in throttling and rate limiting
Maximum payload 10 MB
Mistake
Lambda Function URLs support custom domains like api.example.com.
Correct
Function URLs do not support custom domains. The URL is fixed to the `*.lambda-url.<region>.on.aws` domain. To use a custom domain, you must put CloudFront or API Gateway in front.
Mistake
You can have multiple Function URLs for the same Lambda function.
Correct
Each Lambda function can have only one Function URL at a time. If you need multiple endpoints, consider API Gateway or multiple functions.
Mistake
Function URLs support both synchronous and asynchronous invocation.
Correct
Function URLs only support synchronous invocation. The client waits for the response. Asynchronous invocation is not available.
Mistake
Function URLs have built-in throttling and rate limiting.
Correct
No. Throttling is based solely on the function's reserved concurrency. There is no separate throttling mechanism. If the function is at max concurrency, new requests receive a 429 error.
Mistake
Function URLs require a VPC or private network access.
Correct
Function URLs are always public internet endpoints. They do not require a VPC. If you need private access, use API Gateway with a VPC endpoint or ALB.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. Lambda Function URLs do not support custom domains. The URL is always in the format `https://<url-id>.lambda-url.<region>.on.aws/`. If you need a custom domain, you must place CloudFront or API Gateway in front of the function.
Set the auth type to AWS_IAM. Then, only requests signed with valid IAM credentials that have the `lambda:InvokeFunctionUrl` permission will succeed. You can also use a resource-based policy to allow specific principals. For public access, use auth type NONE, but be aware that anyone with the URL can invoke the function.
The maximum payload size is 6 MB for both request and response. This is the same limit as synchronous Lambda invocations. If you need larger payloads, consider using API Gateway (10 MB) or S3 presigned URLs.
No. Each Lambda function can have only one Function URL at a time. If you need multiple endpoints, you must create multiple functions or use API Gateway with multiple routes pointing to the same function.
No. Function URLs only support synchronous invocation. The client sends a request and waits for the response. For asynchronous invocation, you would need to use an event source like S3 or SNS, or call the Lambda API directly with `InvocationType: Event`.
You can configure CORS when creating or updating the Function URL via the AWS CLI, SDK, or CloudFormation. Specify allowed origins, methods, headers, etc. Lambda automatically handles OPTIONS preflight requests based on your configuration. You do not need to write code for CORS.
The Function URL is automatically deleted when the Lambda function is deleted. You do not need to delete it separately. If you recreate the function with the same name, you will get a new URL.
You've just covered Lambda Function URLs — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?