Yesterday, AWS announced tenant isolation mode for Lambda, enabling strict isolation of request processing for individual tenants in multi-tenant applications. Today, we're releasing support for this feature in Proxylity UDP Gateway's Lambda destinations. We'll try to do better next time.
Lambda's new tenant isolation mode extends Lambda's isolation boundary from a single function to each tenant invoking that function. When enabled, Lambda ensures that execution environments associated with a particular tenant are never used to serve requests from other tenants. This simplifies building multi-tenant SaaS applications with strict isolation requirements—no more maintaining dedicated Lambda functions per tenant or custom routing logic.
When configuring a Lambda destination in UDP Gateway, you can now specify a tenant identifier in the destination's arguments. Proxylity will include this identifier when invoking your Lambda function, ensuring proper tenant isolation at the execution environment level.
Configuration example (JSON):
{
  "DestinationArn": "arn:aws:lambda:us-east-1:123456789012:function:ProcessDeviceData",
  "Arguments": {
    "TenantId": "customer-123"
  }
}
Lambda will route all invocations with the same tenant ID to isolated execution environments, ensuring that execution environments for one tenant are never reused for another.
For multi-tenant scenarios where different packets contain tenant identifiers, you can extract the tenant ID dynamically from packet content using TenantIdExpression:
Dynamic tenant ID example (JSON):
{
  "DestinationArn": "arn:aws:lambda:us-east-1:123456789012:function:ProcessDeviceData",
  "Arguments": {
    "TenantIdExpression": "[0:8]",
    "TenantIdFormatter": "hex"
  }
}
This extracts the first 8 bytes of each packet as the tenant identifier, formatted as hexadecimal. Packets with different tenant IDs will be routed to separate execution environments automatically.
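The mapping described above, modeled offline as an added example (not Proxylity's or AWS's code), so you can check which packets would share a tenant ID and what to do with ones that carry none you recognize. It assumes "[0:8]" is a half-open byte range and that the hex formatter emits lowercase; the allowlist of known tenants, the rejection of short packets and the sample packets are choices of this example.

```python
import re
from collections import defaultdict

# Assumption: "[start:end]" is a half-open byte range, so "[0:8]" is the first 8 bytes.
_RANGE = re.compile(r"^\[(\d+):(\d+)\]$")

def parse_range(expr):
    """Return (start, end) for a "[start:end]" expression, or raise ValueError."""
    match = _RANGE.match(expr)
    if not match:
        raise ValueError(f"unsupported range expression: {expr!r}")
    start, end = int(match.group(1)), int(match.group(2))
    if end <= start:
        raise ValueError(f"empty range: {expr!r}")
    return start, end

def tenant_id(packet, expr="[0:8]"):
    """Hex tenant ID for one packet, or None if the packet is shorter than the range."""
    start, end = parse_range(expr)
    if len(packet) < end:
        return None  # this example's choice: never derive an ID from a truncated field
    return packet[start:end].hex()  # assumption: lowercase hex

def partition(packets, known_tenants, expr="[0:8]"):
    """Group packets by derived tenant ID; set aside short or unrecognized ones."""
    by_tenant, rejected = defaultdict(list), []
    for packet in packets:
        tid = tenant_id(packet, expr)
        if tid is None or tid not in known_tenants:
            rejected.append(packet)
        else:
            by_tenant[tid].append(packet)
    return dict(by_tenant), rejected

# Constructed sample input: an 8-byte tenant prefix followed by a payload.
KNOWN_TENANTS = {"00000000000000a1", "00000000000000b2"}
SAMPLE_PACKETS = [
    bytes.fromhex("00000000000000a1") + b"temp=21",
    bytes.fromhex("00000000000000b2") + b"temp=19",
    bytes.fromhex("00000000000000a1") + b"temp=22",
    bytes.fromhex("00000000000000ff") + b"temp=99",  # prefix not in KNOWN_TENANTS
    b"\x00\x01\x02",  # shorter than 8 bytes
]

if __name__ == "__main__":
    groups, rejected = partition(SAMPLE_PACKETS, KNOWN_TENANTS)
    print({tid: len(items) for tid, items in groups.items()}, "rejected:", len(rejected))
```

Because the identifier comes from bytes the sender chooses, a check like the allowlist in partition belongs in the function itself wherever tenant identity matters for authorization.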
Tenant isolation mode is ideal for SaaS platforms and multi-tenant applications that have strict security or compliance requirements around tenant data separation:
To enable tenant isolation mode, use the TenantId or TenantIdExpression arguments in your Lambda destination configuration. The resulting tenant identifier is included with each Lambda invocation, and Lambda uses it to maintain strict isolation boundaries. When TenantIdExpression is used, the binary range expression is evaluated for each packet and the result is used as the tenant identifier, allowing the isolation environment to be dynamically determined based on packet content.
CloudFormation example (static tenant identifier):
Properties:
  DestinationArn: !GetAtt ProcessorFunction.Arn
  Arguments:
    TenantId: customer-123
  BatchingConfiguration:
    MaxBatchSize: 100
    MaxBatchWindowSeconds: 5
Lambda tenant isolation mode support is available today in Proxylity UDP Gateway across all AWS Regions where both Proxylity and Lambda tenant isolation mode are supported. For Lambda tenant isolation mode regional availability, see the AWS announcement.
For more information on configuring Lambda destinations, see the Lambda destination documentation.
Get started with Proxylity UDP Gateway today. No upfront costs ‐ pay only for what you use.