AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. You upload your function code, define what triggers it, and AWS handles everything else — server provisioning, patching, scaling, high availability, and monitoring. Your code runs only when triggered and you pay only for the compute time consumed.

Lambda was released in 2014 and fundamentally changed how applications are built on AWS. Instead of running servers 24/7 waiting for requests, you write small, focused functions that execute only when needed — transforming fixed infrastructure costs into variable costs proportional to actual usage.

"Serverless" doesn't mean no servers — it means you don't think about servers. AWS runs your code on servers they manage, but the infrastructure is completely abstracted away. You focus solely on business logic.

Aspect	EC2 (Server-based)	Lambda (Serverless)
Provisioning	You choose instance type, size, count	Automatic — AWS allocates resources per invocation
Scaling	Configure ASG, min/max, policies	Instant — each event gets its own execution
Cost model	Pay per hour/second while running	Pay per invocation + milliseconds of compute
Maintenance	Patch OS, update runtimes, manage AMIs	AWS manages everything below your code
Idle cost	Running 24/7 even with zero traffic	$0 when not executing — true scale-to-zero
Max execution	Unlimited (server stays running)	15 minutes per invocation (hard limit)
State	Local disk, memory persists between requests	Stateless — no guaranteed persistence between calls

Think of Lambda like a taxi service vs owning a car:

Use Case	Pattern	Why Lambda Wins
REST API backend	API Gateway → Lambda → DynamoDB	Zero idle cost, auto-scales to any traffic level
File processing	S3 upload → Lambda → transform → S3	Process only when files arrive, pay per file
Queue consumer	SQS → Lambda batch processing	Scales consumers with queue depth automatically
Real-time streams	Kinesis/DynamoDB Streams → Lambda	Process each record as it arrives
Cron jobs	EventBridge schedule → Lambda	No server running 24/7 for a 5-second daily job
Webhooks	API Gateway → Lambda → forward/process	Handle sporadic external callbacks at any volume
ChatOps / Bots	API Gateway → Lambda → Slack/Teams	Idle 99% of the time — perfect for pay-per-use

A Lambda function is more than just code — it's a configuration bundle that tells AWS what to run, how to run it, and what permissions it has. Understanding these components is essential before writing your first function.

The handler is the method Lambda calls when your function is invoked. It receives two arguments: the event (input data from the trigger) and context (metadata about the invocation — remaining time, request ID, log group).

Runtime	Handler Format	Example
Node.js	file.exportedFunction	index.handler
Python	file.function_name	lambda_function.lambda_handler
Java	package.Class::method	com.example.Handler::handleRequest
Go	Binary name	main (compiled binary)
.NET	Assembly::Type::Method	MyApp::MyApp.Function::Handler

Lambda supports multiple managed runtimes. AWS maintains and patches these — you don't install anything. Choose based on your team's skills and performance requirements.

Runtime	Cold Start	Best For	Notes
Node.js 20	~100-200ms	APIs, lightweight processing	Most popular Lambda runtime. Fast cold starts.
Python 3.12	~150-250ms	Data processing, ML inference, scripting	Excellent library ecosystem (boto3, pandas).
Java 21	~800-3000ms	Enterprise apps, heavy computation	Slow cold start. Use SnapStart to reduce ~90%.
Go	~50-80ms	High-performance, low-latency	Fastest cold start. Compiled binary, no runtime overhead.
.NET 8	~300-600ms	Enterprise .NET ecosystems	AOT compilation available for faster starts.
Custom (AL2023)	Varies	Rust, C++, any language	You provide the runtime bootstrap binary.

Lambda doesn't let you choose CPU directly. Instead, CPU scales linearly with memory. More memory = more CPU = higher cost per millisecond. The sweet spot balances execution speed vs cost.

Memory	vCPU Equivalent	Cost/ms	Good For
128 MB	~0.08 vCPU	$0.0000000021	Simple transforms, tiny handlers
512 MB	~0.3 vCPU	$0.0000000083	API handlers, light processing
1,769 MB	1 full vCPU	$0.0000000292	Most production workloads
3,008 MB	2 vCPU	$0.0000000493	CPU-intensive tasks, image processing
10,240 MB	6 vCPU	$0.0000001667	ML inference, video processing

Every Lambda function has an execution role — an IAM role that grants permissions for what the function can access. This is the security boundary. A function with no S3 permissions cannot read S3, even if your code tries.

Environment variables inject configuration into your function without changing code. Use them for database endpoints, API keys, feature flags, and stage identifiers (dev/staging/prod). They are encrypted at rest using KMS.

Variable	Example Value	Purpose
TABLE_NAME	users-prod	DynamoDB table name (changes per environment)
STAGE	production	Control behavior per deployment stage
LOG_LEVEL	INFO	Adjust logging verbosity without redeploy
API_KEY	(encrypted)	External service credentials — use SSM/Secrets Manager instead for rotation

Layers let you package libraries, custom runtimes, or shared code separately from your function. This keeps deployment packages small and enables reuse across multiple functions.

Lambda supports versions (immutable snapshots) and aliases (named pointers to versions). This enables safe deployments and traffic shifting without changing client configurations.

Aliases enable canary deployments: route 10% of traffic to the new version while 90% stays on the stable version. If errors spike, roll back instantly by updating the alias pointer — no redeploy needed.

Setting	Default	Range	Notes
Memory	128 MB	128 – 10,240 MB	CPU scales proportionally. 1769MB = 1 vCPU.
Timeout	3 seconds	1s – 15 min	Set just above p99 duration + buffer.
Ephemeral /tmp	512 MB	512 MB – 10 GB	Persists across warm invocations only.
Concurrency	1000/region	0 – account limit	Per-function reserved concurrency available.
Package size	—	50 MB zip / 250 MB unzipped	Use layers or container images (10GB) for more.
Env vars	—	4 KB total	Encrypted at rest with KMS. Use SSM for large configs.
Layers	0	Max 5	Total unzipped must still be ≤250MB.

When Lambda receives an event, it finds (or creates) an execution environment — a lightweight container with your code, runtime, and dependencies. Understanding this lifecycle is the key to optimizing cold starts and managing state.

Lambda supports three invocation models. The model determines who waits for the result and who handles retries.

Type	Caller Waits?	Retry Behavior	Triggers	Error Handling
Synchronous	Yes — blocks until response	Caller must retry	API Gateway, ALB, SDK invoke	Error returned to caller directly
Asynchronous	No — 202 Accepted immediately	Lambda retries 2× (configurable)	S3, SNS, EventBridge, CloudFormation	DLQ or on-failure destination
Event Source Mapping	N/A — Lambda polls	Retries until success or expiry	SQS, Kinesis, DynamoDB Streams, Kafka	Bisect batch, maxRetries, DLQ

The most important performance concept in Lambda. A cold start happens when Lambda must create a new execution environment from scratch. A warm start reuses an existing environment — dramatically faster.

Aspect	Cold Start	Warm Start
When	First invocation, after idle (~5-15 min), code update, scaling up	Reuses existing container (within minutes of last invocation)
Latency added	100ms (Go) to 3000ms+ (Java unoptimized)	~1-5ms (just handler execution)
Init code runs?	Yes — code outside handler runs once	No — skips directly to handler
Connections	Must establish new DB/API connections	Reuses connections from init phase
Frequency	~1-5% of invocations under steady traffic	95-99% of invocations

Lambda reuses execution environments across multiple invocations. This is the single most important optimization concept — code outside the handler runs once and persists across warm invocations.

Each concurrent invocation gets its own execution environment. One environment handles one request at a time (no multi-threading across requests). If 100 requests arrive simultaneously, Lambda creates 100 environments.

Concurrency Type	What It Does	Cost	When to Use
Unreserved	Shares the account's 1000 pool with all functions	Free	Default — most functions
Reserved	Guarantees N environments for this function (throttles others)	Free	Critical functions that must never be throttled
Provisioned	Pre-warms N environments — always ready, no cold starts	$$$	Latency-sensitive APIs where cold starts are unacceptable

When concurrency limits are reached, Lambda throttles additional invocations. The throttling behavior depends on the invocation type:

Invocation Type	Throttle Behavior	Client Experience
Synchronous	Returns 429 TooManyRequestsException	Error returned to caller — must implement retry with backoff
Asynchronous	Event queued, retried for up to 6 hours	Caller got 202 already — unaware. Event eventually processes or goes to DLQ.
Event Source Mapping (SQS)	Messages stay in queue	Processing delayed — messages visible again after visibility timeout
Event Source Mapping (Kinesis)	Shard iterator paused	Records back up in stream — processing resumes when capacity frees

Lambda's retry behavior is completely different per invocation type. Misconfigured retries are the #1 cause of duplicate processing and unexpected costs in serverless systems.

Both handle failed events, but Destinations are the modern, more flexible approach — they can capture both success and failure, and support more targets.

Feature	DLQ (Legacy)	Destinations (Recommended)
Captures	Failures only	Success AND failure
Targets	SQS or SNS only	SQS, SNS, Lambda, EventBridge
Metadata	Original event only	Event + response + error + request context
Configuration	On the function itself	On the function (async config)
Invocation types	Async only	Async (+ stream ESM on-failure)

Lambda functions will process the same event multiple times. This is not a bug — it's by design (retries, at-least-once delivery from SQS, duplicate S3 notifications). Your functions must be idempotent: processing the same event twice must produce the same result without side effects.

Mistake	Impact	Fix
Creating DB connections inside handler	50-200ms added per invocation	Initialize outside handler — reuse across warm invocations
Ignoring retries → duplicate processing	Double charges, duplicate emails	Implement idempotency with unique keys
Using VPC unnecessarily	NAT Gateway cost + networking complexity	Only VPC when accessing private resources (RDS, Redis)
Setting memory too low	Slow execution (CPU starved) + higher total cost	Use Power Tuning tool to find optimal memory
Max timeout on API functions	Hung functions billed for 15 min	Set timeout to p99 + 20% buffer
No DLQ/destination configured	Failed events silently lost forever	Always configure on-failure destination

Lambda's value isn't just serverless compute — it's the universal glue between AWS services. Every major AWS service can trigger Lambda, and Lambda can call any AWS service via the SDK. This makes it the central nervous system of event-driven architectures.

The most common Lambda trigger. API Gateway handles HTTPS, authentication, throttling, and CORS — Lambda handles business logic. Together they form a serverless API backend.

S3 triggers Lambda when objects are created, modified, or deleted. This powers image processing, video transcoding, log analysis, and ETL pipelines — all without polling.

Lambda polls SQS queues and processes messages in batches. This decouples producers from consumers and enables reliable, scalable background processing with automatic retry and dead-letter handling.

SNS invokes Lambda asynchronously. One SNS topic can fan out to multiple Lambda functions (plus SQS, email, HTTP). This enables event broadcasting — one publish, many consumers.

When items change in DynamoDB, streams capture the before/after images. Lambda processes these changes in order — enabling real-time replication, notifications, materialized views, and audit logs.

EventBridge Rules trigger Lambda on schedules (cron/rate) or event patterns from AWS services and custom applications. It's the backbone of event-driven architectures on AWS.

Source	Invocation Type	Batch?	Retry	Common Pattern
API Gateway	Synchronous	No	Caller retries	REST/HTTP APIs
S3	Asynchronous	No	2× then DLQ	File processing, ETL
SNS	Asynchronous	No	2× then DLQ	Fan-out, notifications
SQS	Event Source Mapping	Yes (1-10)	Until visibility timeout	Queue consumers, background jobs
Kinesis	Event Source Mapping	Yes (1-10K)	Until record expires (24h-7d)	Real-time stream processing
DynamoDB Streams	Event Source Mapping	Yes (1-10K)	Until record expires (24h)	CDC, replication, triggers
EventBridge	Asynchronous	No	Configurable	Cron jobs, event routing
ALB	Synchronous	No	Caller retries	Multi-target groups, weighted routing
CloudFront (Lambda@Edge)	Synchronous	No	—	Request/response manipulation at edge

By default, Lambda runs in an AWS-managed VPC with internet access but no access to your private resources (RDS, ElastiCache, private EC2 instances). If your function needs to connect to a database in a private subnet, you must attach Lambda to your VPC.

When you attach Lambda to a VPC, AWS creates Elastic Network Interfaces (ENIs) in your specified subnets. Lambda execution environments use these ENIs to communicate with resources in the VPC. Since 2019, AWS uses Hyperplane ENIs — shared across functions in the same security group + subnet, dramatically reducing cold start impact.

Setting	Recommendation	Why
Subnets	Private subnets in 2+ AZs	HA — Lambda uses ENIs across specified subnets. Never use public subnets.
Security Group	Dedicated sg-lambda	Outbound: allow 5432 (Postgres), 6379 (Redis), 443 (HTTPS). Inbound: none.
Internet access	NAT Gateway in public subnet	Lambda in private subnet has no internet without NAT. Required for external APIs.
AWS services	VPC Endpoints for S3, DynamoDB	Gateway endpoints are free — avoid NAT data charges for S3/DynamoDB.
IAM role	Add AWSLambdaVPCAccessExecutionRole	Grants ec2:CreateNetworkInterface, DescribeNetworkInterfaces, DeleteNetworkInterface.
IP addresses	Ensure subnet has enough IPs	Hyperplane ENIs share IPs, but 1 ENI per unique (security group + subnet) pair.

Lambda in a VPC with internet access requires a NAT Gateway — and NAT Gateways are expensive. This is the biggest hidden cost of VPC-attached Lambda.

Lambda's security group controls outbound traffic from the function. The resources it connects to must allow inbound from the Lambda security group.

Rule	Lambda SG (sg-lambda)	RDS SG (sg-rds)	ElastiCache SG (sg-redis)
Inbound	None needed	5432 from sg-lambda	6379 from sg-lambda
Outbound	5432 to sg-rds 6379 to sg-redis 443 to 0.0.0.0/0 (HTTPS)	Default (allow all)	Default (allow all)

Lambda creates a new database connection per execution environment. At scale (100+ concurrent), this can overwhelm RDS (PostgreSQL default: 100 connections). RDS Proxy solves this by pooling connections.

Lambda performance optimization comes down to three things: reducing cold starts, right-sizing memory, and minimizing external call latency. Most performance issues are not Lambda's fault — they're network calls to databases and APIs.

Memory is the only resource knob. CPU scales with memory — but the relationship is non-linear for your workload. A CPU-bound function at 128MB may take 2000ms; at 1024MB it takes 250ms — 8× faster for 8× memory but same total cost.

Technique	Impact	Cost	Complexity
Init code outside handler	Reuse SDK clients, DB connections across warm invocations	Free	Low — restructure code
Smaller package	Reduce download time. Tree-shake, exclude dev deps	Free	Low — build optimization
Choose fast runtime	Go ~50ms, Node ~150ms, Java ~1-3s cold start	Free	Medium — language choice
Provisioned Concurrency	Eliminates cold starts entirely — pre-warmed	$$$ — pay for idle warm environments	Low — config only
SnapStart (Java only)	Snapshots init state, restores in ~200ms vs 3s	Free	Low — enable in config
ARM64 (Graviton2)	~10-15% faster, 20% cheaper per ms	Savings	Low — change architecture flag

Provisioned Concurrency keeps N execution environments pre-initialized and ready. No cold starts, guaranteed sub-100ms startup. Use it for latency-sensitive APIs where even occasional 1-second cold starts are unacceptable.

Lambda supports ARM64 (Graviton2) processors — 20% cheaper per GB-second and often 10-15% faster than x86. For most workloads, switching is a one-line config change with immediate savings.

Aspect	x86_64	arm64 (Graviton2)
Price per GB-sec	$0.0000166667	$0.0000133334 (20% less)
Performance	Baseline	~10-34% faster (workload dependent)
Compatibility	All runtimes, all native binaries	All managed runtimes. Native binaries must be ARM-compiled.
Migration effort	—	Pure Python/Node/Java: zero effort. C extensions: recompile.

Set timeout to p99 duration + 20% buffer, not the 15-minute max. Too-long timeouts waste money on hung invocations and delay error detection. Too-short timeouts cause false failures on legitimate slow paths.

Type	Default	Purpose	Behavior When Exceeded
Account limit	1000/region	Protect account from runaway scaling	Throttled (429) or queued depending on invocation type
Reserved concurrency	Not set	Guarantee capacity for critical functions	Other functions share remaining pool
Provisioned concurrency	Not set	Eliminate cold starts for N instances	Overflow uses on-demand (with cold starts)
Burst concurrency	500-3000/region	Allow rapid scale-up	After burst, scales +500/minute

Lambda shines in specific architectural patterns. These are battle-tested approaches used at scale by companies from startups to enterprises. Each pattern solves a different problem — choose based on your workload characteristics.

The most common Lambda pattern. API Gateway handles HTTP, auth, and throttling. Lambda handles business logic. DynamoDB handles state. Zero servers, zero idle cost, infinite scale.

Files arrive → Lambda processes → results go elsewhere. Each step is decoupled, independently scalable, and fault-isolated. Failed items go to dead-letter queues without blocking the pipeline.

SQS absorbs traffic spikes. Lambda processes at a controlled rate. This protects downstream services (databases, APIs) from being overwhelmed during bursts while ensuring every message is eventually processed.

Each microservice is a Lambda function (or group) with its own API, data store, and deployment lifecycle. Services communicate asynchronously via SNS/SQS/EventBridge — not direct invocation.

Replace cron servers and scheduled EC2 instances with EventBridge rules triggering Lambda. Zero idle cost between executions — pay only for the seconds your job actually runs.

For complex workflows with branching logic, retries, parallel steps, and human approval — use Step Functions to orchestrate multiple Lambda functions. Each function stays simple; the workflow defines the complexity.

Workload	Pattern	Key Services
CRUD API	Serverless REST API	API Gateway + Lambda + DynamoDB
File processing	Event-driven pipeline	S3 → Lambda → SQS → Lambda → S3
Background jobs	Queue-based load leveling	SQS → Lambda (reserved concurrency)
Microservices	Event mesh	EventBridge + Lambda per domain
Periodic tasks	Scheduled execution	EventBridge rule → Lambda
Multi-step workflow	Orchestration	Step Functions + Lambda functions
Real-time streams	Stream processing	Kinesis/DynamoDB Streams → Lambda
Fan-out notifications	Pub/Sub	SNS → multiple Lambda subscribers

Feature	Value
Compute Model	Serverless (event-driven)
Scaling	Automatic (0 → 1000+ concurrent)
Max Timeout	15 minutes
Max Memory	10,240 MB (6 vCPU equivalent)
State	Stateless (use DynamoDB/S3 for state)
Package Size	50 MB zipped / 250 MB unzipped (10 GB container image)
Concurrency Limit	1000/region (soft limit, can increase)
Billing	Per invocation ($0.20/1M) + per GB-second ($0.0000166667)
Billing Granularity	1ms increments (minimum 1ms)
Supported Runtimes	Node.js, Python, Java, Go, .NET, Ruby, Custom (AL2023)
VPC Support	Optional — via Hyperplane ENIs in private subnets
Ephemeral Storage	512 MB – 10 GB (/tmp)
Environment Variables	4 KB total, encrypted at rest (KMS)
Layers	Max 5 per function, 250 MB total unzipped
Async Retries	0, 1, or 2 (configurable)
ARM64 Savings	20% cheaper per GB-second