Core Concepts

Understanding Lambda's fundamental concepts will help you make the most of the platform.




Instances

An instance is an isolated compute environment where your applications run.

Instance Lifecycle

States

| State | Description | Billing |
|---|---|---|
| Creating | Instance is being provisioned | No |
| Running | Instance is active and accessible | Yes |
| Stopped | Instance is paused | Storage only |
| Destroyed | Instance is permanently deleted | No |

Instance Types

Lambda offers various instance types optimized for different workloads:

Compute-Optimized (compute-*)

Best for CPU-intensive applications:

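| Type | vCPU | RAM | Storage | Network | Price/hr |
|---|---|---|---|---|---|
| compute-1x | 1 | 2GB | 25GB | 1Gbps | $0.05 |
| compute-2x | 2 | 4GB | 50GB | 2Gbps | $0.10 |
| compute-4x | 4 | 8GB | 100GB | 5Gbps | $0.20 |
| compute-8x | 8 | 16GB | 200GB | 10Gbps | $0.40 |
| compute-16x | 16 | 32GB | 400GB | 10Gbps | $0.80 |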

Memory-Optimized (memory-*)

Best for memory-intensive applications:

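| Type | vCPU | RAM | Storage | Network | Price/hr |
|---|---|---|---|---|---|
| memory-2x | 2 | 16GB | 50GB | 2Gbps | $0.15 |
| memory-4x | 4 | 32GB | 100GB | 5Gbps | $0.30 |
| memory-8x | 8 | 64GB | 200GB | 10Gbps | $0.60 |
| memory-16x | 16 | 128GB | 400GB | 10Gbps | $1.20 |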

Storage-Optimized (storage-*)

Best for I/O-intensive applications:

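| Type | vCPU | RAM | Storage | IOPS | Price/hr |
|---|---|---|---|---|---|
| storage-2x | 2 | 8GB | 500GB | 10K | $0.20 |
| storage-4x | 4 | 16GB | 1TB | 20K | $0.40 |
| storage-8x | 8 | 32GB | 2TB | 40K | $0.80 |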

GPU-Enabled (gpu-*)

Best for ML/AI workloads:

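| Type | GPU | vCPU | RAM | Storage | Price/hr |
|---|---|---|---|---|---|
| gpu-1x | 1x A100 | 8 | 64GB | 500GB | $2.50 |
| gpu-2x | 2x A100 | 16 | 128GB | 1TB | $5.00 |
| gpu-4x | 4x A100 | 32 | 256GB | 2TB | $10.00 |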

Regions

A region is a geographic location where your instance runs.

Available Regions

| Code | Location | Latency (US West) | Status |
|---|---|---|---|
| us-west-1 | California, USA | - | |
| us-east-1 | Virginia, USA | ~70ms | |
| eu-west-1 | Ireland | ~140ms | |
| eu-central-1 | Frankfurt, Germany | ~160ms | |
| ap-southeast-1 | Singapore | ~180ms | |
| ap-northeast-1 | Tokyo, Japan | ~100ms | |
| ap-south-1 | Mumbai, India | ~220ms | |
| sa-east-1 | São Paulo, Brazil | ~200ms | |

Choosing a Region

Considerations:

  1. Latency: Choose the region closest to your users
  2. Compliance: Some regions are suited to specific regulations (GDPR, etc.)
  3. Availability: Check region status before deploying critical workloads
  4. Pricing: Pricing is consistent across regions

Region Features

All regions support:

  • ✓ Secure enclaves (SGX or SEV)
  • ✓ Same instance types
  • ✓ Same pricing
  • ✓ Same privacy guarantees
  • ✓ Cross-region networking

Storage

Lambda provides encrypted, high-performance storage for your instances.

Storage Types

Root Volume

  • Automatically created with every instance
  • Contains OS and system files
  • Size depends on instance type
  • Encrypted at rest
  • Persists when instance is stopped
  • Deleted when instance is destroyed

Data Volumes

  • Additional storage you can attach
  • Independent lifecycle from instances
  • Can be attached/detached dynamically
  • Fully encrypted
  • Snapshots available
  • Can be resized online

Storage Features

┌─────────────────────────────────────┐
│        Your Application             │
└───────────┬─────────────────────────┘
            │
            ▼
┌─────────────────────────────────────┐
│     Encrypted File System           │
│  (Your Encryption Key Required)     │
└───────────┬─────────────────────────┘
            │
            ▼
┌─────────────────────────────────────┐
│       NVMe SSD Storage              │
│   (Hardware-Level Encryption)       │
└─────────────────────────────────────┘

Creating Data Volumes

Via Dashboard:

  1. Go to Dashboard → Volumes
  2. Click "Create Volume"
  3. Configure:
    • Name: my-data
    • Size: 100 GB
    • Region: us-west-1
  4. Click "Create"
  5. Attach to instance: Click volume → "Attach" → Select instance

Via CLI:

# Create a 100GB volume
lambda create volume \
  --name my-data \
  --size 100GB \
  --region us-west-1

# Attach to instance
lambda attach volume vol_abc123 --instance inst_xyz789

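# Inside the instance: format the new volume (first use only, since mkfs
# erases any data already on the device), then mount it
sudo mkfs.ext4 /dev/vdb
sudo mkdir -p /mnt/data
sudo mount /dev/vdb /mnt/data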

Pricing

| Resource | Price |
|---|---|
| Root volume | Included in instance price |
| Data volume | $0.10/GB/month |
| Snapshot | $0.05/GB/month |
| I/O operations | Free (no per-operation charges) |

Networking

Lambda provides private, isolated networking with optional public internet access.

Network Architecture

              Internet
                 │
                 ▼
      ┌────────────────────────┐
      │    Load Balancer       │
      │   (Optional, Public)   │
      └──────────┬─────────────┘
                 │
                 ▼
      ┌───────────────────────┐
      │   Firewall Rules      │
      │  (You Control Access) │
      └──────────┬────────────┘
                 │
                 ▼
      ┌───────────────────────┐
      │   Your Instance       │
      │ (Private Network)     │
      └───────────────────────┘

IP Addresses

Public IP

  • Assigned to each instance by default
  • Static (doesn't change unless you release it)
  • Used for internet access
  • Can be disabled for completely private instances

Private IP

  • Used for instance-to-instance communication
  • Never exposed to internet
  • Free inter-instance traffic
  • Supports VPN connections

Networking Commands

# List network interfaces
lambda network list inst_abc123

# Assign static IP
lambda network assign-ip inst_abc123

# Enable private networking
lambda network create-vpc \
  --name my-private-network \
  --cidr 10.0.0.0/16

# Add instance to VPC
lambda network attach inst_abc123 --vpc vpc_xyz789

Bandwidth

| Instance Type | Bandwidth | Data Transfer Cost |
|---|---|---|
| compute-1x/2x | 1-2 Gbps | Free |
| compute-4x/8x | 5-10 Gbps | Free |
| compute-16x+ | 10 Gbps | Free |

Lambda doesn't charge for data transfer (egress is free).


SSH Keys

SSH keys are used to securely authenticate to your instances.

Key Management

# Generate a new SSH key
ssh-keygen -t ed25519 -C "lambda-access"

# Add key to Lambda
lambda ssh-keys add \
  --name my-laptop \
  --file ~/.ssh/id_ed25519.pub

# List keys
lambda ssh-keys list

# Remove key
lambda ssh-keys remove key_abc123

Best Practices

  1. Use Strong Keys: ED25519 or RSA 4096-bit
  2. One Key Per Device: Don't share keys across multiple machines
  3. Rotate Regularly: Update keys every 90 days
  4. Use SSH Agent: Never copy private keys to instances
  5. Backup Keys: Store encrypted backups of private keys
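
A check for best practice 1, added here as an example (it is not part of the original page or Lambda's tooling): it reads the fingerprint listing printed by `ssh-keygen -l -f <file>` and reports every key that is not ED25519 or RSA with at least 4096 bits. The function names and the sample listing are constructed for illustration.

```sh
# Added example (not Lambda's code): enforce "ED25519 or RSA 4096-bit" on a key listing.
# Input lines look like: "<bits> <fingerprint> <comment ...> (<TYPE>)".
audit_key_listing() {
  awk '
    NF < 3 { next }                                 # not a fingerprint line
    {
      bits = $1 + 0
      type = $NF; gsub(/[()]/, "", type)            # last field is "(TYPE)"
      if (type == "ED25519")  verdict = "ok"
      else if (type == "RSA") verdict = (bits >= 4096) ? "ok" : ("RSA " bits " bits is below 4096")
      else                    verdict = (type " is not on the allowed list")
      if (verdict != "ok") { bad++; printf "%s  %s\n", $2, verdict }
    }
    END { exit (bad > 0) }                          # non-zero status if any key fails
  '
}

# audit_authorized_keys FILE: the same check on a real file (needs OpenSSH's ssh-keygen).
audit_authorized_keys() { ssh-keygen -l -f "$1" | audit_key_listing; }

# Constructed sample listing; the fingerprints are placeholders, not real keys.
SAMPLE_LISTING='256 SHA256:constructedFingerprintA lambda-access (ED25519)
4096 SHA256:constructedFingerprintB ops laptop 2024 (RSA)
2048 SHA256:constructedFingerprintC old-ci (RSA)
1024 SHA256:constructedFingerprintD legacy (DSA)'
printf '%s\n' "$SAMPLE_LISTING" | audit_key_listing || echo "replace the keys listed above" >&2
```

On an instance, `audit_authorized_keys ~/.ssh/authorized_keys` applies the same policy to the keys that can actually log in.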

Connecting

# Using default key
ssh lambda@203.0.113.42

# Specify key
ssh -i ~/.ssh/my-key lambda@203.0.113.42

# Using Lambda CLI (automatic)
lambda ssh inst_abc123

Snapshots

Snapshots are point-in-time backups of your instances or volumes.

Snapshot Lifecycle

Creating Snapshots

# Snapshot entire instance
lambda snapshot create inst_abc123 \
  --name "before-update" \
  --description "Pre-deployment backup"

# Snapshot specific volume
lambda snapshot create vol_xyz789 \
  --name "data-backup"

# List snapshots
lambda snapshot list

# Restore from snapshot
lambda create instance \
  --from-snapshot snap_abc123 \
  --name restored-instance

Snapshot Features

  • Incremental: Only changes since last snapshot are stored
  • Encrypted: Snapshots maintain encryption
  • Cross-Region: Copy snapshots to other regions
  • Versioned: Keep multiple snapshots with automatic cleanup

Automation

# Schedule daily snapshots
lambda snapshot schedule inst_abc123 \
  --frequency daily \
  --time "02:00 UTC" \
  --retain 7

# Schedule weekly snapshots
lambda snapshot schedule inst_abc123 \
  --frequency weekly \
  --day sunday \
  --retain 4

Firewall

Lambda's firewall controls network access to your instances.

Default Rules

By default:

  • ✓ All outbound traffic allowed
  • ✗ All inbound traffic blocked (except SSH on port 22)

Firewall Rules

# Allow HTTP traffic
lambda firewall allow inst_abc123 \
  --port 80 \
  --protocol tcp \
  --source 0.0.0.0/0

# Allow HTTPS traffic
lambda firewall allow inst_abc123 \
  --port 443 \
  --protocol tcp \
  --source 0.0.0.0/0

# Allow from a specific IP range
lambda firewall allow inst_abc123 \
  --port 3000 \
  --source 203.0.113.0/24

# List rules
lambda firewall list inst_abc123

# Remove rule
lambda firewall remove inst_abc123 --rule rule_abc123

Common Configurations

Web Server

lambda firewall allow inst_abc123 --port 80 --source 0.0.0.0/0
lambda firewall allow inst_abc123 --port 443 --source 0.0.0.0/0

Database Server (Private)

# Allow only from your app server
lambda firewall allow inst_db123 \
  --port 5432 \
  --source 10.0.1.0/24

Development Server

# Allow only from your IP (-4 forces IPv4 so the /32 suffix is valid)
lambda firewall allow inst_abc123 \
  --port 3000 \
  --source "$(curl -4 -fsS https://ifconfig.me)/32"
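
The configurations above follow one pattern: only ports 80 and 443 are opened to 0.0.0.0/0, and every other port is limited to a CIDR. The following linter is an added example, not part of the original page or Lambda's tooling; it checks a desired rule list against that pattern and prints the `lambda firewall allow` commands only for rules that pass. The rule-list format, the function names, the `udp` protocol value and the sample rules are assumptions made for illustration.

```sh
# Added example (not Lambda's code): lint "port protocol source" rules, print commands (dry run).
PUBLIC_PORTS="80 443"   # the only ports this page opens to 0.0.0.0/0

# valid_cidr A.B.C.D/N: succeeds only for a strict dotted-quad IPv4 CIDR.
valid_cidr() (
  case $1 in */*) ;; *) return 1 ;; esac           # prefix length is mandatory
  ip=${1%/*} len=${1#*/}
  case $len in ''|???*|*[!0-9]*) return 1 ;; esac
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.; set -- $ip                                # split into octets
  [ "$len" -le 32 ] && [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ????*|0?*) return 1 ;; esac         # no long or zero-padded octets
    [ "$o" -le 255 ] || return 1
  done
)

# check_rule PORT PROTO SOURCE: prints the reason and fails if the rule is unsafe.
check_rule() (
  case $1 in ''|0*|??????*|*[!0-9]*) echo "bad port"; return 1 ;; esac
  [ "$1" -le 65535 ] || { echo "bad port"; return 1; }
  case $2 in tcp|udp) ;; *) echo "bad protocol"; return 1 ;; esac  # udp: assumption
  valid_cidr "$3" || { echo "source is not a valid IPv4 CIDR"; return 1; }
  case " $PUBLIC_PORTS " in *" $1 "*) return 0 ;; esac
  [ "${3#*/}" -ne 0 ] || { echo "non-web port open to any address"; return 1; }
)

# render_rules INSTANCE < rules: commands on stdout, rejections on stderr.
render_rules() (
  inst=$1 bad=0
  case $inst in ''|*[!A-Za-z0-9_]*) echo "bad instance id" >&2; return 2 ;; esac
  while read -r port proto src; do
    case $port in ''|'#'*) continue ;; esac        # skip blank and comment lines
    if why=$(check_rule "$port" "$proto" "$src"); then
      echo "lambda firewall allow $inst --port $port --protocol $proto --source $src"
    else
      echo "REJECTED $port/$proto from '$src': $why" >&2; bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
)

# Constructed sample policy; the last two lines are expected to be rejected.
SAMPLE_RULES='80 tcp 0.0.0.0/0
443 tcp 0.0.0.0/0
5432 tcp 10.0.1.0/24
5432 tcp 0.0.0.0/0
3000 tcp 203.0.113.7'
printf '%s\n' "$SAMPLE_RULES" | render_rules inst_abc123 || echo "fix rejected rules" >&2
```

Because every field is validated against a strict character set before it is echoed, the printed commands can be reviewed and then run without a rule line being able to smuggle in extra shell syntax.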

Privacy Zones

Privacy Zones define boundaries of encrypted, isolated workspaces.

What Are Privacy Zones?

Privacy Zones are logical groupings of instances that share:

  • Network isolation
  • Encryption policies
  • Access controls
  • Audit boundaries

Creating Privacy Zones

# Create zone
lambda zone create \
  --name production \
  --encryption-level maximum \
  --audit-enabled true

# Add instance to zone
lambda zone add-instance zone_abc123 --instance inst_xyz789

# List zones
lambda zone list

# Zone info
lambda zone info zone_abc123

Encryption Levels

| Level | Description | Use Case |
|---|---|---|
| Standard | Disk encryption, TLS | General workloads |
| High | + Memory encryption (SEV) | Sensitive data |
| Maximum | + Secure enclaves (SGX) | Highly regulated |

Inter-Zone Communication

By default, zones are isolated. To enable communication:

lambda zone peer zone_prod123 --with zone_staging456

Next Steps

Now that you understand the core concepts:

  1. Deploy Your First Application →
  2. Explore the Architecture →
  3. Read API Documentation →
