AWS Lambda Introduces MicroVMs for Isolated, Stateful Sandboxes

AWS announced the launch of Lambda MicroVMs, a fresh serverless compute option inside its Lambda service. The capability enables running code supplied by end users or generated through AI inside dedicated execution environments that stay isolated and preserve state throughout each session.

AWS Lambda MicroVMs deliver VM isolation without infrastructure management. Developers receive virtual-machine-grade separation, near-instant startup and resumption, plus complete authority over the environment's lifecycle and internal state. No underlying servers need direct oversight and no specialized knowledge of advanced virtualization is required.

These MicroVMs rely on Firecracker, the same lightweight virtualization layer that has already supported more than 15 trillion monthly Lambda function invocations.

New class of multi-tenant applications drives demand for isolated execution. A growing category of workloads—including AI coding assistants, interactive coding sandboxes, data analytics platforms, vulnerability scanners, and game servers executing user-provided scripts—requires that each end user receive a private runtime. Traditional virtual machines supply robust boundaries yet often need minutes to boot. Containers start within seconds but rely on a shared kernel that demands extensive custom security hardening when handling untrusted code.

Serverless functions work well for short event-driven requests yet lack native support for extended interactive sessions that must carry forward memory and disk contents between user actions. Consequently, teams either tolerate compromises on speed versus safety or devote substantial engineering effort toward custom virtualization stacks.

MicroVMs address the isolation-performance gap with state retention. Each instance grants one user or session a fully separated environment that starts quickly, holds memory and disk contents for the entire duration, and suspends to minimal cost during inactivity. Because the underlying Firecracker technology already runs at massive scale inside Lambda, the new option benefits from proven operational reliability.

Getting started requires creating a MicroVM Image from code artifacts. Inside the AWS Lambda console the new MicroVMs section now sits in the left navigation. Builders begin by bundling an application together with its Dockerfile into a zip archive, then uploading that archive to an Amazon S3 bucket. The image can be built either through the AWS CLI command or directly in the console.

The command needs a code artifact URI, chosen image name, base image ARN such as arn:aws:lambda:us-east-1:aws:microvm-image:al2023-1, and an IAM build role ARN. Once launched, Lambda fetches the zip, executes the Dockerfile instructions, starts the application, captures a Firecracker snapshot of live memory and disk, and streams build logs live into Amazon CloudWatch under the /aws/lambda/microvms prefix.

An included example shows a minimal Flask API served by Gunicorn from a Dockerfile derived from the public.ecr.aws/lambda/microvms:al2023-minimal base that installs Python packages before exposing port 5000.