I am trying to access a Kinesis stream outside a VPC from a Lambda function inside a VPC. Currently, when the code to write to the Kinesis stream is executed, it hangs and then times out. When I take the Lambda out of the VPC, the code to write to the stream works fine. But I need to access a resource within the VPC and then write to the stream. Does anyone know how to fix this?
Here is my function that is in the VPC
```yaml
functions:
  handleChanges:
    handler: functions/handlers.handleChanges
    timeout: 10
    package:
      include:
        - functions/utils/**
    events:
      - http:
          method: POST
          path: "/"
          integration: lambda
    # Attaching the function to these subnets/SGs moves it into the VPC,
    # so it only has the network paths the VPC routing gives it.
    vpc:
      securityGroupIds:
        - ${file(./private.yml):variables.securityGroup}
      subnetIds:
        - ${file(./private.yml):variables.subnetID}
```
Here is my policy
```yaml
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "kinesis:PutRecord"
      - "kinesis:GetRecords"
      - "kinesis:GetShardIterator"
      - "kinesis:DescribeStream"
      - "kinesis:ListStreams"
    Resource:
      Fn::GetAtt:
        - KinesisStream
        - Arn
  - Effect: "Allow"
    Action:
      - "cognito-idp:AdminGetUser"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "logs:CreateLogGroup"
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
      # ENI permissions Lambda needs in order to attach to the VPC subnets
      - "ec2:CreateNetworkInterface"
      - "ec2:DescribeNetworkInterfaces"
      - "ec2:DeleteNetworkInterface"
    Resource: "*"
```
And finally here is my kinesis stream resource
```yaml
KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: ${self:provider.environment.STREAM_NAME}
    ShardCount: 1
```
The only solution is to add a NAT Gateway (or NAT instance) to your VPC so that resources like your Lambda function that reside in your private subnet will have access to resources outside the VPC.
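The NAT Gateway path the answer above describes, as an added example that is not part of the question or the answer: CloudFormation resources placed under the `resources` section of the same serverless.yml. The VPC id and a public subnet id are assumed to come from private.yml as `variables.vpcId` and `variables.publicSubnetID` (hypothetical names, alongside the question's existing `variables.subnetID`). The NAT Gateway must sit in a subnet that already routes 0.0.0.0/0 to an Internet Gateway; the private subnet the Lambda uses then gets a default route pointing at the NAT Gateway.

```yaml
# Added example (not from the original post). Assumed private.yml keys:
# variables.vpcId, variables.publicSubnetID; variables.subnetID is the
# private subnet the Lambda is attached to in the question.
resources:
  Resources:
    NatEip:
      Type: AWS::EC2::EIP
      Properties:
        Domain: vpc
    NatGateway:
      Type: AWS::EC2::NatGateway
      Properties:
        AllocationId:
          Fn::GetAtt:
            - NatEip
            - AllocationId
        # Must be a public subnet (one whose route table has 0.0.0.0/0 -> IGW).
        SubnetId: ${file(./private.yml):variables.publicSubnetID}
    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId: ${file(./private.yml):variables.vpcId}
    PrivateDefaultRoute:
      Type: AWS::EC2::Route
      Properties:
        RouteTableId:
          Ref: PrivateRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        NatGatewayId:
          Ref: NatGateway
    # Bind the Lambda's private subnet to the route table that uses the NAT.
    PrivateSubnetRouteAssoc:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId: ${file(./private.yml):variables.subnetID}
        RouteTableId:
          Ref: PrivateRouteTable
```

With this in place every outbound call from the function (Kinesis, Cognito, anything else) leaves via the NAT Gateway's public IP, so the Lambda's security group should still restrict egress to what the function actually needs (TCP 443 to AWS endpoints) rather than relying on the default allow-all egress rule.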
No need for NAT; you can also do it with a VPC endpoint: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html And here is how to do it for Kinesis: https://docs.aws.amazon.com/streams/latest/dev/vpc.html
Works for me :) and much cheaper. Make sure you set the correct security groups (the SG of the private VPC and not the default VPC).
If you read the NAT pricing documentation, they also recommend this: https://aws.amazon.com/vpc/pricing/ (read the note at the end):
Note: To avoid the NAT Gateway Data Processing charge in this example, you could setup a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.
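The VPC endpoint route the answer above recommends, as an added example that is not part of the original question or answer: a Kinesis Data Streams interface endpoint plus its security group, written as CloudFormation under the `resources` section of the question's serverless.yml. The VPC id is assumed to come from private.yml as `variables.vpcId` (a hypothetical key); `variables.securityGroup` and `variables.subnetID` are the ones the question already uses, and `${self:provider.region}` is the Serverless Framework's own variable for the deployment region. Two caveats a practitioner will want: Kinesis Data Streams is reached through an Interface (PrivateLink) endpoint, which, unlike the Gateway endpoints for S3 and DynamoDB that the quoted pricing note refers to, does carry hourly and per-GB charges; and `PrivateDnsEnabled` only works if the VPC has DNS support and DNS hostnames enabled, which is what lets the unchanged `kinesis.<region>.amazonaws.com` hostname in the SDK resolve to the endpoint's private IPs.

```yaml
# Added example (not from the original post). Assumed private.yml key:
# variables.vpcId. The endpoint policy below does not grant permissions;
# it only restricts what can pass through this endpoint, so the function's
# IAM role still needs the kinesis:* statements from the question.
resources:
  Resources:
    # Only the Lambda's security group may talk to the endpoint, and only on 443.
    KinesisEndpointSg:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: HTTPS from the Lambda SG to the Kinesis interface endpoint
        VpcId: ${file(./private.yml):variables.vpcId}
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            SourceSecurityGroupId: ${file(./private.yml):variables.securityGroup}
    KinesisEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        VpcEndpointType: Interface
        ServiceName: com.amazonaws.${self:provider.region}.kinesis-streams
        VpcId: ${file(./private.yml):variables.vpcId}
        # Put an endpoint ENI in the same subnet the Lambda is attached to.
        SubnetIds:
          - ${file(./private.yml):variables.subnetID}
        SecurityGroupIds:
          - Ref: KinesisEndpointSg
        # Requires enableDnsSupport and enableDnsHostnames on the VPC.
        PrivateDnsEnabled: true
        # Endpoint policy: this path may only be used to write to/describe
        # the stack's own stream, never some other account's stream.
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - kinesis:PutRecord
                - kinesis:PutRecords
                - kinesis:DescribeStream
              Resource:
                Fn::GetAtt:
                  - KinesisStream
                  - Arn
```

Once this deploys, the function's existing `vpc` block and IAM statements stay as they are; the only change from the Lambda's point of view is that the Kinesis hostname now resolves inside the VPC. Note that Cognito (`cognito-idp:AdminGetUser` in the question's policy) would still need its own endpoint or a NAT path, since an interface endpoint serves exactly one service.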
Source: https://stackoverflow.com/questions/42448692/access-aws-resource-outside-of-vpc-from-within-vpc-serverless-framework