Access AWS Resource Outside of VPC from Within VPC - Serverless Framework

和自甴很熟 submitted on 2019-12-07 11:38:47

Question


I am trying to access a kinesis stream outside a VPC from a lambda function inside a VPC. Currently when the code to write to the kinesis stream is executed it will hang and then timeout. When I take the lambda out of the VPC the code to write to the stream works fine. But I need to access a resource within the VPC and then write to the stream. Anyone know how to fix this?

Here is my function that is in the VPC

functions:
  handleChanges:
    handler: functions/handlers.handleChanges
    timeout: 10
    package:
      include:
        - functions/utils/**
    events:
      - http:
          method: POST
          path: "/"
          integration: lambda
    vpc:
      securityGroupIds:
        - ${file(./private.yml):variables.securityGroup}
      subnetIds:
        - ${file(./private.yml):variables.subnetID}

Here is my policy

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "kinesis:PutRecord"
      - "kinesis:GetRecords"
      - "kinesis:GetShardIterator"
      - "kinesis:DescribeStream"
      - "kinesis:ListStreams"
    Resource:
      Fn::GetAtt:
        - KinesisStream
        - Arn
  - Effect: "Allow"
    Action:
      - "cognito-idp:AdminGetUser"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "logs:CreateLogGroup"
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
      - "ec2:CreateNetworkInterface"
      - "ec2:DescribeNetworkInterfaces"
      - "ec2:DeleteNetworkInterface"
    Resource: "*"

And finally here is my kinesis stream resource

KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: ${self:provider.environment.STREAM_NAME}
    ShardCount: 1

Answer 1:


The only solution is to add a NAT Gateway (or NAT instance) to your VPC so that resources like your Lambda function that reside in your private subnet will have access to resources outside the VPC.




Answer 2:


No need for NAT; you can also do it with a VPC endpoint: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html And this is how to do it for Kinesis: https://docs.aws.amazon.com/streams/latest/dev/vpc.html

Works for me :) and much cheaper. Make sure you set the correct security groups (the SG of the private VPC and not the default VPC).

If you read the NAT pricing documentation, they also recommend this: https://aws.amazon.com/vpc/pricing/ read the note at the end:

Note: To avoid the NAT Gateway Data Processing charge in this example, you could set up a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.

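The two answers above describe the two ways a Lambda function in a private subnet can reach Kinesis: a default route to a NAT gateway, or an interface VPC endpoint for Kinesis whose security group admits the function's security group on TCP 443. The following diagnostic is an added example, not code from the question or either answer. It takes data shaped like the boto3 `describe_route_tables`, `describe_vpc_endpoints` and `describe_security_groups` responses (the sample records below are constructed, and the subnet, endpoint and security-group IDs in them are placeholders) and reports which path, if any, a given subnet has. It also flags two cases the thread touches on only indirectly: an endpoint whose security group does not admit the function, and a subnet whose only default route is an internet gateway, which does not help a Lambda function because its ENIs have no public IP addresses.

```python
"""Added diagnostic: how does a Lambda subnet reach Kinesis (NAT or VPC endpoint)?

Not part of the original question or answers. Input dicts mirror the shape of
boto3 EC2 describe_* responses; the records below are constructed samples.
"""
from typing import Dict, List, Optional, Tuple

# --- constructed sample data (placeholder IDs) ------------------------------
ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-isolated"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
VPC_ENDPOINTS: List[Dict] = [
    {"VpcEndpointId": "vpce-0123", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kinesis-streams",
     "SubnetIds": ["subnet-isolated"], "PrivateDnsEnabled": True,
     "Groups": [{"GroupId": "sg-endpoint"}]},
]
SECURITY_GROUPS: Dict[str, Dict] = {
    # The endpoint's SG admits HTTPS only from the Lambda function's SG.
    "sg-endpoint": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                       "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]},
}


def _route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """Explicit subnet association wins; otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def _sg_allows_https_from(sg: Dict, source_sg_id: str) -> bool:
    """True if an inbound rule admits TCP/443 from source_sg_id (or from anywhere)."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
            continue
        if any(p.get("GroupId") == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False


def kinesis_path(subnet_id: str, lambda_sg_id: str, region: str,
                 route_tables: List[Dict], endpoints: List[Dict],
                 security_groups: Dict[str, Dict]) -> Tuple[str, str]:
    """Return (status, explanation) for how this subnet can reach Kinesis."""
    service = f"com.amazonaws.{region}.kinesis-streams"
    # 1. Interface endpoint attached to this subnet (Answer 2's approach).
    for ep in endpoints:
        if (ep.get("VpcEndpointType") == "Interface" and ep.get("ServiceName") == service
                and subnet_id in ep.get("SubnetIds", [])):
            ep_sgs = [g["GroupId"] for g in ep.get("Groups", [])]
            if not any(_sg_allows_https_from(security_groups.get(g, {}), lambda_sg_id) for g in ep_sgs):
                return ("endpoint-blocked",
                        f"{ep['VpcEndpointId']} exists but none of {ep_sgs} admits TCP/443 from {lambda_sg_id}")
            if not ep.get("PrivateDnsEnabled", False):
                return ("endpoint-no-private-dns",
                        f"{ep['VpcEndpointId']} needs private DNS so the SDK's default hostname resolves to it")
            return ("endpoint", f"{ep['VpcEndpointId']} reachable from {lambda_sg_id}")
    # 2. Otherwise, what does the subnet's default route point at?
    rt = _route_table_for(subnet_id, route_tables) or {}
    default = next((r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if default is None:
        return ("none", f"{subnet_id} has no default route and no Kinesis endpoint; calls will hang and time out")
    if default.get("NatGatewayId"):
        return ("nat", f"0.0.0.0/0 -> {default['NatGatewayId']} (Answer 1's approach)")
    if str(default.get("GatewayId", "")).startswith("igw-"):
        return ("igw-unusable", "default route is an internet gateway, but Lambda ENIs have no public IP, so it cannot be used")
    return ("unknown", f"unrecognised default route: {default}")


if __name__ == "__main__":
    for subnet in ("subnet-private", "subnet-public", "subnet-isolated"):
        print(subnet, kinesis_path(subnet, "sg-lambda", "us-east-1", ROUTE_TABLES, VPC_ENDPOINTS, SECURITY_GROUPS))
```

To use it against a real account, replace the constructed lists with the `RouteTables`, `VpcEndpoints` and `SecurityGroups` arrays returned by the corresponding boto3 calls; the status strings map directly onto the fixes in the thread (add a NAT route, add the endpoint, or open the endpoint's security group to the function's security group).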


Answer 3:


This article seems to have a complete solution to the problem: https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

I followed the instructions and created everything for my existing VPC, and my lambda function inside the VPC still doesn't have access to the outside resource I want (AWS Rekognition). However, it works after I gave up my existing VPC and created a new "VPC with Public and Private Subnets" using the "VPC" wizard as said at the beginning of this article. I can't figure out why though.



Source: https://stackoverflow.com/questions/42448692/access-aws-resource-outside-of-vpc-from-within-vpc-serverless-framework
