Lambda function within VPC doesn't have access to public Internet

筅森魡賤 submitted on 2019-12-09 05:50:59

Question


I am trying to make an outbound API request to a third-party service from within a Lambda function, but the function always times out without any error.

This previously happened when trying to perform a s3.putObject operation within a different function (still within the same VPC / subnets), and I managed to get around that by adding an Endpoint with a service name com.amazonaws.us-east-1.s3 and connecting it to the route table that is associated with the VPC that this Lambda function resides in.

Within the Lambda dashboard inside Network box -> Security Groups section, I see this warning:

When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.

I believe that this security group allows outbound connections, based off of the Outbound rules table right underneath:

For that second requirement, I can confirm this VPC has a NAT gateway, because on the VPC Dashboard, within the NAT Gateways tab, the one that appears there has a VPC associated with it, and that VPC is the same one hosting the Lambda function.

I followed a guide to create a Flow Log to monitor traffic in and out of the VPC, hoping to see that those outbound requests are indeed rejected. However, after doing so and inspecting the CloudWatch logs, all of the records end in either ACCEPT OK or NODATA.

How can I grant internet access to my VPC Lambda function? is the guide I originally tried to follow, but I got stuck on step 4 under To create a public or private subnet:

  1. From the Change to: drop-down menu, choose an appropriate route table:

     For a private subnet, the default route should point to a NAT gateway or NAT instance:

     Destination: 0.0.0.0/0 Target: nat-… (or eni-…)

     For a public subnet, the default route should point to an internet gateway:

     Destination: 0.0.0.0/0 Target: igw-…

For all four of the subnets within this VPC, clicking the drop-down to the right of Change to: only showed one option, the one already selected, rtb-xxxxxxxx. After clicking on the link to that route table, and clicking the Routes tab next to Summary, I see this:

What might I be doing wrong that is blocking the Lambda function's access to the Internet?


Answer 1:


For Lambda to have access to the internet via VPC it should be in the Private Subnet with NAT Gateway attached.

As per your screenshots, the route table attached to your subnet has igw-xxxxxxx attached, making your current subnet a public subnet.

So to make things work, you can do the following:

  • Attach a NAT Gateway instead of igw-xxxxxx in the route table of your current subnet

OR

  • Find the ENI attached to your Lambda and attach an Elastic IP if you want to have internet access.

OR

As per @John Rotenstein, if your Lambda doesn't need VPC resources you can move the Lambda out of the VPC.




Answer 2:


Hey guys, I developed a step-by-step tutorial with explicit screenshots about it:

Part I

  1. Create a lambda function in AWS
  2. Create an API Gateway to redirect all the requests to your AWS Lambda Function

https://medium.com/@shontauro/how-can-i-turn-my-restful-api-into-a-serverless-application-and-deploy-it-to-aws-lambda-step-by-ec7ce38e18be

Part II

  1. Configure a VPC for your lambda function
  2. Grant internet access to the lambda function in a safe way
  3. Deploy the Node.js Restful API into your Lambda Function

https://medium.com/@shontauro/how-can-i-turn-my-restful-api-into-a-serverless-application-and-deploy-it-to-aws-lambda-step-by-8ff6cc97780f




Answer 3:


Setting up AWS Lambda Internet access in VPC mode is tricky as no proper AWS documentation is provided on the AWS side. I did read this article many times https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/ but did not watch the YouTube video. After so much R&D I can summarise the steps needed to set up AWS Lambda in VPC mode as below:

- Route Tables: two routers
    - One for EC2 - EC2_ROUTER
    - Another for AWS Lambda - AWS_Lambda_ROUTER
- Create an Internet Gateway
    - Add a 0.0.0.0/0 rule in EC2_ROUTER with target igw-xxxxx
    - This will create a public subnet and give INTERNET access for EC2

- Create a NAT Gateway in the public subnet which has igw-xxxxx as target
- Create a private subnet and attach it to AWS_Lambda_ROUTER, with the target for 0.0.0.0/0 set to nat-xxxxxxx
- Select the VPC for AWS Lambda
- Select one/all private subnet(s) having the NAT Gateway for all traffic 0.0.0.0/0

all done, go ahead and enjoy

Note

  • A NAT Gateway is required when accessing public APIs other than AWS
  • There are AWS Endpoints for internal AWS services, and one can attach AWS endpoints in AWS_Lambda_ROUTER by creating

Internet access in AWS Lambda -> Private Subnet with NAT Gateway -> NAT Gateway is in a public subnet with an Internet Gateway, which gives access to AWS Lambda.

PS

I have no idea why AWS Lambda cannot have INTERNET access via an Internet Gateway and why it needs a NAT Gateway.
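The diagnosis in Answer 1 (the subnet's route table points at igw-*, so the subnet is public and a Lambda ENI in it gets no internet) and the layout in Answer 3 (a private subnet whose default route is a NAT gateway that itself sits in a public subnet) can both be checked mechanically from route-table data. The following Python is an added example, not code from the question or from any answer: it takes route tables in the JSON shape returned by `aws ec2 describe-route-tables` (`RouteTables` with `Associations` and `Routes`), resolves which table a subnet actually uses (explicit association, else the VPC's main table, which is why the asker's "Change to:" menu showed only one entry), classifies the subnet, and reports whether a Lambda ENI there will reach the internet. The sample route tables, subnet IDs and `*-EXAMPLE` identifiers are constructed for the example.

```python
"""Diagnose whether a Lambda function's subnet gives its ENI a path to the internet.

Added example; not code from the question or from any answer on the page.
The route-table data at the bottom is constructed to mimic the JSON shape of
`aws ec2 describe-route-tables` (RouteTables -> Associations / Routes).
"""
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies.
    That implicit fallback is why a console may show only one table for a subnet."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(routes: List[Dict]) -> str:
    """Target of the 0.0.0.0/0 route: igw-*, nat-*, eni-*/i-* (a NAT instance),
    'blackhole' if the target was deleted, or '' if there is no default route."""
    for r in routes:
        if r.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if r.get("State") == "blackhole":
            return "blackhole"
        return (r.get("GatewayId") or r.get("NatGatewayId")
                or r.get("NetworkInterfaceId") or r.get("InstanceId") or "")
    return ""


def classify_subnet(routes: List[Dict]) -> str:
    """'public' (default route -> IGW), 'private-with-nat', or 'isolated'."""
    target = default_route_target(routes)
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "eni-", "i-")):
        return "private-with-nat"
    return "isolated"


def lambda_has_internet(routes: List[Dict]) -> bool:
    """Lambda ENIs never carry a public IP, so an igw-* default route gives them
    no return path; only a NAT gateway or NAT instance provides one."""
    return classify_subnet(routes) == "private-with-nat"


def gateway_endpoints(routes: List[Dict]) -> List[str]:
    """Gateway endpoints (S3, DynamoDB) appear as prefix-list routes to vpce-*.
    They explain why an S3 call can succeed while other outbound calls time out."""
    return [r["GatewayId"] for r in routes
            if "DestinationPrefixListId" in r
            and str(r.get("GatewayId", "")).startswith("vpce-")]


def diagnose(route_tables: List[Dict], subnet_id: str) -> str:
    """One-line verdict for a subnet, suitable for printing per Lambda subnet."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return f"{subnet_id}: no route table found"
    routes = rt["Routes"]
    kind = classify_subnet(routes)
    verdict = ("reaches the internet" if lambda_has_internet(routes)
               else "will time out on internet calls")
    eps = gateway_endpoints(routes)
    ep_note = f"; gateway endpoints: {', '.join(eps)}" if eps else ""
    return f"{subnet_id} ({rt['RouteTableId']}, {kind}): a Lambda here {verdict}{ep_note}"


# Constructed sample: a main table like the asker's (IGW default route plus an
# S3 gateway endpoint) and a second table for a private subnet behind a NAT gateway.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-EXAMPLE-main",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
         {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-EXAMPLE-s3", "State": "active"}]},
    {"RouteTableId": "rtb-EXAMPLE-lambda",
     "Associations": [{"SubnetId": "subnet-EXAMPLE-private"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}]},
]

if __name__ == "__main__":
    for sid in ("subnet-EXAMPLE-public", "subnet-EXAMPLE-private"):
        print(diagnose(SAMPLE_ROUTE_TABLES, sid))
```

Run against real data by replacing `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and passing the subnet IDs configured on the function; a subnet that classifies as `public` is the Answer 1 situation, and the fix is either the Answer 3 layout (private subnet, default route to a NAT gateway in a public subnet) or, if the function only needs AWS services that offer endpoints, a gateway or interface endpoint instead of a NAT gateway.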



Source: https://stackoverflow.com/questions/50276852/lambda-function-within-vpc-doesnt-have-access-to-public-internet
