问题
I have set up a VPC with 3 subnets, this to have access to a private RDS instance from my Lambda functions. The RDS <-> Lambda connection works fine, however now I'm not able to publish to SNS.
I found the announcement of VPC Endpoint support for SNS (incl. this blog post https://aws.amazon.com/blogs/security/securing-messages-published-to-amazon-sns-with-aws-privatelink/) and have added a VPC Endpoint Interface with these properties:
Service name: com.amazonaws.eu-west-1.sns
VPC: same as Lambda functions and other services
Subnets: all included in my VPC (have also tested toggling them individually)
Security Groups: all VPC security groups selected
All the services are in the eu-west-1 region. I know the code that publish to SNS is correct, as it works when run in a non-VPC environment. The ARN I'm publishing to has remained unchanged: arn:aws:sns:eu-west-1:962446592636:whatever.
I'm aware that a NAT server could be set up to avoid this issue, but I'd prefer to use VPC Endpoints if possible to reduce costs.
回答1:
It works for me!
I did the following:
- Created an Amazon SNS topic and subscribed to it
- Created an AWS Lambda function with no VPC configuration, which sends a message to the SNS topic
- Tested the Lambda function -- message received
- Created a VPC with a two private subnets
- Created a Service Endpoint for SNS in the private subnets, with a Security Group allowing All TCP from
0.0.0.0/0(for testing purposes) - Modified the Lambda function to use the private subnets
- Tested the Lambda function -- message received
So, everything worked fine. I didn't have to modify any Lambda code.
My Lambda code:
def lambda_handler(event, context):
import boto3
client = boto3.client('sns', region_name='ap-southeast-2')
response = client.publish(
TopicArn='arn:aws:sns:ap-southeast-2:123456789012:stack',
Message='From Lambda'
)
return
来源:https://stackoverflow.com/questions/50170420/how-to-publish-to-sns-from-lambda-within-vpc-using-vpc-endpoint