Aws lambda internet access

Why my Lambda cannot access Internet anymore from its AWS VPC?

In this post, I try to be as clear as possible in explaining how to give Internet access to your AWS resources when they are in an AWS VPC.

For the most curious, and for those who like to understand things in depth, I explain the AWS concepts involved at each step in the grey part.

How did I get there?

Recently, I developed an application with a React frontend and a NestJS backend, and I set up a deployment with an AWS Lambda function for the backend and an AWS S3 bucket for the static frontend. My app was quite simple and mostly used a PostgreSQL database, an external API and Google authentication.

All was working really fine in production until I decided to switch my RDS database to private mode for security reasons, and then I lost access to it. Indeed, by default, an RDS database is in an AWS VPC and you can't access it unless you are in the same VPC or your RDS instance is public.

Thus, to get access to my database back, I was forced to move my AWS Lambda function into the same VPC. Then came a new problem. When you move an AWS instance into a VPC, it loses Internet access: you can no longer reach your instance from the Internet, and your instance can no longer reach the Internet.


1 - Create a VPC

A VPC (Virtual Private Cloud) is a virtual network in the cloud in which you can launch AWS resources. You have complete control over your virtual networking environment, including selection of your own private IP address range, creation of subnets and configuration of route tables and network gateways.

It is in your interest to use a VPC because it helps with aspects of cloud computing such as privacy, security and preventing loss of proprietary data. Moreover, some instances, like AWS relational databases, need to be in a VPC, and the only way to access them is to be in the same VPC.


If you don't already have a VPC (virtual private cloud), you need to create one.

To do that, go to the Services tab, select VPC, click on Your VPCs on the left menu and then on Create VPC:

  • Choose the name of your VPC, for example my-wonderful-vpc
  • In the CIDR (Classless Inter-Domain Routing) block input, choose a range of IP addresses for your VPC, for example 172.30.0.0/16

create-vpc-image.png

For your information, 172.30.0.0/16 is what we call a network mask, written in CIDR notation: it covers all the IP addresses from 172.30.0.0 to 172.30.255.255.


infra-step-1-image.png

2 - Create private and public subnets in your VPC

A subnet is simply a range of IP addresses in the VPC. Creating subnets can be thought of as dividing a large network into smaller networks. This is done because smaller networks are easier to maintain, and it also isolates each network from the others.


To host your lambda, you need to create a private subnet inside your VPC.

Click on Subnets on the left menu in the VPC service and then on the button Create subnet:

  • Choose the name of your subnet, for example my-wonderful-vpc-private-subnet
  • Choose the VPC you created during the previous step (my-wonderful-vpc)
  • In the CIDR block input, choose a subrange of your VPC's IP addresses, for example 172.30.1.0/24 (from 172.30.1.0 to 172.30.1.255)

create-subnet-image.png

Repeat the previous steps to create the public subnet, choosing another name (for example my-wonderful-vpc-public-subnet) and another subrange of IPs (for example 172.30.2.0/24).

You will configure your subnets as public and private in the 4th step.

infra-step-2-image.png

3 - Create an Internet Gateway and a NAT Gateway in the VPC

An Internet Gateway is a logical connection between an AWS VPC and the Internet. It's not a physical device. Only one can be associated with each VPC. If a VPC doesn't have an Internet Gateway, then the resources cannot be accessed from the Internet. Conversely, resources within your VPC need an Internet Gateway to access the Internet.

A NAT (Network Address Translation) gateway enables instances in a private subnet to connect to the Internet, but prevents the Internet from initiating a connection with those instances. To do that, the NAT gateway maps all the private IP addresses assigned to the instances in the subnet to one public IPv4 address, called an Elastic IP address.


To access Internet, you will need to attach an Internet Gateway to your VPC.

Select Internet Gateways on the left menu and then click on the button Create internet gateway:

  • Choose the name of your Internet Gateway, for example my-wonderful-vpc-igw

create-internet-gateway-image.png

You will then need to attach your Internet Gateway to your VPC. Come back to the Internet Gateways tab, select your Internet Gateway (my-wonderful-vpc-igw), click on Action, select Attach to VPC and select your VPC (my-wonderful-vpc).

You will also need to create a NAT Gateway. Click on NAT Gateways on the left menu and then on the button Create NAT gateway:

  • Choose the subnet you want to be public (my-wonderful-vpc-public-subnet)
  • Choose one of your Elastic IPs. If you don't have one, click on Create New EIP

create-nat-gateway-image.png

Your infra should look like this now:

infra-step-3-image.png

4 - Associate the right route tables to the subnets

A route table contains a set of rules, called routes, which determine where traffic has to be directed. You can create as many route tables in a VPC as you want. Route tables act at the subnet level, not the VPC level. A route table can be associated with one or several subnets. By default, all route tables in a VPC have a local route for communication within the VPC. You can add custom routes to a route table by creating a new route that defines which traffic (IP destination) must go where (target).

Remarks:
  • Even if you don't create any route table, every VPC comes with a default main route table, and all the subnets of the VPC are associated with this main route table until you associate them with a custom route table.
  • If a subnet is associated with a route table redirecting all traffic to an internet gateway, it is called a public subnet.

We will create two custom route tables, one for each subnet.

In the VPC service, click on Route Tables in the left menu and then on the button Create route table:

  • Choose the name for your route tables, for example my-wonderful-vpc-public-route-table and my-wonderful-vpc-private-route-table
  • Choose the VPC created in step 1 (my-wonderful-vpc)

create-route-table-image.png

Now that the two route tables exist, we are going to configure them. Let's start with the public one.

Go back to the Route Tables section and select the created route table my-wonderful-vpc-public-route-table:

  • Click on the tab Routes of the selected route table
  • Click on the button Edit routes
  • Add a new route with destination 0.0.0.0/0 and, as target, your internet gateway ID igw-.... created in step 3, then click on Save Routes

configure-public-route-table-routes-image.png

  • Then, click on the tab Subnet Associations of the selected route table
  • Click on the button Edit subnet associations
  • Add your public subnet my-wonderful-vpc-public-subnet created in step 2 and click on Save

configure-public-route-table-subnet-association-image.png

By doing that, you have redirected all outgoing traffic of the public subnet to the internet gateway, which makes this subnet a public subnet.

Now, let's configure the private route table. Go back to the Route Tables tab and select the route table my-wonderful-vpc-private-route-table:

  • Click on the tab Routes of the selected route table
  • Click on the button Edit routes
  • Add a new route with destination 0.0.0.0/0 and, as target, your NAT gateway ID nat-.... created in step 3, then click on Save Routes
  • Click on the tab Subnet Associations of the selected route table
  • Click on the button Edit subnet associations
  • Add your private subnet my-wonderful-vpc-private-subnet created in step 2 and click on Save

By doing that, you have redirected all outgoing traffic of the private subnet to the NAT gateway.

infra-step-4-image.png

5 - Create the lambda function and configure it

The hardest part is already done!

If you don't already have a lambda, go to the Lambda service, and then click on the button Create function:

  • Choose a name for your Lambda, for example my-wonderful-lambda
  • Select the Node.js runtime
  • In the section Permissions, select the choice create a new role with basic lambda permissions

configure-lambda-permissions-image.png

Once your lambda is created, click on it in the Lambda service and it will open the configuration page. Go down to the section Network and there, you must select 3 things:

  • your VPC created in step 1 (my-wonderful-vpc)
  • your private subnet created in step 2 (my-wonderful-vpc-private-subnet)
  • the default security group of your VPC, called by default your-vpc-name-default-security-group

configure-lambda-vpc-image.png



🔥🔥 Congrats, that's all, your AWS lambda function has access to Internet! 🔥🔥

infra-step-5-image.png



The end of this post is for people who wonder what the mysterious default security group mentioned in the last step is.

Bonus: Add more security with the security groups

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. You can create as many security groups in a VPC as you want. Security groups act at the instance level, not the subnet level. A security group can be associated with one or several instances. By default, all security groups in a VPC allow all inbound and outbound traffic. You can add custom rules to a security group to control the inbound and outbound traffic.

Remark:
  • Even if you don't create security groups, every VPC comes with a default security group, and all the instances of the VPC are associated with this default security group until you associate them with a custom security group

A good practice is to associate with each of your instances a security group that allows only the strict minimum of traffic.

For example, if you have a RDS database (AWS relational database service), you will only need to accept inbound traffic from your lambda (or your other backend instance).

To do that, in the VPC service, click on Security Groups and then on the button Create security group.

Once created, go back to the Security Groups tab, select your security group, go to the Inbound Rules tab, and select Edit rules to add an inbound rule that allows only incoming traffic from the security group of your lambda instance to reach the RDS instance:

configure-security-group-inbound-rules-image.png

Then, go to the Outbound Rules tab, click on Edit rules to add an outbound rule that allows all traffic to leave the instance:

configure-security-group-outbound-rules-image.png

To finish, you just have to associate this security group to your RDS in its configuration page.

🔥 Congrats, that's all you have to do to protect your database from the outside.

I hope you have enjoyed and have learned new things in this post. Feel free to leave comments to help me improve it.

Charles de la Roche Saint André

Web Developer at Theodo

Source: https://blog.theodo.com/2020/01/internet-access-to-lambda-in-vpc/

Configuring a Lambda function to access resources in a VPC

You can configure a Lambda function to connect to private subnets in a virtual private cloud (VPC) in your AWS account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your function to the VPC to access private resources while the function is running.

When you connect a function to a VPC, Lambda creates an elastic network interface for each subnet in your function's VPC configuration. This process can take several minutes.

While Lambda creates a network interface, you can't perform additional operations that target the function, such as creating versions or updating the function's code. For new functions, you can't invoke the function until its state changes from to . For existing functions, you can still invoke an earlier version while the update is in progress. For more information about function states, see Lambda function states.

Multiple functions can share a network interface, if the functions share the same subnet and security group. Connecting additional functions to the same VPC configuration (subnet and security group) that has an existing Lambda-managed network interface is much quicker than having Lambda create additional network interfaces. However, if you have many functions or functions with high network usage, Lambda might still create additional network interfaces.

If your functions aren't active for a long period of time, Lambda reclaims its network interfaces, and the functions become . To reactivate an idle function, invoke it. This invocation fails, and the function enters a state again until a network interface is available.

Lambda functions can't connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.

Execution role and user permissions

Lambda uses your function's permissions to create and manage network interfaces. To connect to a VPC, your function's execution role must have the following permissions:

Execution role permissions

  • ec2:CreateNetworkInterface

  • ec2:DescribeNetworkInterfaces

  • ec2:DeleteNetworkInterface

These permissions are included in the AWS managed policy AWSLambdaVPCAccessExecutionRole.

When you configure VPC connectivity, Lambda uses your permissions to verify network resources. To configure a function to connect to a VPC, your AWS Identity and Access Management (IAM) user needs the following permissions:

User permissions

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeVpcs

Configuring VPC access (console)

If your IAM permissions allow you only to create Lambda functions that connect to your VPC, you must configure the VPC when you create the function. If your IAM permissions allow you to create functions that aren't connected to your VPC, you can add the VPC configuration after you create the function.

To configure a VPC when you create a function

  1. Open the Functions page on the Lambda console.

  2. Choose Create function.

  3. Under Basic information, for Function name, enter a name for your function.

  4. Expand Advanced settings.

  5. Under Network, choose a VPC for your function to access.

  6. Choose subnets and security groups. When you choose a security group, the console displays the inbound and outbound rules for that security group.

    Note

    To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.

  7. Choose Create function.

To configure a VPC for an existing function

  1. Open the Functions page on the Lambda console.

  2. Choose a function.

  3. Choose Configuration and then choose VPC.

  4. Under VPC, choose Edit.

  5. Choose a VPC, subnets, and security groups.

    Note

    To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.

  6. Choose Save.

Configuring VPC access (API)

To connect a Lambda function to a VPC, you can use the following API operations:

To create a function and connect it to a VPC using the AWS Command Line Interface (AWS CLI), you can use the command with the option. The following example creates a function with a connection to a VPC with two subnets and one security group.

To connect an existing function to a VPC, use the command with the option.

To disconnect your function from a VPC, update the function configuration with an empty list of subnets and security groups.

Using IAM condition keys for VPC settings

You can use Lambda-specific condition keys for VPC settings to provide additional permission controls for your Lambda functions. For example, you can require that all functions in your organization are connected to a VPC. You can also specify the subnets and security groups that the function's users can and can't use.

Lambda supports the following condition keys in IAM policies:

  • lambda:VpcIds – Allow or deny one or more VPCs.

  • lambda:SubnetIds – Allow or deny one or more subnets.

  • lambda:SecurityGroupIds – Allow or deny one or more security groups.

The Lambda API operations CreateFunction and UpdateFunctionConfiguration support these condition keys. For more information about using condition keys in IAM policies, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Tip

If your function already includes a VPC configuration from a previous API request, you can send an request without the VPC configuration.

Example policies with condition keys for VPC settings

The following examples demonstrate how to use condition keys for VPC settings. After you create a policy statement with the desired restrictions, append the policy statement for the target IAM user or role.

Ensure that users deploy only VPC-connected functions

To ensure that all users deploy only VPC-connected functions, you can deny function create and update operations that don't include a valid VPC ID.

Note that VPC ID is not an input parameter to the or request. Lambda retrieves the VPC ID value based on the subnet and security group parameters.

Deny users access to specific VPCs, subnets, or security groups

To deny users access to specific VPCs, use to check the value of the condition. The following example denies users access to and .

To deny users access to specific subnets, use to check the value of the condition. The following example denies users access to and .

To deny users access to specific security groups, use to check the value of the condition. The following example denies users access to and .

Allow users to create and update functions with specific VPC settings

To allow users to access specific VPCs, use to check the value of the condition. The following example allows users to access and .

To allow users to access specific subnets, use to check the value of the condition. The following example allows users to access and .

To allow users to access specific security groups, use to check the value of the condition. The following example allows users to access and .
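The three policy shapes above can be written out and checked against sample requests. The following Python is an added example and not the developer guide's own policies or code: it implements only the `Null`, `ForAnyValue:StringEquals` and `ForAllValues:StringEquals` operators such policies rely on, derives `lambda:VpcIds` from the request's subnet IDs the way the text says Lambda does, and shows why an Allow built on `ForAllValues` alone also admits a request that names no subnets at all. All VPC, subnet and security group IDs are constructed placeholders.

```python
"""Evaluate IAM condition keys for Lambda VPC settings against sample requests.

Implements the deny-overrides slice of IAM evaluation needed for the three policy shapes
discussed above. Only the operators those shapes need are supported: Null,
ForAnyValue:StringEquals and ForAllValues:StringEquals. Every ID is a constructed placeholder.
"""
from typing import Dict, List

# Constructed lookup standing in for what Lambda does internally: resolve subnets to their VPC.
SUBNET_TO_VPC = {
    "subnet-a-example": "vpc-allowed-example",
    "subnet-b-example": "vpc-allowed-example",
    "subnet-x-example": "vpc-forbidden-example",
}

LAMBDA_VPC_ACTIONS = ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"]


def request_context(subnet_ids: List[str], sg_ids: List[str]) -> Dict[str, List[str]]:
    """Build the multivalued condition keys Lambda attaches to a create/update request.

    lambda:VpcIds is not a request parameter; it is derived from the subnets, so it is
    simply absent when the request carries no VPC configuration.
    """
    ctx: Dict[str, List[str]] = {}
    if subnet_ids:
        ctx["lambda:SubnetIds"] = list(subnet_ids)
        ctx["lambda:VpcIds"] = sorted({SUBNET_TO_VPC[s] for s in subnet_ids})
    if sg_ids:
        ctx["lambda:SecurityGroupIds"] = list(sg_ids)
    return ctx


def condition_matches(condition: Dict[str, Dict[str, object]], ctx: Dict[str, List[str]]) -> bool:
    """True when every operator block of a Condition element is satisfied by the context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                # "true" means: match when the key is absent from the request context.
                want_absent = str(expected).lower() == "true"
                if (actual is None) != want_absent:
                    return False
                continue
            expected_set = set(expected if isinstance(expected, list) else [expected])
            if operator == "ForAnyValue:StringEquals":
                if not actual or not (set(actual) & expected_set):
                    return False
            elif operator == "ForAllValues:StringEquals":
                # An absent or empty key satisfies ForAllValues vacuously: the classic pitfall.
                if actual and not set(actual) <= expected_set:
                    return False
            else:
                raise ValueError(f"operator {operator} is not supported in this example")
    return True


def evaluate(policies: List[dict], action: str, ctx: Dict[str, List[str]]) -> str:
    """Deny-overrides evaluation: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if action not in actions or not condition_matches(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# 1. "Deploy only VPC-connected functions": deny create/update calls that resolve to no VPC.
ENFORCE_VPC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": LAMBDA_VPC_ACTIONS, "Resource": "*",
    "Condition": {"Null": {"lambda:VpcIds": "true"}}}]}

# 2. Deny one specific VPC, whichever subnets were named.
DENY_FORBIDDEN_VPC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": LAMBDA_VPC_ACTIONS, "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"lambda:VpcIds": ["vpc-forbidden-example"]}}}]}

# 3. Allow only specific subnets. On its own this also matches an empty subnet list,
#    which is why ENFORCE_VPC is attached alongside it.
ALLOW_SUBNETS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": LAMBDA_VPC_ACTIONS, "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"lambda:SubnetIds": ["subnet-a-example", "subnet-b-example"]}}}]}

if __name__ == "__main__":
    no_vpc = request_context([], [])
    print("ForAllValues alone, no subnets:", evaluate([ALLOW_SUBNETS], "lambda:CreateFunction", no_vpc))
    print("with Null guard, no subnets:   ", evaluate([ALLOW_SUBNETS, ENFORCE_VPC], "lambda:CreateFunction", no_vpc))
```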

Internet and service access for VPC-connected functions

By default, Lambda runs your functions in a secure VPC with access to AWS services and the internet. Lambda owns this VPC, which isn't connected to your account's default VPC. When you connect a function to a VPC in your account, the function can't access the internet unless your VPC provides access.

Note

Several AWS services offer VPC endpoints. You can use VPC endpoints to connect to AWS services from within a VPC without internet access.

Internet access from a private subnet requires network address translation (NAT). To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet. The NAT gateway has a public IP address and can connect to the internet through the VPC's internet gateway. An idle NAT gateway connection will time out after 350 seconds. For more information, see How do I give internet access to my Lambda function in a VPC?

VPC tutorials

In the following tutorials, you connect a Lambda function to resources in your VPC.

Sample VPC configurations

You can use the following sample AWS CloudFormation templates to create VPC configurations to use with Lambda functions. There are two templates available in this guide's GitHub repository:

  • vpc-private.yaml – A VPC with two private subnets and VPC endpoints for Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Use this template to create a VPC for functions that don't need internet access. This configuration supports use of Amazon S3 and DynamoDB with the AWS SDKs, and access to database resources in the same VPC over a local network connection.

  • vpc-privatepublic.yaml – A VPC with two private subnets, VPC endpoints, a public subnet with a NAT gateway, and an internet gateway. Internet-bound traffic from functions in the private subnets is routed to the NAT gateway using a route table.

To create a VPC using a template, on the AWS CloudFormation console Stacks page, choose Create stack, and then follow the instructions in the Create stack wizard.

Source: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html

AWS Lambda connecting to Internet

By default, a lambda function is not bounded to a VPC, which enables it to have internet access, but prevents it from accessing resources in a VPC, such as RDS instances.

If you attach the lambda to a VPC, you'll lose internet access, which prevents you from accessing resources such as S3 and Dynamo, and from making HTTP requests.

If you need both, then I'll have to set up the VPC for internet access, which is a mess (hey AWS guys, if you have a well-defined process for it, please make it simple: turn it into a checkbox or button ;)

Create a new VPC

I find it's best to leave the default VPC alone, so you don't take the risk of breaking something that's already working in that VPC (in case you already have resources there), and also because you can use the default VPC as configuration reference in the future.

Use the wizard for creating the VPC.

Create the Route Tables

  1. Name the first (if it's not already there);
  2. Name the second . AWS support recommends having a separate subnet just for the lambda, and this Route Table is going to be attached to it.

Create the subnets

By default, when you create a VPC, it will create a public subnet for you. If you used default values, its name should be . Leave it at that.

Now you are going to create the private subnets. It's recommended to have several private subnets for your Lambda if you want it to have high availability.

Each of these private subnets will be linked to the VPC you just created. Now, supposing you left the VPC IP as , and that you run your resources in Virginia (), here is a template for creating six private subnets, each in a different availability zone (for high availability):

  1. , availability zone , IP block
  2. , availability zone , IP block
  3. , availability zone , IP block
  4. , availability zone , IP block
  5. , availability zone , IP block
  6. , availability zone , IP block

But you can see the pattern:
  • There's a 16 increment in the 3rd position of the IP block;
  • The names indicate the selected availability zone in your region.

Ensure Route Table vs Subnet associations

  • Go to the Route Tables panel;
  • Select the public-subnet table, review its associations and make sure it's associated to the Public Subnet;
  • Select the private-lambda table, review its associations and make sure It's associated to all the subnets you just created.

Create an Internet Gateway

Just create one and attach it to the VPC.

Configure the routes for the Public Subnet

In my case it came configured, but just make sure that the Route Table for your Public Subnet has an entry from to your just-created Internet Gateway.

Create a NAT (network address translator)

Create a new NAT and select your Public Subnet. Allocate a new EIP.

Configure the routes for the Private Subnets

Ensure that the Route Table for your Private Subnets has an entry from to your new NAT.

And with these steps, you should now have an Internet-enabled VPC.


Use Case: configuring a Lambda for internet and RDS access

Create a Security Group for the lambda

  • New up a SG and configure Outbound -> All Traffic -> to and

Modify the Security Group of your RDS instance to allow

  • Inbound -> All traffic -> from the lambda SG

Configure the lambda

  • Create a new lambda or select an existing one;
  • Select your new VPC;
  • Select all your private subnets () for high availability;
  • Select your lambda Security Group.

And that's it. You should now have a lambda function that can access both VPC and Internet resources :)

answered Mar 20 '19 at 18:33

Phillippe SantanaPhillippe Santana

2,12722 gold badges2424 silver badges2828 bronze badges

Source: https://stackoverflow.com/questions/37135725/aws-lambda-connecting-to-internet
AWS Knowledge Center Videos: How do I give internet access to my Lambda function in a VPC?

How do I give internet access to a Lambda function that's connected to an Amazon VPC?

I want my AWS Lambda function that's connected to an Amazon Virtual Private Cloud (Amazon VPC) to have access to the internet. How do I set that up?

Short description

Resolution

(Optional) Create a new Amazon VPC using the VPC Wizard in the AWS Management Console

Note: If you use the VPC wizard to create a new Amazon VPC, then you can skip ahead to the following section: Create a Lambda execution role for your VPC.

1.    Open the VPC wizard in the AWS Management Console.

2.    Choose VPC with Public and Private Subnets. The new Public subnet and Private subnet, including their associated internet gateway and NAT gateway, appear in the Amazon VPC console.

Create a public subnet and one or more private subnets in your Amazon VPC

For instructions, see Create a subnet in your VPC to create each of your subnets.

When you create the subnets, for Name tag, enter a name for each subnet that identifies it as being either public or private. For example: Public subnet, Private lambda 1, and Private lambda 2.

Note: It's a best practice to create more than one private subnet across different Availability Zones. This practice creates redundancy and allows the Lambda service to maintain high availability for your function.

Create an internet gateway and attach it to your Amazon VPC

Create a NAT gateway

For instructions, see Create a NAT gateway. When you create the NAT gateway, for Subnet, choose the subnet that you want to make public. (From the previous example: Public subnet.)

Note: To test your NAT gateway setup, see Test the public NAT gateway in the Amazon VPC user guide.

Create two custom route tables—one for your public subnet and one for your private subnet

Note: An Amazon VPC-connected Lambda function randomly selects an associated subnet when making requests. All subnets that your function uses should have the same configuration to prevent random errors caused by Lambda using a misconfigured subnet.

For instructions, see Create a custom route table. When you create the route tables, for Name tag, enter a name for each route table that helps you identify which subnet it's associated with. For example: Public subnet and Private Lambda.

For each route table, make sure that you do the following:

For the public subnet's route table

1.    Associate public subnet's route table (Public subnet) with the subnet that you want to make public.

2.    Add a new route to the route table that includes the following configurations:
For Destination, enter 0.0.0.0/0.
For Target, choose Internet Gateway, and then choose the ID (igw-123example) of the internet gateway that you created.
Choose Save routes.

For the private subnet's route table

1.    Associate the private subnet's route table (Private Lambda) with the private subnets.

2.    Add a new route to the route table that includes the following configurations:
For Destination, enter 0.0.0.0/0.
For Target, choose NAT Gateway. Then, choose the ID of the NAT gateway (nat-123example) that you created.
Important: If you're using a NAT instance, choose Network Interface instead.
Choose Save routes.

Note: Make sure that the routes to your NAT gateway are in an active status. If the NAT gateway is deleted and you haven't updated the routes, they're in a blackhole status. For more information, see Updating your route table.
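The route checks this article, the Theodo tutorial's steps 3 and 4 and the Lambda developer guide's note all describe (a 0.0.0.0/0 route to an available NAT gateway in the private route table, a 0.0.0.0/0 route to the internet gateway in the NAT gateway's public subnet, no blackhole routes, and no Lambda subnet routed straight to an internet gateway) can be run against the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` return. The Python below is an added example, not code from any of the sources on this page; it runs over a constructed sample that mirrors the public/private layout built above, with made-up resource IDs.

```python
"""Check whether a Lambda subnet really has internet egress.

Input shapes follow the JSON of `aws ec2 describe-route-tables` (RouteTables[].Routes[],
RouteTables[].Associations[]) and `aws ec2 describe-nat-gateways` (NatGateways[]).
Every ID in the sample at the bottom is constructed for this example.
"""
from typing import List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """Return the route table explicitly associated with the subnet, else the VPC's main table.

    A subnet with no explicit association falls back to the main route table, which is the
    unconfigured state the tutorials above warn about.
    """
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt: dict) -> Optional[dict]:
    """Return the 0.0.0.0/0 route of a route table, if there is one."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def check_lambda_egress(subnet_id: str, route_tables: List[dict], nat_gateways: List[dict]) -> List[str]:
    """Return the problems found; an empty list means the subnet has NAT-based internet egress."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return [f"{subnet_id}: no route table found, not even a main table"]
    route = default_route(rt)
    if route is None:
        return [f"{subnet_id}: route table {rt['RouteTableId']} has no {DEFAULT_ROUTE} route"]
    problems: List[str] = []
    if route.get("State") == "blackhole":
        problems.append(f"{subnet_id}: the {DEFAULT_ROUTE} route is blackhole, its target no longer exists")
    if route.get("GatewayId", "").startswith("igw-"):
        # Lambda ENIs never get a public IP, so a direct IGW route gives the function nothing.
        problems.append(f"{subnet_id}: {DEFAULT_ROUTE} goes straight to {route['GatewayId']}; "
                        "a function in a public subnet still has no internet, route it to a NAT gateway")
        return problems
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        problems.append(f"{subnet_id}: {DEFAULT_ROUTE} target is neither a NAT gateway nor an internet gateway")
        return problems
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
    if nat is None or nat.get("State") != "available":
        problems.append(f"{subnet_id}: NAT gateway {nat_id} is missing or not available")
        return problems
    if nat["SubnetId"] == subnet_id:
        problems.append(f"{subnet_id}: NAT gateway {nat_id} sits in the Lambda subnet itself; it belongs in a public subnet")
    nat_rt = route_table_for_subnet(route_tables, nat["SubnetId"])
    nat_route = default_route(nat_rt) if nat_rt else None
    if (nat_route is None or nat_route.get("State") == "blackhole"
            or not nat_route.get("GatewayId", "").startswith("igw-")):
        problems.append(f"{subnet_id}: NAT subnet {nat['SubnetId']} has no active {DEFAULT_ROUTE} route to an internet gateway")
    return problems


# Constructed sample: the tutorial's layout plus one subnet whose NAT gateway was deleted.
LOCAL = {"DestinationCidrBlock": "172.30.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-example", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public-example", "Associations": [{"SubnetId": "subnet-public-example"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private-example", "Associations": [{"SubnetId": "subnet-private-example"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-stale-example", "Associations": [{"SubnetId": "subnet-stale-example"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-gone-example", "State": "blackhole"}]},
]
SAMPLE_NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public-example", "State": "available"}]

if __name__ == "__main__":
    for subnet in ("subnet-private-example", "subnet-public-example", "subnet-stale-example", "subnet-orphan-example"):
        print(subnet, check_lambda_egress(subnet, SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS) or ["ok"])
```

Against a real account, load the two JSON documents from the CLI commands named in the lead-in and pass `RouteTables` and `NatGateways` to `check_lambda_egress` for each subnet in the function's VPC configuration.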

Verify that your network ACL allows outbound requests from your Lambda function, and inbound traffic as needed

Create a Lambda execution role for your VPC

1.    Open the Roles page in the AWS Identity and Access Management (IAM) console.

2.    Choose Create role. The Create role page opens.

3.    On the Create role page, do the following:
For Select type of trusted entity, choose AWS service.
For Common use cases, choose Lambda.
Choose Next: Permissions.
Under Attach permissions policies, search for AWSLambdaVPCAccessExecutionRole. Select the policy with that name. Then, choose Next: Tags.
(Optional) Add tags for your use case.
Choose Next: Review.
For Role name, enter a name for your Lambda execution role. For example: lambda_vpc_basic_execution.
(Optional) For Role description, enter a description of the role.
Choose Create role.

For more information, see AWS Lambda execution role and Creating an execution role in the IAM console.

Configure your Lambda function to connect to your Amazon VPC

1.    Open the Functions page in the Lambda console.

2.    Choose the name of the function that you want to connect to your Amazon VPC.

3.    Choose Configuration.

4.    Under Execution role, for Existing role, choose the Lambda execution role that you created.

5.    Under VPC, choose Edit. Then, do the following:
For Virtual Private Cloud (VPC), choose your VPC.
For Subnets, select the private subnets that you created. Identify them by their subnet IDs (and names, if you named them).
For Security groups, choose a security group.
Note: The default security group allows all outbound internet traffic and is sufficient for most use cases. For more information, see Security Groups for Your VPC.
Choose Save.


Source: https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

Internet access for lambda in VPC

AWS resources living inside a VPC have some security layers attached to them, and AWS Lambda is a very common case: the code of a VPC-attached Lambda is only reachable if the VPC configuration allows it, and it can only connect to the internet (to reach DynamoDB, EC2 instances, etc.) if the VPC configuration provides that access.

How to attach VPC to your lambdas:

  1. Create 2 new private subnets particularly for your lambdas and label them in such a way that they are distinguishable as private subnets.
  2. If the designated VPC has no Internet Gateway attached, create one and attach it to the VPC.
  3. Create a NAT Gateway and give it a public subnet (create one if not available).
  4. In Route Table tab, there must be 2 route tables, one for your private subnets/lambdas and other for public subnets.
    Associate public subnets to route table specified for public subnets with below configuration

  5. Associate private subnets to other route table with below configuration

  6. Create a role with the policy AWSLambdaVPCAccessExecutionRole and attach it to all lambdas that need public access.

  7. Attach VPC and private subnets to your lambdas.

Cheers :)

Source: https://dev.to/afrazkhan/internet-access-for-lambda-in-vpc-3bjp
AWS re:Invent 2020: AWS Lambda networking best practices

AWS recommends that you don't connect Lambda functions to a VPC unless absolutely necessary. This is solid advice, because doing so brings several limitations that a standard function doesn't suffer from.

One of these limitations is that your Lambda function can no longer access the internet. What many people don’t realise is that communicating with other AWS resources inside your account from your function also requires internet access (think S3, SNS, SQS, etc). This makes many common VPC use cases tricky to implement with Lambda.

Let’s take the example of a scheduled Lambda function that runs a daily report by performing a SQL query against an RDS database. Based on this query result, it then adds messages to an SQS queue for processing. VPC access is required to access the RDS database and internet access is required to post to SQS. How can you do both?

The typically recommended solution is to set up a NAT Gateway which allows your VPC-enabled Lambda running in private subnets to connect to a public subnet that has an internet gateway set up.

Eugh! 😩 The last thing I want to be doing is network configuration. Never mind the extra billing cost that I’ll incur since NAT Gateways are billed both by the hour and per GB of data processed. Pretty far from the serverless way.

Using a VPC proxy Lambda function

An alternative solution I’ve used when faced with this problem is to create what I call a “VPC proxy Lambda function”. Instead of having one Lambda function that does all your work, you have two. The first Lambda function, let’s call it (per our earlier example), is the entrypoint. It’s triggered by an event (e.g. a CloudWatch schedule rule) and it’s NOT configured to run inside the VPC. Its job is to orchestrate all I/O calls that need to be performed.

The second Lambda function is our VPC proxy, let’s call it . It’s configured to run inside the VPC and its sole responsibility is to connect to the RDS cluster, perform a query and return the result. It has no triggers configured.

VPC Proxy Lambda Function Pattern

The key thing here is that the function uses the AWS Lambda API to synchronously invoke the function, with . This means that it will wait for the response to be returned before proceeding. Once it gets the result back, it can then parse it and post jobs to SQS.

Despite executing inside the VPC, the function is still accessible to functions outside the VPC because the calling function () interacts with the AWS Lambda service API, which, like all the other AWS service APIs, is internet facing. It does not need to connect directly to the underlying container inside the VPC where the target function is executed.
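The two-function pattern described above, as an added example that is not code from the serverlessfirst post. The post leaves the function names blank; the name `daily-report-vpc-proxy`, the SQS queue URL, the `orders` table and the query are constructed, and sqlite3 stands in for the RDS connection so the proxy body runs offline. The entrypoint takes the Lambda and SQS clients' call methods as parameters so the wiring can be exercised in-process with `fake_invoke`, which mimics the response shape of a synchronous `RequestResponse` invocation, including the `FunctionError` field set when the proxy raises.

```python
"""VPC proxy Lambda pattern: an entrypoint outside the VPC synchronously invokes a
second function inside the VPC that does the database work.

Added example (not from the serverlessfirst post). Names, queue URL, table and query
are constructed; sqlite3 stands in for RDS so the proxy body runs offline.
"""
import io
import json
import sqlite3

try:
    import boto3  # present in the Lambda runtime; optional here so the example runs offline
except ImportError:
    boto3 = None

PROXY_FUNCTION_NAME = "daily-report-vpc-proxy"  # constructed name
REPORT_QUEUE_URL = "https://sqs.eu-west-1.amazonaws.com/123456789012/daily-report"  # constructed


# --- proxy function: deployed INSIDE the VPC, no triggers --------------------------

def _open_database():
    """Stand-in for an RDS connection: in-memory SQLite seeded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("acme", 120), ("acme", 80), ("globex", 40)])
    return conn


def proxy_handler(event, context=None):
    """Run the report query and return plain JSON-serialisable rows; nothing else."""
    conn = _open_database()
    try:
        cur = conn.execute(
            "SELECT customer, SUM(amount) FROM orders WHERE amount >= ? "
            "GROUP BY customer ORDER BY customer",
            (event.get("min_amount", 0),))
        rows = [{"customer": c, "total": t} for c, t in cur.fetchall()]
    finally:
        conn.close()
    return {"rows": rows}


# --- entrypoint function: deployed OUTSIDE the VPC, triggered by a schedule ---------

def call_vpc_proxy(invoke, payload):
    """Invoke the proxy synchronously and decode its JSON result.

    `invoke` is the Lambda client's invoke method, injected so it can be faked locally.
    """
    resp = invoke(FunctionName=PROXY_FUNCTION_NAME,
                  InvocationType="RequestResponse",  # wait for the result, not fire-and-forget
                  Payload=json.dumps(payload).encode())
    body = json.loads(resp["Payload"].read())
    if resp.get("FunctionError"):
        # The proxy raised; the payload then carries errorType/errorMessage from the runtime.
        raise RuntimeError(f"proxy failed: {body}")
    return body["rows"]


def entrypoint_handler(event, context=None, invoke=None, send_message=None):
    """Orchestrate the I/O: rows via the proxy, then one SQS message per row."""
    if invoke is None or send_message is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required to build real clients")
        invoke = invoke or boto3.client("lambda").invoke
        send_message = send_message or boto3.client("sqs").send_message
    rows = call_vpc_proxy(invoke, {"min_amount": event.get("min_amount", 0)})
    for row in rows:
        send_message(QueueUrl=REPORT_QUEUE_URL, MessageBody=json.dumps(row))
    return {"queued": len(rows)}


def fake_invoke(FunctionName, InvocationType, Payload):
    """Local stand-in for lambda.invoke: runs proxy_handler in-process, same response shape."""
    assert InvocationType == "RequestResponse"
    try:
        result = proxy_handler(json.loads(Payload))
        return {"StatusCode": 200, "Payload": io.BytesIO(json.dumps(result).encode())}
    except Exception as exc:
        err = {"errorType": type(exc).__name__, "errorMessage": str(exc)}
        return {"StatusCode": 200, "FunctionError": "Unhandled",
                "Payload": io.BytesIO(json.dumps(err).encode())}


if __name__ == "__main__":
    queued = []
    print(entrypoint_handler({"min_amount": 50}, invoke=fake_invoke,
                             send_message=lambda **kw: queued.append(kw)), queued)
```

In a real deployment the entrypoint's execution role needs `lambda:InvokeFunction` on the proxy and the usual SQS send permission, while only the proxy needs the VPC configuration; the entrypoint itself never touches the VPC, which is the point of the pattern.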

Limitations

There are a few limitations to be aware of with this approach.

Firstly, since you’re now using 2 Lambdas instead of 1, you will be paying for the execution time of both. While your VPC proxy function is executing and waiting on the database query to return, your entrypoint function will also still be executing (although it will be idle while waiting for the proxy function to return). This is why you might hear people saying that one Lambda function directly invoking another Lambda synchronously is an anti-pattern. I’d usually agree with that, but this use case is a valid exception IMO.

Another minor limitation is that there will be a small additional latency as you need to account for the delay in invoking 2 functions in series (cold or warm start) instead of 1. This should not be an issue if your use case is not user facing.

Source: https://serverlessfirst.com/lambda-vpc-internet-access-no-nat-gateway/


Troubleshoot networking issues in Lambda

By default, Lambda runs your functions in an internal virtual private cloud (VPC) with connectivity to AWS services and the internet. To access local network resources, you can configure your function to connect to a VPC in your account. When you use this feature, you manage the function's internet access and network connectivity with VPC resources.

Network connectivity errors can result from issues in routing configuration, security group rules, role permissions, network address translation, or the availability of resources such as IP addresses or network interfaces. They may result in a specific error or, if a request can't reach its destination, a timeout.

VPC: Function loses internet access or times out

Issue: Function loses internet access after connecting to a VPC

Error: Error: connect ETIMEDOUT 176.32.98.189:443

Error: Error: Task timed out after 10.00 seconds

When you connect a function to a VPC, all outbound requests go through your VPC. To connect to the internet, configure your VPC to send outbound traffic from the function's subnet to a NAT gateway in a public subnet. For more information and sample VPC configurations, see Internet and service access for VPC-connected functions.
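A check for the route-table configuration that both the dev.to steps above (private subnets routed to a NAT gateway, the NAT gateway in a public subnet routed to an internet gateway) and this troubleshooting entry depend on. This is an added example, not code from either source. It walks structures shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` return; the subnet, route table, NAT and IGW ids are constructed sample values. It also goes one step beyond the text by flagging a subnet whose default route points straight at an internet gateway, because Lambda network interfaces never receive a public IP, so an IGW route alone gives a VPC-connected function no return path.

```python
"""Route-table sanity check for VPC-connected Lambda functions.

Added example (not from the quoted posts). Input mirrors the shape of
`aws ec2 describe-route-tables` / `aws ec2 describe-nat-gateways` output;
all ids below are constructed.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def _route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def _default_route_target(rt):
    """Target of the 0.0.0.0/0 route (igw-..., nat-..., ...), or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def check_lambda_internet_path(route_tables, nat_gateways, lambda_subnet_ids):
    """Return a list of findings; an empty list means every subnet has a working NAT path."""
    findings = []
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    for subnet in lambda_subnet_ids:
        rt = _route_table_for_subnet(route_tables, subnet)
        if rt is None:
            findings.append(f"{subnet}: no route table found (not even a main table)")
            continue
        target = _default_route_target(rt)
        if target is None:
            findings.append(f"{subnet}: route table {rt['RouteTableId']} has no {DEFAULT_ROUTE} route")
        elif target.startswith("igw-"):
            # Lambda ENIs get no public IP, so a direct IGW route cannot carry return traffic.
            findings.append(f"{subnet}: default route points at {target}; "
                            "Lambda needs a NAT gateway, not an IGW")
        elif target.startswith("nat-"):
            nat = nats.get(target)
            if nat is None:
                findings.append(f"{subnet}: default route targets unknown NAT {target}")
                continue
            if nat.get("State") != "available":
                findings.append(f"{subnet}: NAT {target} is in state {nat.get('State')}")
            nat_rt = _route_table_for_subnet(route_tables, nat["SubnetId"])
            nat_target = _default_route_target(nat_rt) if nat_rt else None
            if not (nat_target or "").startswith("igw-"):
                findings.append(f"{subnet}: NAT {target} sits in {nat['SubnetId']}, whose route "
                                "table has no IGW default route (that subnet is not public)")
        else:
            findings.append(f"{subnet}: unexpected default-route target {target}")
    return findings


# Constructed sample: two private Lambda subnets behind a NAT in a public subnet.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-lambda-a"}, {"SubnetId": "subnet-lambda-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SAMPLE_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0example", "SubnetId": "subnet-public-a", "State": "available"}]
# Constructed mistake: the same NAT placed in one of the private subnets.
BROKEN_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0example", "SubnetId": "subnet-lambda-b", "State": "available"}]

if __name__ == "__main__":
    for nat_set in (SAMPLE_NAT_GATEWAYS, BROKEN_NAT_GATEWAYS):
        print(check_lambda_internet_path(SAMPLE_ROUTE_TABLES, nat_set,
                                         ["subnet-lambda-a", "subnet-lambda-b"]) or "OK")
```

To run it against a real account, feed the `RouteTables` and `NatGateways` lists from the two describe calls and the function's configured subnet ids; a subnet that is not explicitly associated with any table silently falls back to the main route table, which is the usual reason a freshly created private subnet has no default route at all.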

VPC: Function needs access to AWS services without using the internet

Issue: Function needs access to AWS services without using the internet

To connect to AWS services from a private subnet with no internet access, use VPC endpoints. For a sample template with VPC endpoints for DynamoDB and Amazon S3, see Sample VPC configurations.

VPC: Limit was reached for the function's VPC

Error: ENILimitReachedException: The elastic network interface limit was reached for the function's VPC.

When you connect a function to a VPC, Lambda creates an elastic network interface for each combination of subnet and security group attached to the function. These network interfaces are limited to 250 per VPC, but this limit can be increased. To request an increase, use the Support Center console.

Source: https://docs.aws.amazon.com/lambda/latest/dg/troubleshooting-networking.html

