Reputation: 8224
AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access
As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.
So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination: 0.0.0.0/0 and target as my NAT gateway's id, I got an error that
An entry with this destination already exists
I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:
- Are accessible only via SSH and the rest of the traffic is blocked
- Are able to completely access other EC2 instances in the same VPC
- Lambda function having access to this VPC can access outside resources like SQS and Kinesis.
Upvotes: 42
Views: 34098
Answers (6)
Reputation: 33
For using your Lambda inside of your VPC and internet access:
I believe, most of you already have IGW ,that you're working with inside of your VPC and working with internet,so no need create a new one.
Steps worked for me:
Create a new subnets (recommended 2 or more) under your main VPC. Give it new CIDR with a mask ,you think it'll be count of network interfaces use in your Lambda.(I did X.X.X.X/28 , because for us it's enough)
Create NAT Gateway , add to it Elastic IP or create new EIP and add it to your main Subnet under your VPC. (remember it'll work if you already have Internet Gateway)
Create Route table and add 0.0.0.0/0 route to Target - Nat Gateway ID (nat-xxxxxxxxxxxxxxxxx)that we've created (step 2)
Create new Security Groups (ALL to ALL) for your lambda to work with internet. I believe it's secure to add 0.0.0.0/0 to lambda for internet.
Open lambda - choose your VPC, add SG that's you're working with and add new created from the step 4 to work with internet. press Save and Test.
Upvotes: 1
Reputation: 1822
Hey guys I developed a step by step tutorial with explicit screenshots about it:
Part I
- Create a lambda function in AWS
- Create an API Gateway to redirect all the requests to your AWS Lambda Function https://medium.com/@shontauro/how-can-i-turn-my-restful-api-into-a-serverless-application-and-deploy-it-to-aws-lambda-step-by-ec7ce38e18be
Part II
- Configure a VPC for your lambda function
- Grant internet access to the lambda function in a safety way
- Deploy the Node.js Restful API into your Lambda Function https://medium.com/@shontauro/how-can-i-turn-my-restful-api-into-a-serverless-application-and-deploy-it-to-aws-lambda-step-by-8ff6cc97780f
Upvotes: 3
Reputation: 612
You actually don't need to create Internet and NAT gateways anymore:https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/
Upvotes: -2
Reputation: 5214
I found a good detailed tutorial on how to allow your lambda to connect to both VPC ressources and the internet here: https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
A quick walk-through:
- setup new subnets for your lambda (with CIDRs not overlapping your existing subnets). You need:
- one subnet which will be pointing to an Internet Gateway (IGW) to be used by the NAT (let's call it A)
- several pointing to the NAT to be used by your lambda (B, C and D)
- add a NAT gateway: set the subnet to A
- set your lambda VPC subnets to B, C and D
- create 2 routes table:
- one that points to your NAT with destination 0.0.0.0/0
- one that points to your IGW (should already exists) with destination 0.0.0.0/0
- update the subnet A to use the route table pointing to the IGW
- update the subnets B, C and D to use the route table pointing to the NAT
Hope this helps.
Upvotes: 52
Reputation: 179084
You need two different subnets. It sounds as if you only have one.
Lambda can only use private subnets inside VPC.
Definition of a private subnet: the default route is a NAT instance (which most be on a different, public subnet) or a NAT Gateway, and no machines in the subnet have a public IP address. Machines with public IP addresses are allowed on a private subnet, but for the most part, they will not work properly, because this is technically a misconfiguration.
Definition of a public subnet: the default route is the igw-xxxxxxxx Internet Gateway object, and machines have public IP addresses assigned. Machines without public IP addresses are allowed on a public subnet, but they will not be able to access the Internet, because this is a misconfiguration.
It sounds like you are trying to change your existing subnet from public to private by changing the default route. As expected, this breaks other things.
See also Why do we need private subnet in VPC?
Upvotes: 11
Reputation: 10566
You need both the IGW and the NAT gateway for this to work.
In the public subnets (ones you want to reach from outside) point the 0.0.0.0/0 traffic to the IGW gateway. The NAT gateway itself needs to sit in one of these public subnets.
In the private subnets that you want to NAT point 0.0.0.0/0 traffic to the NAT gateway elastic network interface.
If 0.0.0.0/0 is aleady bound to the gateway you need to remove that and add it pointing the NAT gateway.
See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
Upvotes: 38
Related Questions
- Invoking a Lambda function from another Lambda Function Inside of a VPC
- Why can't an AWS lambda function inside a public subnet in a VPC connect to the internet?
- AWS VPC with both internet gateway and NAT
- AWS Lambda in VPC sometimes doesn't have internet access
- NAT Gateway with Internet Gateway and lambda
- AWS Lambda Function in VPC With Internet Gateway Still Can't access Internet
- AWS Lambda function using Boto3 timeout