Carlos Castellanos

Reputation: 2378

Connect Lambda to ElastiCache using Serverless framework

I'm trying to access an AWS ElastiCache cluster from a Lambda function using the Serverless framework (v 0.5.6) without losing access to DynamoDB. I have tried using this Gist with no luck. Inside the Lambda function, the first thing I do is connect to the Redis instance, but I keep getting timeouts. I have double-checked the CloudFormation output variables and their visibility inside the function, and the Lambda roles/policies for VPC, but still nothing... I also haven't found any guide on how to create VPCs and security groups with CloudFormation and Serverless in order to create public and private subnets, NATs and Internet gateways as suggested here. Can anyone help?

Upvotes: 6

Views: 8264

Answers (3)

Dhruv garg

Reputation: 844

Adding a summary of how I set this up:

  • create a new VPC
  • create 3 private subnets and 2 public subnets
    • multiple subnets are created for redundancy
  • create a security group
    • with inbound traffic to
      • ElastiCache port
    • with outbound traffic to
      • all ports for internet access
  • create a new IGW
    • attach this IGW to the VPC
  • create a new NAT
    • select a public lambda
    • public connectivity type
  • we need 2 route tables
    • 1 for private subnets
      • this will have NAT and private subnets
    • another for public subnets with internet access
      • this will have IGW and public subnets
  • Lambda configuration
    • attach IAM policies to Lambda functions: AWSLambdaVPCAccessExecutionRole
    • attach private subnets to Lambda
    • select security group for Lambda

references:

https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

https://docs.aws.amazon.com/lambda/latest/dg/services-elasticache-tutorial.html

Upvotes: 0

trajan

Reputation: 476

While it's not properly documented, you can actually configure VPC directly in the serverless config file (see link)

Version 0.5

# s-function.json

{
  "name": "hello",
  "runtime": "nodejs4.3",
  "handler": "handler.hello",
  "endpoints": [],
  "events": [],
  "vpc": {
    "securityGroupIds": ["sg-123456"],
    "subnetIds": [
      "subnet-abc1",
      "subnet-abc2",
      "subnet-abc3"
    ]
  }
}

Version 1.0

# serverless.yaml

service: aws-hello
provider:
  name: aws
  runtime: nodejs4.3
  vpc:
    securityGroupIds:
      - "sg-123456"
    subnetIds:
      - "subnet-abc1"
      - "subnet-abc1"
      - "subnet-abc1"
functions:
   foo:                           # inherits the VPC config
     handler: src/handler.foo
   bar:                           # overwrites the VPC config
     handler: src/handler.bar
     vpc:
       securityGroupIds:
         - "sg-999999"
       subnetIds:
         - "subnet-zzz9"

Upvotes: 2

Mark B

Reputation: 200998

You will have to place the Lambda function inside the VPC that the ElastiCache cluster resides in. Of course once you do that the Lambda function only has access to resources that exist inside the VPC, so it will no longer have access to DynamoDB. The solution to that is to add a NAT gateway to the VPC, which will allow the Lambda function to access resources outside the VPC.

I would think that setting up the VPC and NAT gateway would fall outside the Serverless framework, but I'm not an expert in that framework. I would suggest looking into configuring that manually via the AWS console or doing it through something like CloudFormation, and then simply specifying in your Serverless framework configuration the VPC that it needs to use.

Upvotes: 5
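
The NAT and security-group setup the answers describe, written as a CloudFormation template. This is an added example, not code from any of the posters: all resource and parameter names are made up here, and it assumes the VPC, both subnets, and an Internet gateway route on the public subnet already exist, and that Redis listens on its default port 6379.

```yaml
# Added example (assumed names); the VPC, an Internet gateway on the public
# subnet's route table, and both subnets are assumed to exist already.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnetId: {Type: "AWS::EC2::Subnet::Id"}    # hosts the NAT gateway
  PrivateSubnetId: {Type: "AWS::EC2::Subnet::Id"}   # attached to the Lambda
Resources:
  LambdaSecurityGroup:            # no ingress rules; default egress allows all
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda functions that talk to Redis
      VpcId: !Ref VpcId
  RedisSecurityGroup:             # attach this one to the ElastiCache cluster
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redis reachable only from the Lambda security group
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 6379          # default Redis port; adjust if yours differs
          ToPort: 6379
          SourceSecurityGroupId: !GetAtt LambdaSecurityGroup.GroupId
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:            # outbound path to DynamoDB's public endpoint
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable
Outputs:
  LambdaSecurityGroupId:          # goes in vpc.securityGroupIds
    Value: !GetAtt LambdaSecurityGroup.GroupId
```

Referencing the Lambda security group as the ingress source, rather than a CIDR range, keeps Redis reachable only from functions that carry that group. The association resource fails if the private subnet already has an explicit route table association, so remove the existing one first.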
