Reputation: 2378
I'm trying to access an AWS ElastiCache cluster from a Lambda function using the Serverless framework (v 0.5.6) without losing access to DynamoDB. I have tried using this Gist with no luck. Inside the Lambda function, the first thing I do is connect to the Redis instance, but I keep getting timeouts. I have double-checked the CloudFormation output variables and their visibility inside the function, and the Lambda roles/policies for VPC, but still nothing... I also haven't found any guide on how to create VPCs and security groups with CloudFormation and Serverless in order to create public and private subnets, NATs and Internet gateways as suggested here. Can anyone help?
Upvotes: 6
Views: 8264
Reputation: 844
Adding a summary of how I set this up:
create a new VPC
create 3 private subnets and 2 public subnets
create a security group
create a new IGW
create a new NAT
we need 2 route tables
Lambda configuration
references:
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
https://docs.aws.amazon.com/lambda/latest/dg/services-elasticache-tutorial.html
Upvotes: 0
Reputation: 476
While it's not properly documented, you can actually configure the VPC directly in the serverless config file (see link).
Version 0.5
# s-function.json
{
  "name": "hello",
  "runtime": "nodejs4.3",
  "handler": "handler.hello",
  "endpoints": [],
  "events": [],
  "vpc": {
    "securityGroupIds": ["sg-123456"],
    "subnetIds": [
      "subnet-abc1",
      "subnet-abc2",
      "subnet-abc3"
    ]
  }
}
Version 1.0
# serverless.yaml
service: aws-hello
provider: aws
runtime: nodejs4.3
vpc:
  securityGroupIds:
    - "sg-123456"
  subnetIds:
    - "subnet-abc1"
    - "subnet-abc2"
    - "subnet-abc3"
functions:
  foo: # inherits the VPC config
    handler: src/handler.foo
  bar: # overwrites the VPC config
    handler: src/handler.bar
    vpc:
      securityGroupIds:
        - "sg-999999"
      subnetIds:
        - "subnet-zzz9"
Upvotes: 2
Reputation: 200998
You will have to place the Lambda function inside the VPC that the ElastiCache cluster resides in. Of course once you do that the Lambda function only has access to resources that exist inside the VPC, so it will no longer have access to DynamoDB. The solution to that is to add a NAT gateway to the VPC, which will allow the Lambda function to access resources outside the VPC.
I would think that setting up the VPC and NAT gateway would fall outside the Serverless framework, but I'm not an expert in that framework. I would suggest looking into configuring that manually via the AWS console or doing it through something like CloudFormation, and then simply specifying in your Serverless framework configuration the VPC that it needs to use.
Upvotes: 5
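An added example, not taken from any of the answers above, that checks the point the step-by-step answer (IGW, NAT, two route tables) and the last answer both rely on: a Lambda ENI never gets a public IP, so the subnets listed in the function's VPC config must carry a 0.0.0.0/0 route to a NAT gateway, while a route to an internet gateway (a "public" subnet) leaves the function without access to DynamoDB. The route tables are constructed sample data in the shape of the EC2 DescribeRouteTables response, and every ID in them is made up.

```python
"""Classify the default route of each subnet a Lambda function is attached to.
A Lambda ENI never gets a public IP, so a 0.0.0.0/0 route to an internet
gateway (a "public" subnet) gives the function no outbound access; only a
NAT gateway route does.  Sample data below is constructed in the shape of the
EC2 DescribeRouteTables response; it is not from a real account."""

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [  # constructed sample, IDs are made up
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-pub"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-iso"}],
     "Routes": [LOCAL]},
]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_kind(subnet_id, route_tables=ROUTE_TABLES):
    """'nat'  = NAT gateway default route (works for Lambda),
    'igw'  = internet gateway default route (public subnet, does not work),
    'none' = no default route at all (VPC-internal access only)."""
    rt = route_table_for(subnet_id, route_tables)
    for route in (rt["Routes"] if rt else []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


def bad_lambda_subnets(subnet_ids, route_tables=ROUTE_TABLES):
    """Subnets from a Lambda VpcConfig that would leave it without internet access."""
    return {s: egress_kind(s, route_tables) for s in subnet_ids
            if egress_kind(s, route_tables) != "nat"}
```

Feed it the subnet IDs from the function's VPC config together with the output of `aws ec2 describe-route-tables` for that VPC; an empty result means every subnet routes out through a NAT gateway.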