DatenBergwerker

Reputation: 193

AWS Lambda Function cannot access other services

I have a problem with an AWS Lambda Function which depends upon DynamoDB and SQS to function properly. When I try to run the lambda stack, they time out when trying to connect to the SQS service. The AWS Lambda Function lies inside a VPC with the following setup:

Traffic between lambdas and the MySQL instance is no problem (except if I put the lambdas outside the VPC, then they can't access the server even if I open up all ports). Assume the code for the lambdas is also correct, as it worked before I tried to mask it in a private net. Also the lambda execution roles have been set accordingly (or do they need adjustments after moving them to a private net?).

Adding a DynamoDB endpoint solved the problems with the database, but there are no VPC endpoints available for some of the other services. Following some answers I found here, here, here and in the announcements / tutorials here and here, I am pretty sure I followed all the recommended steps.

I would be very thankful and glad for any hints where to check next, as I currently have no idea what could be the problem here.

EDIT: The functions don't seem to have any internet access at all, since a toy example I checked also timed out:

```python
import urllib.request

def lambda_handler(event, context):
    test = urllib.request.urlopen(url="http://www.google.de")
    return test.status
```

Upvotes: 1

Views: 1012

Answers (2)

DatenBergwerker

Reputation: 193

Of course the problem was sitting in front of the monitor again. Instead of routing 0.0.0.0/0 (any traffic) to the internet gateway, I had just specified 0.0.0.0/16 (traffic from machines with a 0.0.x.x IP) to the gate. Since no machines with such an IP exist, any traffic was blocked from entering or leaving the VPC.

@John Rotenstein: Thx, though, for the hint about lambdash. It seems like a very helpful tool.

Upvotes: 2
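The route-table typo from the answer above, reproduced offline as an added example (not code from the original posts): a route's destination CIDR is compared with the address a packet is headed to, so `0.0.0.0/16` covers only `0.0.x.x` destinations and leaves public addresses without a route. The route entries use the `DestinationCidrBlock` and `GatewayId` field names from the EC2 route-table API; the table names, gateway ID and test addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample route tables (names and gateway ID are placeholders).
SAMPLE_ROUTE_TABLES = {
    "rtb-typo": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/16", "GatewayId": "igw-placeholder"},
    ],
    "rtb-fixed": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"},
    ],
}


def matching_route(routes, destination_ip):
    """Return the most specific IPv4 route covering destination_ip, or None."""
    ip = ipaddress.ip_address(destination_ip)
    best_net, best_route = None, None
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:  # IPv6 and prefix-list routes are out of scope here
            continue
        net = ipaddress.ip_network(cidr)
        # Longest-prefix match: keep the narrowest network containing the IP.
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def suspicious_routes(routes):
    """Flag destinations that look like a mistyped default route (0.0.0.0/N, N > 0)."""
    return [
        r["DestinationCidrBlock"]
        for r in routes
        if r.get("DestinationCidrBlock", "").startswith("0.0.0.0/")
        and r["DestinationCidrBlock"] != "0.0.0.0/0"
    ]


if __name__ == "__main__":
    for name, routes in SAMPLE_ROUTE_TABLES.items():
        hit = matching_route(routes, "203.0.113.10")  # documentation-range address
        target = hit["GatewayId"] if hit else "no route (connection times out)"
        print(f"{name}: 203.0.113.10 -> {target}; suspicious: {suspicious_routes(routes)}")
```
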

John Rotenstein

Reputation: 269101

Your configuration sounds correct.

You should test the configuration to see whether you can access any public Internet sites, then test connecting to AWS.

You could either write a Lambda function that attempts such connections, or you could use lambdash, which effectively gives you a remote shell running on Lambda. This way, you can easily test connectivity from the command line, such as with curl.

Upvotes: 1
