Maldanna Gk

Reputation: 195

AWS Lambda function can't invoke another Lambda function in the same VPC

I created one VPC 10.5.0.0/16 with 2 subnets (10.5.1.0/24, 10.5.4.0/24).

I created a security group:

Inbound rules:

Type         Protocol   Port range   Source       Description - optional
All traffic  All        All          0.0.0.0/0    allowing traffic from same security group
All traffic  All        All          ::/0         allowing traffic from same security group

Outbound rules:

Type         Protocol   Port range   Destination  Description - optional
All traffic  All        All          0.0.0.0/0    allowing traffic from same security group
All traffic  All        All          ::/0         allowing traffic from same security group

Now I created 2 Lambda functions with a proper IAM role (which contains an invoke policy). These 2 Lambda functions are in the same VPC, subnets and security groups.

Case 1:

Case 2:

I think I am missing something but I can't figure it out. Any suggestions?

Upvotes: 10

Views: 7031

Answers (5)

I have had the same issue. We have 2 Lambdas running in the same VPC, with the same subnets and the same route table. Still, Lambda1 was unable to call Lambda2. While going through this post I realized that the invoke permission is the issue. So I created an invoke function permission in Lambda2 (the service being called) as below: Lambda - Permissions - Resource-based policy statements -> Add permissions - for AWS service -> in that, for "Service" I selected API Gateway and in the "Source ARN" entered the ARN of Lambda2 (the service being called).

And it worked.

Upvotes: 0

satyajit_ghana

Reputation: 146

It turns out that after the introduction of AWS PrivateLink for AWS Lambda, it's possible to invoke one Lambda from another, with both of them in a VPC that does not need internet access.

Some nice tutorials can be found here (must read):

Here's what I did that worked (there might be redundant steps, but it worked):

  1. Created a new security group (sg-abc) and assigned it to both Lambdas
  2. Modified the default SG to allow inbound traffic from sg-abc on All Traffic, and also modified sg-abc to allow All Traffic from the default SG
  3. Created a new endpoint for com.amazonaws.ap-south-1.lambda (use your preferred location) and assigned both the default SG and sg-abc to it
  4. Modified my first Lambda's resources to allow lambda:Invoke (I'm using serverless.yml)
  5. That's it! I was now able to invoke one Lambda from another, without needing to set up NAT, IGW and the like. It's so much easier this way.

Upvotes: 4

John Rotenstein

Reputation: 269101

Regarding the Security Groups...

Calls made to invoke an AWS Lambda function are made to the AWS Lambda service, which lives on the Internet.

If Lambda-1 invokes Lambda-2, there is no need for them to be in the same VPC and there is no need for them to be accessible to each other via a Security Group.

In fact, the normal security group configuration for AWS Lambda functions is:

  • Inbound: No inbound rules are required because functions are invoked by the AWS Service. Nothing connects 'to' an AWS Lambda function.
  • Outbound: It is normal to permit all outbound traffic because you can 'trust' your own code.

Example

Let's say that you have an AWS Lambda function calling an Amazon RDS database. The configuration would be:

  • A security group on the Lambda function (Lambda-SG) with no inbound rules, default outbound rules (All Traffic)
  • A security group on the RDS database (RDS-SG) that permits all inbound connections from Lambda-SG and default outbound rules (All Traffic)

This means that the Lambda function can communicate with the RDS database (since RDS-SG specifically references Lambda-SG) but nothing else would be permitted to access the RDS database.

Upvotes: 1
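The two patterns from the answers above, the security-group-to-security-group reference (Lambda-SG referenced by the callee's group, here an endpoint rather than RDS) and the Lambda interface endpoint from the PrivateLink answer, combined into one CloudFormation template. This is an added example, not code from the question or from either answerer; it assumes the VpcId, SubnetIds and CalleeFunctionArn parameters are supplied and that the callee function already exists.

```yaml
Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  SubnetIds: {Type: List<AWS::EC2::Subnet::Id>}
  CalleeFunctionArn: {Type: String}   # assumption: the callee already exists
Resources:
  # Lambda-SG for the caller: no inbound rules, outbound HTTPS only
  LambdaSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: caller Lambda, no inbound
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  # Endpoint SG: admits HTTPS only from LambdaSG (a group reference, not a CIDR)
  EndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref LambdaSG}
  # Interface endpoint for the Lambda API; private DNS makes the SDK's default
  # lambda.<region>.amazonaws.com name resolve to the endpoint inside the VPC
  LambdaEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.lambda
      VpcId: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: [!Ref EndpointSG]
      PrivateDnsEnabled: true
      PolicyDocument:   # endpoint policy: only the callee may be invoked through it
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: lambda:InvokeFunction
            Resource: !Ref CalleeFunctionArn
  # Execution role for the caller: ENI permissions for VPC mode plus invoke scoped to the callee
  CallerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - {Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: sts:AssumeRole}
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: invoke-callee
          PolicyDocument:
            Statement:
              - {Effect: Allow, Action: lambda:InvokeFunction, Resource: !Ref CalleeFunctionArn}
```

Private DNS on the endpoint only takes effect when the VPC has DNS support and DNS hostnames enabled; attach LambdaSG and the listed subnets to the caller function, and the callee's own resource policy is not needed when the caller's execution role carries the invoke permission.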

Marcin

Reputation: 238051

I think I am missing something but I can't figure it out

Unfortunately, the only way to invoke a Lambda function is through the public Lambda service endpoint. Since a Lambda function in a VPC has neither internet access nor a public IP, you can't invoke one Lambda function from another one in a VPC without access to the internet. From the docs:

Connecting a function to a public subnet does not give it internet access or a public IP address.

The fact that they are in the same VPC or even the same subnet is, sadly, irrelevant.

To rectify the issue, the invoking function must have access to the internet, since the Lambda service does not have a VPC interface endpoint. This can be achieved by placing it in a private subnet and using a NAT gateway/instance with correctly configured route tables to provide the access.

Upvotes: 13

jellycsc

Reputation: 12259

Lambdas inside a VPC without a NAT gateway don't have internet access. Invoking a Lambda function requires the caller to be able to connect to AWS APIs, which typically means that the caller needs internet access. The exceptions are the services that support VPC endpoints; in that case, a caller inside the VPC can connect to the service APIs privately. Unfortunately, Lambda isn't one of the services that support VPC endpoints.

Upvotes: 2
