Reputation: 339
Google has a really hard time distinguishing these two concepts:
1. Created API from APIGW -> your lambda
2. Your lambda -> calling the AWS API to get OR create APIGW resources like new API keys, etc.
I need the latter (2).
I have a python boto3 client running in a lambda function which calls the function get_rest_apis
from API Gateway itself (list the APIs I've created, as can be seen in the AWS account web console).
Lambda function invocation fails to actually reach amazon's service
"Connect timeout on endpoint URL: \"https://apigateway.us-east-2.amazonaws.com/"
This Lambda func is required to live in the VPC, because it also accesses private resources only there. Lambda is in public subnets of VPC with security group which allows all inbound+outbound.
Also, to be clear, the lambda code which grabs the APIGW data using the API client succeeds at reaching this URL only if the lambda runs outside the VPC (if I remove the VPC config entirely and the lambda runs on the AWS side). I cannot solve it this way, as it's required to actually work within the bounds of the VPC.
The lambda is allocated on a public subnet which can access the internet through an Internet Gateway, as every other resource on the public subnet does.
What else can be getting in the way of my successful connection to apigateway..amazonaws.com?
I had a similar problem to this with AWS Secrets Manager that was solved by using a VPC endpoint. I cannot find a way to configure a VPC endpoint to sequester access to the APIGW API in the same way, however. Google fails me because it thinks I'm asking a different question.
Anyone who might be able to throw ideas at this is immensely appreciated, thanks!
Upvotes: 0
Views: 1279
Reputation: 339
I think I found my answer shortly after posting the question -
It seems when you allocate a Lambda function onto your VPC in a public subnet, it cannot access the internet even though it looks like it can via the IGW route.
When I changed the Lambda VPC config to use only private subnets (which, instead of an IGW, happen to route traffic to the internet via a NAT gateway), it now works.
The best explanation I can find is that if the lambda is on a public subnet which only has an IGW route, the lambda still doesn't have an addressable IP to use the IGW. It works with the NAT, and my private subnet resources happen to be running internet outbound through a NAT, which works.
Pretty obscure!
AWS docs which say to use only NAT for Lambda: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
Upvotes: 0
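The failure mode in the accepted answer (Lambda ENIs never receive a public IPv4 address, so a 0.0.0.0/0 route pointing at an Internet Gateway is unusable to them, while a route to a NAT gateway works) can be caught before deployment by auditing the subnets in a function's VPC config. The script below is an added example, not the poster's code or anything from AWS; it is pure Python with no boto3 dependency and runs on constructed data shaped like the `RouteTables` and `Subnets` lists returned by EC2 `describe_route_tables` and `describe_subnets`. The function and subnet names, gateway IDs and the `audit_lambda_subnets` / `subnets_without_egress` helpers are all hypothetical; in a real check you would replace the constructed lists with the output of those two boto3 calls and the subnet list with the function's `VpcConfig.SubnetIds`.

```python
"""Audit Lambda VPC subnets for usable outbound internet egress.

Added example. Route-table resolution follows the EC2 rules: a subnet uses
the route table it is explicitly associated with, otherwise the VPC's main
route table. A default (0.0.0.0/0) route that targets an Internet Gateway
is classified "igw", which a Lambda ENI cannot use (no public IP); a route
to a NAT gateway is "nat"; no default route at all is "none".
"""

# --- constructed sample data (not real AWS resources) --------------------
ROUTE_TABLES = [
    {   # main table: local route only, used by any subnet with no explicit association
        "RouteTableId": "rtb-main", "VpcId": "vpc-example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # "public" subnets: default route via an Internet Gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-example",
        "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
        ],
    },
    {   # "private" subnet: default route via a NAT gateway
        "RouteTableId": "rtb-private", "VpcId": "vpc-example",
        "Associations": [{"SubnetId": "subnet-private-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
        ],
    },
]

SUBNETS = [
    {"SubnetId": "subnet-public-a", "VpcId": "vpc-example"},
    {"SubnetId": "subnet-public-b", "VpcId": "vpc-example"},
    {"SubnetId": "subnet-private-a", "VpcId": "vpc-example"},
    {"SubnetId": "subnet-isolated", "VpcId": "vpc-example"},  # falls back to the main table
]


def route_table_for(subnet_id, vpc_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if rt.get("VpcId") == vpc_id and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def egress_kind(route_table):
    """Classify the active default route: 'igw', 'nat', 'other' or 'none'."""
    if route_table is None:
        return "none"
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackholed routes do not count
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        return "other"  # e.g. a transit gateway or NAT instance; needs manual review
    return "none"


def audit_lambda_subnets(lambda_subnet_ids, subnets, route_tables):
    """Map each subnet in the Lambda VpcConfig to its egress kind."""
    vpc_of = {s["SubnetId"]: s["VpcId"] for s in subnets}
    return {
        sid: egress_kind(route_table_for(sid, vpc_of.get(sid), route_tables))
        for sid in lambda_subnet_ids
    }


def subnets_without_egress(verdicts):
    """Subnets whose ENIs cannot reach public AWS endpoints such as apigateway.<region>.amazonaws.com."""
    return [sid for sid, kind in verdicts.items() if kind in ("igw", "none")]


if __name__ == "__main__":
    configured = ["subnet-public-a", "subnet-private-a", "subnet-isolated"]
    verdicts = audit_lambda_subnets(configured, SUBNETS, ROUTE_TABLES)
    for sid, kind in verdicts.items():
        print(f"{sid}: {kind}")
    bad = subnets_without_egress(verdicts)
    if bad:
        print("Lambda will time out on public AWS APIs from:", ", ".join(bad))
```

Note that a route table resolved to "igw" is exactly the configuration the question describes: fine for an EC2 instance with a public IP, silently dead for a Lambda ENI. A subnet classified "none" is still usable when every AWS service the function talks to has an interface VPC endpoint, which is why the Secrets Manager case in the question worked that way.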