AWS Lambda function can't reach the internet

I am running a Lambda function that I would like to have access to both a private database server and the internet. I can reach the database just fine, but I am not able to reach the internet.

The setup:

VPC (10.0.0.0/16)
   Public-Subnet (10.0.0.0/24)
      NAT-Security-Group (see security groups below)
         NAT-Server (AMI NAT instance)

   Private-Subnet-1 (10.0.1.0/24) & Private-Subnet-2 (10.0.2.0/24)
      DB-Security-Group (see security groups below)
         DB-Server (RDS PostgreSQL instance)

      Lambda-Security-Group (see security groups below)
         Lambda-Function

The security groups are:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from 0.0.0.0/0
   Outbound:
      All traffic

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      All traffic

Lambda-Security-Group
   Inbound:
      HTTP & HTTPS from source: NAT-Security-Group
   Outbound:
      All traffic

The routing tables for the subnets are:

Public-Subnet:
   10.0.0.0/16 local
   0.0.0.0/0 Internet-Gateway

Private-Subnet-1 & Private-Subnet-2
   10.0.0.0/16 local
   0.0.0.0/0 NAT-Server

I'm at a loss here. Why can't the Lambda function reach the internet (connection timeout errors)?

You need to create a NAT Gateway in a public subnet and route the egress traffic from the subnet where the Lambda is placed through the NAT Gateway.

To do this, set up the NAT Gateway as the default gateway in the routing table attached to the subnet the Lambda is placed in.

For more details, refer to Internet Access for Lambda Functions in the documentation.

Lambda in a public subnet

Since you just need to communicate with the DB from the Lambda, place the Lambda in the public subnet and you don't need to have a NAT gateway installed. Anyway, there won't be direct access to the Lambda as there is with an ELB; it has to be attached to API Gateway for any access through an API endpoint.

Lambda in a private subnet

  • Add a route out via the NAT for all addresses (0.0.0.0/0) to the route table associated with the private subnet.
  • Add a route out to the IGW for all addresses (0.0.0.0/0) to the route table associated with the public subnet.
  • Place the NAT in the public subnet.

This should solve the problem of accessing the internet from the Lambda. But it is only of much use if you are going with the DB installed on EC2, for future patch management or any other kind of access from a bastion host. If going with RDS, there is no point putting the Lambda in a private subnet.

The issue was with the inbound/outbound rules for the security groups. With the configuration above, I updated the security groups to match:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from source: 0.0.0.0/0
   Outbound:
      HTTP & HTTPS to destination: 0.0.0.0/0

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      None

Lambda-Security-Group
   Inbound:
      None
   Outbound:
      HTTP & HTTPS to destination: NAT-Security-Group
      PostgreSQL to destination: DB-Security-Group

The Lambda function now has internet connectivity.
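As an added example, not part of the question or of any answer above, here is a small Python model of the VPC described in the question that walks a new TCP flow the way the AWS data path does: the source group's outbound rules, a longest-prefix lookup in the source subnet's route table, then the next hop's inbound rules (security groups are stateful, so the reply direction needs no rule). It serves both the routing answers (0.0.0.0/0 through a NAT in the public subnet, IGW from the public subnet) and the accepted answer's security groups. The host names, private IPs, route tables and rules are constructed here to mirror the question and the accepted answer. One deliberate difference, added as a caveat: the Lambda group's outbound HTTP/HTTPS rules are built with destination 0.0.0.0/0 by default, because a group-referenced destination only matches packets addressed to the private IPs of interfaces in that group, and internet-bound packets carry the internet host's address even though the NAT instance is the next hop; `question_vpc(sg_referenced_egress=True)` builds the variant with NAT-Security-Group as the destination so the checker can show the difference. The model also treats the internet gateway as forwarding only for interfaces that own a public IP, which a Lambda ENI never has; it does not model NACLs or the NAT instance's source/destination check.

```python
import ipaddress
from collections import namedtuple

ANY = "all"  # wildcard for a rule's protocol or port
# peer is a CIDR such as "0.0.0.0/0" or the name of a security group
Rule = namedtuple("Rule", "proto port peer")
SecurityGroup = namedtuple("SecurityGroup", "name inbound outbound")
# ip: private IP (constructed); subnet selects the route table; public_ip: NAT has one
Host = namedtuple("Host", "name ip subnet sg public_ip")


def rule_matches(rule, proto, port, peer_ip, peer_sg):
    """A group-referenced peer matches only an interface that is in that group."""
    if rule.proto not in (ANY, proto) or rule.port not in (ANY, port):
        return False
    if "/" in rule.peer:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)
    return rule.peer == peer_sg


def route_lookup(route_table, dst_ip):
    """Longest-prefix match over (cidr, target) entries, as a VPC route table does."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class Vpc:
    def __init__(self, hosts, groups, route_tables):
        self.hosts = {h.name: h for h in hosts}
        self.groups = {g.name: g for g in groups}
        self.route_tables = route_tables  # subnet name -> [(cidr, target)]

    def host_by_ip(self, ip):
        return next((h for h in self.hosts.values() if h.ip == ip), None)

    def allowed(self, group, direction, proto, port, peer_ip, peer_sg):
        rules = getattr(self.groups[group], direction)
        return any(rule_matches(r, proto, port, peer_ip, peer_sg) for r in rules)

    def reach(self, src_name, dst_ip, port, proto="tcp"):
        """(ok, path) for a new flow. Only the forward direction is checked:
        security groups are stateful, so the reply needs no rule of its own."""
        src = self.hosts[src_name]
        dst = self.host_by_ip(dst_ip)
        path = [src.name]
        if not self.allowed(src.sg, "outbound", proto, port, dst_ip, dst.sg if dst else None):
            return False, path + [f"egress blocked by {src.sg}"]
        target = route_lookup(self.route_tables[src.subnet], dst_ip)
        if target is None:
            return False, path + ["no route"]
        if target == "local":
            if dst is None:
                return False, path + ["no such host in VPC"]
            if not self.allowed(dst.sg, "inbound", proto, port, src.ip, src.sg):
                return False, path + [f"ingress blocked by {dst.sg}"]
            return True, path + [dst.name]
        if target == "Internet-Gateway":
            # The IGW forwards only for interfaces that own a public IP. A Lambda ENI
            # never does, so a function in a public subnet still has no internet path.
            if not src.public_ip:
                return False, path + ["IGW: source has no public IP"]
            return True, path + ["Internet-Gateway", dst_ip]
        # Any other target is a NAT instance in this VPC: its group must admit the
        # flow, then it forwards from its own subnet (source/dest check not modelled).
        nat = self.hosts[target]
        if not self.allowed(nat.sg, "inbound", proto, port, src.ip, src.sg):
            return False, path + [f"ingress blocked by {nat.sg}"]
        ok, rest = self.reach(nat.name, dst_ip, port, proto)
        return ok, path + rest


def question_vpc(sg_referenced_egress=False):
    """The question's VPC with the accepted answer's groups. By default the Lambda
    group's HTTP/HTTPS egress goes to 0.0.0.0/0; with sg_referenced_egress=True it
    references NAT-Security-Group instead, as the accepted answer lists it."""
    www = "NAT-Security-Group" if sg_referenced_egress else "0.0.0.0/0"
    lam, nat, db = "Lambda-Security-Group", "NAT-Security-Group", "DB-Security-Group"
    tcp = lambda port, peer: Rule("tcp", port, peer)
    groups = [
        SecurityGroup(nat, [tcp(80, lam), tcp(443, lam), tcp(22, "0.0.0.0/0")],
                      [tcp(80, "0.0.0.0/0"), tcp(443, "0.0.0.0/0")]),
        SecurityGroup(db, [tcp(5432, lam)], []),
        SecurityGroup(lam, [], [tcp(80, www), tcp(443, www), tcp(5432, db)]),
    ]
    hosts = [  # private IPs are constructed for the example
        Host("NAT-Server", "10.0.0.10", "Public-Subnet", nat, True),
        Host("DB-Server", "10.0.1.20", "Private-Subnet-1", db, False),
        Host("Lambda-Function", "10.0.2.30", "Private-Subnet-2", lam, False),
    ]
    route_tables = {
        "Public-Subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "Internet-Gateway")],
        "Private-Subnet-1": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "NAT-Server")],
        "Private-Subnet-2": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "NAT-Server")],
    }
    return Vpc(hosts, groups, route_tables)
```

`question_vpc().reach("Lambda-Function", "93.184.216.34", 443)` returns the hop list Lambda-Function, NAT-Server, Internet-Gateway, destination; the same call on `question_vpc(sg_referenced_egress=True)` stops at "egress blocked by Lambda-Security-Group", and moving the Lambda host into Public-Subnet stops at the IGW because the ENI has no public IP. Any rule, route or host in the model can be swapped for the values of a real VPC to reason about a timeout before touching the console.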

Posts on this site are licensed under CC BY-SA 4.0; credit this site or the original source when reposting. © 2020-2024 STACKOOM.COM