[英]Access to API Gateway from Lambda in VPC - Request times out
ApiGatewayManager
我想使用ApiGatewayManager
响应客户端 Node.js 8
in combination with Typescript
我将Node.js 8
与Typescript
结合使用 I created a regional AWS API Gateway for Websockets and added a Lambda function for $connect
, $disconnect
and one for the action subscribeChannel
. 我创建了一个区域AWS API网关的WebSockets,并增加了一个lambda函数$connect
, $disconnect
以及一个用于操作subscribeChannel
。
I am able to connect and send messages to connected clients. 我能够连接并向连接的客户端发送消息。
I also created a VPC with 3 private subnets, all of them are located in eu-central-1
each one in a different Availability Zone (AZ). 我还创建了一个具有3个专用子网的VPC,所有这些子网均位于eu-central-1
每个子网均位于不同的可用区(AZ)中。
Lambda Functions loose their access to the public internet when you add them to a VPC, therefore one approach is adding another public subnet and adding a NAT Gateway to it. 当您将Lambda函数添加到VPC时,Lambda函数会释放其对公共Internet的访问权限,因此一种方法是添加另一个公共子网并向其中添加NAT网关。
Now I am changing the routing table of the private subnet to delegate 0.0.0.0/0
to the NAT and in the routing table of the public subnet it routes 0.0.0.0/0
to a Internet Gateway. 现在,我正在更改专用子网的路由表,以将0.0.0.0/0
委派给NAT,在公用子网的路由表中,它将0.0.0.0/0
路由到Internet网关。
This seems to work to get access to the public internet, eg I am able to request https://google.com
but the ApiGatewayManagement times out as if cannot resolve the AWS service. 这似乎可以访问公共互联网,例如,我可以请求https://google.com
但ApiGatewayManagement超时,好像无法解析AWS服务。
Then I looked into VPC Endpoints, as they are designed to make public AWS Services available in private subnets, without routing through the internet. 然后,我研究了VPC端点,因为它们旨在使公用AWS服务可在专用子网中使用,而无需通过Internet进行路由。 I am able to set it up and receive the private DNS urls. 我能够进行设置并接收私有DNS网址。 But here I am stuck, I do not know how to use it in my setup/code. 但是在这里我被困住了,我不知道如何在我的设置/代码中使用它。
I am managing the whole project using the serverless framework and Cloud Formation resources. 我正在使用无服务器框架和云形成资源来管理整个项目。
If the action handler for subscribeChannel
is associated with the VPC then the request to XXXXXXXX.execute-api.eu-central-1.amazonaws.com/develop
times out, as it cannot reach the public internet. 如果操作处理程序subscribeChannel
与VPC然后关联请求XXXXXXXX.execute-api.eu-central-1.amazonaws.com/develop
超时,因为它不能达到公共互联网。
Is a NAT Gateway the correct approach or do I need to use a VPC Endpoint for execute-api? NAT网关是正确的方法还是我需要将VPC端点用于execute-api? How do I correctly configure the VPC to use this private DNS? 如何正确配置VPC以使用此私有DNS?
async function channelHandler(event, context) {
return new aws_sdk_1.ApiGatewayManagementApi({
apiVersion: "2018-11-29",
endpoint: event.requestContext.domainName + "/" + event.requestContext.stage,
})
.postToConnection({
ConnectionId: event.requestContext.connectionId,
Data: "Hello, world!",
}).promise()
.then(() => {
return {
statusCode: 200,
body: "Sent message!",
};
})
.catch((error) => {
return {
statusCode: 500,
body: JSON.stringify(error),
};
});
}
I did recreated the full project from my configuration and "magically" started working. 我确实从我的配置中重新创建了整个项目,并且“神奇地”开始工作。 Therefore I can only make an assumption for what was going on: 因此,我只能假设发生了什么:
Every Availability Zone has a private and a public subnet. 每个可用区都有一个专用和公用子网。 According to the AWS Documentation for NAT Gateways it is necessary to create a NAT Gateway in each of them, but I only had one NAT Gateway in Zone A configured. 根据适用于NAT网关的AWS文档,有必要在每个网关中创建一个NAT网关,但是我在A区中仅配置了一个NAT网关。
I changed the configuration of my Lambda functions to be placed in only one AZ (I do not want to have full redundancy until the project is in production) and now the NAT Gateway is in the same one. 我将Lambda函数的配置更改为仅放置在一个可用区中(在项目投入生产之前,我不希望具有完全的冗余),现在NAT网关在同一可用区中。
Simple graph: 简单图:
Client --[AWS]--> Lambda --[Private Subnet]--> NAT --[Public Subnet]--> API Gateway
I am still wondering if it is possible to reach API Gateway using a VPC Endpoint instead of the API Gateway, but for now I will stay with this configuration. 我仍然想知道是否可以使用VPC端点而不是API网关访问API网关,但是现在我将继续使用此配置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.