
AWS: Can I give a Lambda function inside a VPC access to a public Websockets API Gateway?

I have a public API in API Gateway using the Websockets protocol. I'm storing its connection IDs in a datastore inside my VPC, and trying to write a Lambda to read those connection IDs and then send data to each of them - using await apigwManagementApi.postToConnection({ ConnectionId: connectionId, Data: postData }).promise(); . This times out - the Lambda is unable to send messages to the API gateway. So I tried adding a Gateway to execute-api: aws ec2 create-vpc-endpoint --vpc-id vpc-xyz --vpc-endpoint-type Interface --service-name com.amazonaws.eu-west-1.execute-api --subnet-ids subnet-xyz --security-group-ids sg-xyz . Now I get ForbiddenException: Forbidden thrown by my calls to apigwManagementApi.

I've tried looking at the docs for the execute-api Gateway, but the doc for Interfaces https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html points to https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html and leads to creating private APIs - I don't want this, I need my API to be public.

I think I might be able to use a resource policy, usually https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html . But this is a websocket API, so these instructions don't work as they don't have a resource policies option.

I asked about this on the AWS Slack and it's not possible to use resource policies and would add a lot of networking complexity: https://awsdevelopers.slack.com/archives/C6LDW0BC3/p1570618074008500

From an AWS dev in that thread:

hey there - when Lambda is VPC enabled, it's subject to all routing rules of your VPC and Subnet.

To hit any public resource, you will need a NAT GW, routing rules, and SG setting to allow communication.

Resource policies will not work.

I had the same problem - this document explains the reason for it ( https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/ ).

To fix it you need to add an edge-optimized custom domain name, which entails the following:

  • Add a certificate into AWS ACM (you'll need the cert, private key and provider root cert) in the us-east-1 ACM manager (you have to add it to us-east-1 to see it in the edge-optimized cert list).

  • In the API Gateway console go to Custom Domain Names and create a new one.

  • Set your domain name, leave the type as edge-optimized and apply the cert that you just created.

  • Once the domain is set up (it takes around 40 minutes) you can add base path mappings to send traffic to your APIs / stages.
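The answer above fixes the routing; the Lambda code itself also has to make its management-API endpoint explicit and to handle the two error classes that come up in this thread (the 403 Forbidden from the question and the 410 Gone that stale connection IDs produce). The following is an added example, not code from the question, the answer or AWS: it assumes the AWS SDK for JavaScript v2 (the .promise() style used in the question), reads the endpoint from a hypothetical WS_MANAGEMENT_ENDPOINT environment variable (a custom domain plus stage, or the regional execute-api URL), and ships with a constructed fake client so it runs offline.

```javascript
// Added example (not code from the original post): a Lambda broadcaster for
// a WebSocket API, written against the AWS SDK for JavaScript v2 (aws-sdk),
// the API style used in the question (`.promise()`).
// WS_MANAGEMENT_ENDPOINT and the connection IDs below are placeholders.

// Build an ApiGatewayManagementApi client bound to an explicit endpoint.
// The SDK is required lazily so the rest of this file runs without it
// installed (the offline demo below injects a fake client instead).
function makeClient(endpoint) {
  if (!endpoint) throw new Error('WS_MANAGEMENT_ENDPOINT is not set');
  const AWS = require('aws-sdk');
  return new AWS.ApiGatewayManagementApi({ endpoint });
}

// Post `data` to every connection ID and classify the outcome per ID:
//   delivered - 2xx from the management API
//   stale     - 410 Gone: the client disconnected; delete the ID from the datastore
//   forbidden - 403 Forbidden: the call reached an endpoint that refuses it
//               (the symptom described in the question); not worth retrying
//   failed    - anything else (timeouts, throttling), with the error message
async function broadcast(client, connectionIds, data) {
  const result = { delivered: [], stale: [], forbidden: [], failed: [] };
  const payload = typeof data === 'string' ? data : JSON.stringify(data);
  await Promise.all(connectionIds.map(async (connectionId) => {
    try {
      await client.postToConnection({ ConnectionId: connectionId, Data: payload }).promise();
      result.delivered.push(connectionId);
    } catch (err) {
      if (err.statusCode === 410) result.stale.push(connectionId);
      else if (err.statusCode === 403) result.forbidden.push(connectionId);
      else result.failed.push({ connectionId, error: err.message });
    }
  }));
  return result;
}

// Lambda entry point. The endpoint comes from an environment variable so the
// same code can point at the execute-api URL or at a custom domain + stage.
async function handler(event) {
  const client = makeClient(process.env.WS_MANAGEMENT_ENDPOINT);
  return broadcast(client, event.connectionIds || [], event.message);
}

// Constructed fake client for running this file offline: it mimics the v2
// SDK's request object and error shape (`statusCode` on the thrown error).
const fakeClient = {
  postToConnection({ ConnectionId }) {
    return {
      promise: async () => {
        const fail = (statusCode, message) => {
          const e = new Error(message);
          e.statusCode = statusCode;
          throw e;
        };
        if (ConnectionId === 'conn-gone') fail(410, 'GoneException');
        if (ConnectionId === 'conn-forbidden') fail(403, 'ForbiddenException: Forbidden');
        if (ConnectionId === 'conn-timeout') throw new Error('socket hang up');
      },
    };
  },
};

if (typeof module !== 'undefined') {
  module.exports = { makeClient, broadcast, handler, fakeClient };
}

// Offline demo: `node broadcast.js` prints one ID in each bucket.
if (typeof require !== 'undefined' && require.main === module) {
  broadcast(fakeClient, ['conn-ok', 'conn-gone', 'conn-forbidden', 'conn-timeout'], { hello: 'world' })
    .then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Deleting the IDs returned in stale keeps the datastore from accumulating dead connections, and a non-empty forbidden bucket is a configuration signal (the wrong endpoint, as in the question) that is surfaced rather than retried.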
