
Connection timed out error in Lambda Function

I am trying to SSH all the ec2 instances in AWS account through lambda function.

    c.connect( hostname = each_in.private_ip_address, username = 'pcs_user', pkey = k )

But I'm getting an error like this. I have used AWSLambdaVPCAccessExecutionRole for the IAM role.

Response:
{
  "errorMessage": "[Errno 110] Connection timed out",
  "errorType": "TimeoutError",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 30, in lambda_handler\n    c.connect( hostname = each_in.private_ip_address, username = 'pcs_us', pkey = k )\n",
    "  File \"/opt/python/paramiko/client.py\", line 349, in connect\n    retry_on_signal(lambda: sock.connect(addr))\n",
    "  File \"/opt/python/paramiko/util.py\", line 283, in retry_on_signal\n    return function()\n",
    "  File \"/opt/python/paramiko/client.py\", line 349, in <lambda>\n    retry_on_signal(lambda: sock.connect(addr))\n"
  ]
}

This looks like the Lambda is unable to connect to your EC2 instances due to a security group rule blocking access.

If you are trying to connect to EC2 instances in your account you should add your Lambda to your VPC by attaching it via VPC configuration; it should be added into private subnets.

Once your Lambdas are added to your VPC, whitelist in the security group of the instances the IP range(s) of the subnet(s) in which your Lambda resides.

By doing this you are stopping any access from traversing the public internet. Ensure your Lambda connects to any VPCs via their private IP address. For any instances outside your VPC you will need to use peering, either via a Transit Gateway or a peering connection.

If you cannot have your Lambda in a VPC then you will need to maintain a whitelist in the security group of each instance to whitelist the Lambda public range from the ip-ranges.json file. This must be the range of the Lambda service in the region it has been deployed to.
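The check a practitioner would want before redeploying is whether the instance's security groups actually admit TCP/22 from the subnets the Lambda is attached to. The following is an added example, not code from the question or the answer: it evaluates security-group ingress entries (shaped like the EC2 DescribeSecurityGroups response) against the Lambda's subnet CIDRs (shaped like DescribeSubnets) entirely offline, and builds the IpPermissions entries that would close any gap. The subnet IDs, group IDs and CIDRs are constructed sample data, and `lambda_sg_id` is an optional assumption for the common alternative of referencing the Lambda's own security group instead of a CIDR. It does not cover network ACLs or route tables, which can also produce the same `[Errno 110] Connection timed out`.

```python
import ipaddress

# Constructed sample data, shaped like the EC2 DescribeSubnets and
# DescribeSecurityGroups API responses. IDs and CIDRs are made up.
LAMBDA_SUBNETS = [
    {"SubnetId": "subnet-aaaa0001", "CidrBlock": "10.0.10.0/24"},
    {"SubnetId": "subnet-aaaa0002", "CidrBlock": "10.0.11.0/24"},
]

INSTANCE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            # SSH allowed only from the first Lambda subnet
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.10.0/24"}],
             "UserIdGroupPairs": []},
            # HTTPS from anywhere: irrelevant to port 22
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    }
]


def _covers_port(perm, port):
    """True if an IpPermissions entry applies to TCP `port`.
    IpProtocol "-1" means all protocols and carries no port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _allows_cidr(perm, cidr):
    """True if every address in `cidr` lies inside one of the entry's IpRanges."""
    want = ipaddress.ip_network(cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in perm.get("IpRanges", []))


def _allows_group(perm, sg_id):
    """True if the entry references the caller's security group directly."""
    return any(g.get("GroupId") == sg_id for g in perm.get("UserIdGroupPairs", []))


def check_ssh_reachability(lambda_subnets, instance_sgs, lambda_sg_id=None, port=22):
    """Map each Lambda subnet ID to whether the instance's groups admit TCP `port`
    from that subnet, either by CIDR or by a reference to the Lambda's own SG
    (lambda_sg_id is an assumed optional input, not something the page shows)."""
    perms = [p for sg in instance_sgs for p in sg.get("IpPermissions", [])]
    port_perms = [p for p in perms if _covers_port(p, port)]
    result = {}
    for sn in lambda_subnets:
        by_cidr = any(_allows_cidr(p, sn["CidrBlock"]) for p in port_perms)
        by_group = lambda_sg_id is not None and any(
            _allows_group(p, lambda_sg_id) for p in port_perms)
        result[sn["SubnetId"]] = by_cidr or by_group
    return result


def missing_ingress_rules(lambda_subnets, instance_sgs, lambda_sg_id=None, port=22):
    """Build the IpPermissions entries that would close the gaps found above.
    The returned list has the shape boto3's
    ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...) expects."""
    reach = check_ssh_reachability(lambda_subnets, instance_sgs, lambda_sg_id, port)
    return [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": sn["CidrBlock"],
                       "Description": f"Lambda subnet {sn['SubnetId']}"}]}
        for sn in lambda_subnets if not reach[sn["SubnetId"]]
    ]


if __name__ == "__main__":
    for subnet_id, ok in check_ssh_reachability(LAMBDA_SUBNETS, INSTANCE_SECURITY_GROUPS).items():
        print(f"{subnet_id}: {'reachable' if ok else 'BLOCKED (expect Errno 110 from this subnet)'}")
    for rule in missing_ingress_rules(LAMBDA_SUBNETS, INSTANCE_SECURITY_GROUPS):
        print("add:", rule)
```

With the sample data, the second subnet is reported as blocked and one TCP/22 rule for 10.0.11.0/24 is generated. A Lambda in a VPC gets a network interface in each configured subnet, so every subnet in the VpcConfig has to be admitted, not just the one the first invocation happened to land in; referencing the Lambda's security group avoids that bookkeeping and is the usual choice when the Lambda and the instances share a VPC.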
