How can I get an AWS Lambda inside a VPC to connect to a CloudFormation stack?
I'm developing an AWS Lambda that would launch an EC2 instance through a CloudFormation stack. I've deployed it inside a VPC, and thus had created endpoints to give it access to resources such as S3/DynamoDB. However, I cannot find any endpoint for CloudFormation, and as a result my function gets stuck at:
Starting new HTTPS connection (1): cloudformation.ap-south-1.amazonaws.com:443
Here is the snippet of code I'm using to connect to CloudFormation:
import boto3

# session is a boto3.Session(); the call below is made from inside a class method
session = boto3.Session()
self.cfn = session.resource('cloudformation')
stackdata = self.cfn.create_stack(
    StackName="STACK-{}".format(instance_name),
    DisableRollback=True,
    TemplateURL=constants.TEMPLATE_TYPE[instance_type],
    Parameters=params,
    Capabilities=['CAPABILITY_IAM', 'CAPABILITY_AUTO_EXPAND', 'CAPABILITY_NAMED_IAM']
)
Please note that my code works just fine in a non-VPC setup (if I deploy my Lambda outside of a VPC).
Could anyone help me figure out what I'm missing here?
A Lambda function that is deployed into a VPC doesn't have access to the internet. That means it's not able to reach any of the AWS service endpoints unless you do one of two things:
You add a NAT gateway to the public subnet. After that, you need to edit the route tables of the private subnets to point to the NAT gateway. When you add a Lambda function to the VPC, you choose in which subnets it can be deployed. It's necessary to associate all of those subnets with the NAT gateway, so you're sure that the Lambda function will always have access to the NAT gateway.
If your Lambda function really needs to be in a VPC (it needs access to some other resources inside the VPC), this is OK, but if it's not really necessary, I'd suggest you just move it outside of the VPC (a NAT gateway is $35/month + traffic).
You can see the details here as well: AWS Knowledgebase
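The answer above boils down to a routing check that is easy to get wrong in one subnet and then only shows up as a hang like the one in the question. The following Python is an added example, not code from the question or the answer: it walks the subnets a VPC-attached Lambda is configured with and verifies that each one has an active 0.0.0.0/0 route to a NAT gateway that is itself in a subnet with an internet-gateway route. It runs offline on constructed data shaped like the EC2 DescribeRouteTables and DescribeNatGateways responses; the VPC, subnet, route table and gateway IDs are made up. It also flags the two common mistakes: a subnet that falls back to the VPC main route table (no default route), and a Lambda placed in a public subnet, where the IGW route does not help because Lambda ENIs never get a public IP. As a practitioner check beyond this page: AWS has since added an interface VPC endpoint for CloudFormation (com.amazonaws.<region>.cloudformation); if your region offers it, that avoids the NAT gateway for this call entirely.

```python
"""Pre-deployment check: does every subnet a VPC-attached Lambda uses have
egress to the internet via a NAT gateway?  Example code, not AWS's or the
original poster's.  Input dicts mirror boto3's EC2 describe_route_tables()
and describe_nat_gateways() responses; all IDs below are constructed."""

DEFAULT_ROUTE = "0.0.0.0/0"   # IPv4 only; an IPv6-only (::/0) setup is not covered here

# Constructed sample data (not real AWS output).
ROUTE_TABLES = [
    {   # VPC main table: only the local route, so implicitly associated subnets have no egress
        "RouteTableId": "rtb-main", "VpcId": "vpc-example",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to the internet gateway
        "RouteTableId": "rtb-public", "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-example", "State": "active"}],
    },
    {   # private subnet A: default route through the NAT gateway
        "RouteTableId": "rtb-private-a", "VpcId": "vpc-example",
        "Associations": [{"Main": False, "SubnetId": "subnet-private-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-example", "State": "active"}],
    },
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public-a", "State": "available"}]

# What Lambda's VpcConfig.SubnetIds might list: one good private subnet, one private
# subnet that was never associated with a route table, and one public subnet.
LAMBDA_SUBNETS = ["subnet-private-a", "subnet-private-b", "subnet-public-a"]


def route_table_for_subnet(subnet_id, route_tables):
    """Explicit association wins; otherwise the subnet uses the VPC main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None (blackhole routes are ignored)."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == DEFAULT_ROUTE and r.get("State", "active") == "active":
            return r
    return None


def check_subnet_egress(subnet_id, route_tables, nat_gateways):
    """Return (ok, reason) for one subnet the Lambda may be placed in."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return False, "no route table found for subnet"
    route = default_route(rt)
    if route is None:
        return False, f"{rt['RouteTableId']} has no active {DEFAULT_ROUTE} route"
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return False, (f"{rt['RouteTableId']} sends {DEFAULT_ROUTE} to {route['GatewayId']}: "
                       "public subnet; Lambda ENIs have no public IP, so an IGW route gives no egress")
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        return False, f"{rt['RouteTableId']} default route does not target a NAT gateway: {route}"
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
    if nat is None or nat.get("State") != "available":
        return False, f"{nat_id} is missing or not in state 'available'"
    nat_rt = route_table_for_subnet(nat["SubnetId"], route_tables)
    nat_route = default_route(nat_rt) if nat_rt else None
    if nat_route is None or not str(nat_route.get("GatewayId", "")).startswith("igw-"):
        return False, f"{nat_id} sits in {nat['SubnetId']}, which has no IGW default route"
    return True, f"{DEFAULT_ROUTE} -> {nat_id} in {nat['SubnetId']} -> {nat_route['GatewayId']}"


def check_lambda_egress(subnet_ids, route_tables, nat_gateways):
    """Map every Lambda subnet to its (ok, reason); all must be ok, since Lambda picks any of them."""
    return {s: check_subnet_egress(s, route_tables, nat_gateways) for s in subnet_ids}


if __name__ == "__main__":
    for subnet, (ok, reason) in check_lambda_egress(LAMBDA_SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {subnet}: {reason}")
```

Against a real account, feed it `ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["RouteTables"]`, `ec2.describe_nat_gateways(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["NatGateways"]` and `lambda_client.get_function_configuration(FunctionName=name)["VpcConfig"]["SubnetIds"]`. Every subnet must pass, because Lambda may place an ENI in any of them. Independently of routing, give the CloudFormation client a `botocore.config.Config(connect_timeout=5, retries={"max_attempts": 1})` so a missing route surfaces as a quick connection error instead of the function silently running until its timeout.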
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to republish, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.