I am running a lambda function that I would like to access both a private database server and the internet. I can reach the database just fine, but I am not able to reach the internet.
The setup:
VPC (10.0.0.0/16)
  Public-Subnet (10.0.0.0/24)
    NAT-Security-Group (see security groups below)
      NAT-Server (AMI NAT instance)
  Private-Subnet-1 (10.0.1.0/24) & Private-Subnet-2 (10.0.2.0/24)
    DB-Security-Group (see security groups below)
      DB-Server (RDS PostgreSQL instance)
    Lambda-Security-Group (see security groups below)
      Lambda-Function
The security groups are:
NAT-Security-Group
  Inbound:
    HTTP & HTTPS from source: Lambda-Security-Group
    SSH from 0.0.0.0/0
  Outbound:
    All traffic
DB-Security-Group
  Inbound:
    PostgreSQL from source: Lambda-Security-Group
  Outbound:
    All traffic
Lambda-Security-Group
  Inbound:
    HTTP & HTTPS from source: NAT-Security-Group
  Outbound:
    All traffic
The routing tables for the subnets are:
Public-Subnet:
  10.0.0.0/16 local
  0.0.0.0/0 Internet-Gateway
Private-Subnet-1 & Private-Subnet-2:
  10.0.0.0/16 local
  0.0.0.0/0 NAT-Server
I'm at a loss here. Why can't the lambda function reach the internet (connection timeout errors)?
You need to create a NAT Gateway in a public subnet and route the egress traffic from the subnet where the Lambda is placed through the NAT Gateway.
To do this, set up the NAT Gateway as the default gateway in the routing table attached to the subnet the Lambda is placed in.
For more details, refer to Internet Access for Lambda Functions in the documentation.
Since you just need to communicate with the DB from the Lambda, place the Lambda into the public subnet and you don't need to have a NAT gateway installed. Anyway, there won't be direct access to the Lambda as there is with an ELB; it has to be attached to an API Gateway in case of any access through an API endpoint.
This should solve the problem of accessing the internet from the Lambda. But it is only really useful if you are going with the DB installed in EC2, for future patch management or any other kind of access from a bastion host. If going with RDS, there is no point putting the Lambda in a private subnet.
The issue was with the inbound/outbound rules for the security groups. With the configuration above, I updated the security groups to match:
NAT-Security-Group
  Inbound:
    HTTP & HTTPS from source: Lambda-Security-Group
    SSH from source: 0.0.0.0/0
  Outbound:
    HTTP & HTTPS to destination: 0.0.0.0/0
DB-Security-Group
  Inbound:
    PostgreSQL from source: Lambda-Security-Group
  Outbound:
    None
Lambda-Security-Group
  Inbound:
    None
  Outbound:
    HTTP & HTTPS to destination: NAT-Security-Group
    PostgreSQL to source: DB-Security-Group
The Lambda function now has internet connectivity.
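The route-table and security-group checks that this thread turns on, as an added example that is not part of the question or of any answer. It models the final rule set from the self-answer above (HTTP & HTTPS as tcp 80/443, PostgreSQL as tcp 5432, "None" as an empty rule list) and the route tables from the question, then checks the two things a Lambda in a private subnet needs for internet egress (a default route to a NAT, and security-group rules allowing Lambda -> NAT and NAT -> internet) and flags rules broader than that path needs. The mapping of each security group to the subnet CIDRs its members live in, the "NAT-Gateway" target name, and the function names are assumptions made for the example.

```python
# Added example: offline model of the security groups and route tables in
# this thread. Names and CIDRs come from the question; SG_MEMBER_CIDRS and
# NAT_TARGETS are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp", "udp", "icmp" or "all"
    ports: tuple   # (from_port, to_port); ignored when proto == "all"
    peer: str      # CIDR such as "0.0.0.0/0", or a security-group name


def rule(proto, port, peer):
    return Rule(proto, (port, port), peer)


# Final rule set from the self-answer; "None" is an empty list here.
FINAL_SGS = {
    "NAT-Security-Group": {
        "in":  [rule("tcp", 80, "Lambda-Security-Group"),
                rule("tcp", 443, "Lambda-Security-Group"),
                rule("tcp", 22, "0.0.0.0/0")],
        "out": [rule("tcp", 80, "0.0.0.0/0"), rule("tcp", 443, "0.0.0.0/0")],
    },
    "DB-Security-Group": {
        "in":  [rule("tcp", 5432, "Lambda-Security-Group")],
        "out": [],
    },
    "Lambda-Security-Group": {
        "in":  [],
        "out": [rule("tcp", 80, "NAT-Security-Group"),
                rule("tcp", 443, "NAT-Security-Group"),
                rule("tcp", 5432, "DB-Security-Group")],
    },
}

# Assumed: subnet CIDRs the members of each group live in, so that a
# CIDR-based rule can be evaluated against a group-named peer.
SG_MEMBER_CIDRS = {
    "NAT-Security-Group":    ["10.0.0.0/24"],
    "DB-Security-Group":     ["10.0.1.0/24", "10.0.2.0/24"],
    "Lambda-Security-Group": ["10.0.1.0/24", "10.0.2.0/24"],
}

# Route tables from the question: (destination CIDR, target).
ROUTES = {
    "Public-Subnet":    [("10.0.0.0/16", "local"), ("0.0.0.0/0", "Internet-Gateway")],
    "Private-Subnet-1": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "NAT-Server")],
    "Private-Subnet-2": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "NAT-Server")],
}
NAT_TARGETS = {"NAT-Server", "NAT-Gateway"}   # assumed names: NAT instance or managed NAT


def _peer_matches(rule_peer, peer):
    """Does a rule's peer field cover `peer` (a CIDR or a group name)?"""
    if "/" not in rule_peer:                  # rule names a group: exact match only
        return rule_peer == peer
    allowed = ip_network(rule_peer)
    cidrs = [peer] if "/" in peer else SG_MEMBER_CIDRS.get(peer, [])
    return bool(cidrs) and all(ip_network(c).subnet_of(allowed) for c in cidrs)


def _rule_matches(r, proto, port, peer):
    if r.proto != "all" and (r.proto != proto or not r.ports[0] <= port <= r.ports[1]):
        return False
    return _peer_matches(r.peer, peer)


def flow_allowed(sgs, src, dst, proto, port):
    """True if the source's outbound rules and the destination's inbound rules
    both permit src -> dst. A CIDR side (the internet) has no rules of its own.
    Security groups are stateful, so the reply direction needs no rule."""
    out_ok = src not in sgs or any(_rule_matches(r, proto, port, dst) for r in sgs[src]["out"])
    in_ok = dst not in sgs or any(_rule_matches(r, proto, port, src) for r in sgs[dst]["in"])
    return out_ok and in_ok


def default_route_target(routes):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    return next((target for cidr, target in routes if cidr == "0.0.0.0/0"), None)


def lambda_egress_ok(sgs, lambda_subnet):
    """Default route to a NAT, plus Lambda -> NAT and NAT -> internet on 80/443."""
    target = default_route_target(ROUTES[lambda_subnet])
    return (target in NAT_TARGETS
            and all(flow_allowed(sgs, "Lambda-Security-Group", "NAT-Security-Group", "tcp", p)
                    for p in (80, 443))
            and all(flow_allowed(sgs, "NAT-Security-Group", "0.0.0.0/0", "tcp", p)
                    for p in (80, 443)))


def overly_broad_rules(sgs):
    """Least-privilege review: inbound rules open to the whole internet, and
    'all traffic' rules in either direction. Returns (group, direction, rule)."""
    return [(name, direction, r)
            for name, dirs in sgs.items()
            for direction, rules in dirs.items()
            for r in rules
            if r.proto == "all" or (direction == "in" and r.peer == "0.0.0.0/0")]


if __name__ == "__main__":
    print("egress ok:", lambda_egress_ok(FINAL_SGS, "Private-Subnet-1"))
    for finding in overly_broad_rules(FINAL_SGS):
        print("review:", finding)
```

Run as a script, it reports that the final configuration gives the Lambda an egress path and that the one rule left for review is SSH into the NAT security group from 0.0.0.0/0, which the egress path does not need. The model deliberately ignores network ACLs; if a subnet has a custom NACL, that is a separate, stateless layer to check.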