AWS lambda function can't reach the internet

Question

I am running a lambda function that I would like to access both a private database server and the internet. I can reach the database just fine, but I am not able to reach the internet.

The setup:

VPC (10.0.0.0/16)
   Public-Subnet (10.0.0.0/24)
      NAT-Security-Group (see security groups below)
         NAT-Server (AMI NAT instance)

   Private-Subnet-1 (10.0.1.0/24) & Private-Subnet-2 (10.0.2.0/24)
      DB-Security-Group (see security groups below)
         DB-Server (RDS PostgreSQL instance)

      Lambda-Security-Group (see security groups below)
         Lambda-Function

The security groups are:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from 0.0.0.0/0
   Outbound:
      All traffic

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      All traffic

Lambda-Security-Group
   Inbound:
      HTTP & HTTPS from source: NAT-Security-Group
   Outbound:
      All traffic

The routing tables for the subnets are:

Public-Subnet:
   10.0.0.0/16 local
   0.0.0.0/0 Internet-Gateway

Private-Subnet-1 & Private-Subnet-2
   10.0.0.0/16 local
   0.0.0.0/0 NAT-Server

I'm at a loss here. Why can't the lambda function reach the internet (connection timeout errors)?

Answer 1

You need to create a NAT Gateway in a public subnet and route the egress traffic from the subnet where the Lambda is placed thorough the NAT Gateway.

To do this setup NAT Gateway as the Default Gateway in the routing table which is attached to the subnet that is Lambda placed on.

For more details refer Internet Access for Lambda Functions in documentation.

Answer 2

lambda in public subnet

Since you just need to communicate DB from lambda, place the lambda into public subnet and you don't need to have NAT gateway installed. Anyway there wont be a direct access to the lambda as ELB does and has to be attached to API gateway in case of any access through API endpoint.

lambda in private subnet

• Add NAT route out into the route table associated with private subnet for all address 0.0.0.0/0
• Add route out to IGW for all 0.0.0.0/0 into the route table associated with public subnet.
• Place NAT in public subnet

This should solve the problem of accessing internet from lambda. But is only much useful in case you are going with the DB installed in EC2 for future patch mgmt or any kind of other access from bastion host. If going with RDS there is no point putting lambda in private subnet.

Answer 3

The issue was with the inbound/outbound rules for the security groups. With the configuration above, I updated the security groups to match:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from source: 0.0.0.0/0
   Outbound:
      HTTP & HTTPS to destination: 0.0.0.0/0

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      None

Lambda-Security-Group
   Inbound:
      None
   Outbound:
      HTTP & HTTP to destination: NAT-Security-Group
      PostgreSQL to source: DB-Security-Group

The Lambda function now has internet connectivity.