
How do you assign a VPC and security group to a Lambda in AWS CDK?

I have an AWS CDK stack with a lambda function that needs to insert into an RDS database. When the stack is deployed, the lambda function cannot access the database and gives an error: getaddrinfo ENOTFOUND [RDS endpoint as defined by me]. After manually adding the VPC, subnets and Security group that the RDS database is in, the lambda function works correctly.

How do you define the VPC, Subnets and Security group in AWS CDK, preferably in TypeScript? In as far as there is documentation, I tried:

import * as ec2 from "@aws-cdk/aws-ec2";
import * as lambda from "@aws-cdk/aws-lambda";

// Reference the existing VPC by name (a lookup, nothing is created).
const vpc = ec2.Vpc.fromLookup(this, "VPC", { vpcName: "myVPC" });

// Reference the security group the RDS instance uses.
const securityGroup = ec2.SecurityGroup.fromSecurityGroupId(
  this,
  "SG",
  "sg-XXXXX"
);

// Reference a single existing subnet (subnetId expects a subnet id such as
// "subnet-XXXXX", not an availability zone name).
const subnet1a = ec2.PrivateSubnet.fromSubnetAttributes(this, "SUBNET1A", {
  subnetId: "eu-central-1a"
});

const myLambda = new lambda.Function(this, "myLambda", {
  runtime: lambda.Runtime.NODEJS_12_X,
  code: lambda.Code.fromAsset("lambda"),
  handler: "myLambda.handler",
  description: "myLambda",
  environment: {
    DB_HOST: "XXXX",
    DB_USER: "XXXX",
    DB_PASSWORD: "XXXX",
    DB_NAME: "XXXX"
  },
  vpc: vpc,
  // vpcSubnets is a SubnetSelection object, not a plain array of subnets
  vpcSubnets: { subnets: [subnet1a] },
  securityGroups: [securityGroup]
});

When running cdk deploy, this gives an AWS CDK error: "Not possible to place Lambda Functions in a Public subnet. Subprocess exited with error 1"

Any help is welcome.

Here is a simple example, hope it helps:

import * as core from '@aws-cdk/core';
import { Duration } from '@aws-cdk/core';
import { Vpc } from '@aws-cdk/aws-ec2';
import * as lambda from '@aws-cdk/aws-lambda';

// lambdaExecutionRole (an iam.IRole) and lambdaSecurityGroup (an ec2.ISecurityGroup)
// are assumed to be defined earlier in the stack.

// get VPC info from the AWS account; FYI we are not rebuilding, we are referencing
const DefaultVpc = Vpc.fromVpcAttributes(this, 'vpcdev', {
    vpcId: 'vpc-d0e0000b0',
    availabilityZones: core.Fn.getAzs(),
    // subnet ids are given as lists, one entry per availability zone
    privateSubnetIds: ['subnet-00a0de00'],
    publicSubnetIds: ['subnet-00a0de00']
});

const YourService = new lambda.Function(this, 'LambdaName', {
    code: lambda.Code.fromAsset("lambda"),
    handler: 'handlers.your_handler',
    role: lambdaExecutionRole,
    securityGroups: [lambdaSecurityGroup],
    vpc: DefaultVpc,
    runtime: lambda.Runtime.PYTHON_3_7,
    timeout: Duration.minutes(2),
});

If you want to deploy a Lambda function into a VPC then you should deploy it into a private subnet (one that has subnetType: SubnetType.PRIVATE) or an isolated subnet (one that has subnetType: SubnetType.ISOLATED).

Which you choose depends on whether or not the Lambda function needs outbound internet access. If it does, then use PRIVATE, otherwise use ISOLATED.

To reach an RDS instance in the same VPC, the Lambda function should be placed in a Security Group that has inbound access on the relevant port number to the RDS instance's security group.

Example of VPC here and Lambda here.

Your code to configure a Lambda with a VPC is fine. Your 'subnet1a' is a public subnet, and it is recommended not to define any backend service in public subnets.

AWS documentation for Lambda and VPC configuration

Another link for reference

Choose private or isolated subnets for lambda.
