
AWS VPC Lambda Networking Issue

So I have a very confusing issue that I don't know how to solve. My setup is API Gateway -> Lambda -> IoT Core. I set up the code and it works fine from my IDE. I deploy it to AWS, and my connection to AWS times out.

The Lambda is in a single subnet and the subnet does have a default route to an IGW. I did a test, and the Lambda function can resolve the IP of my IoT endpoint to a public IP (54.xxx). But the connect() method times out. My security group for the Lambda function is set up to allow all incoming / outgoing.

What am I missing? Why can't I get to IoT Core from inside a VPC with an IGW configured that seems to be working? Any direction would be greatly appreciated.

UPDATE

After playing around with many different things, I can't identify what exactly I had messed up with my configuration. But following the accepted answer I ended up with the following setup which appears to work for what I need.

  • subnet-1 10.14.10.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-2 10.14.20.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-3 10.14.30.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-4 10.14.40.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-5 10.14.200.0/24 (auto-assign-public=true)
    • local route ( 10.14.0.0/16 ) and default route=igw
  • nat-gateway
    • in subnet-5

I don't know if this is what I intended, but this is what I was looking for: a series of subnets that are not publicly accessible but have an internet connection for access to other AWS services. So my Lambda resources, ECS, etc. can sit privately and access what they need.

Thank you everyone for the information.

You should not deploy the Lambda function to a public subnet (that's the subnet with the default route to the IGW). It won't work the way you want it to work. The Lambda function doesn't have, and cannot have, a public IP so cannot route to the internet via the IGW.

If the Lambda needs to be in the VPC, then move it to a private subnet and make sure that the private subnet has a default route to a NAT (or NAT gateway) in a public subnet. Or deploy the Lambda function outside of the VPC completely, if that's viable.

More information at:
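The rule in the accepted answer and the layout in the question's UPDATE can be checked mechanically: walk each subnet's 0.0.0.0/0 route, and for a NAT target confirm the NAT gateway itself sits in a subnet whose default route is an IGW. The following is an added example, not code from the original question or answers; the subnet names, CIDRs and the `igw-`/`nat-` IDs are constructed to mirror the original single-subnet setup and the five-subnet layout from the UPDATE, and the route tables are modelled as plain dicts rather than pulled from the EC2 API.

```python
# Added example (not from the original question or answers): an offline audit
# answering "can a Lambda ENI placed in this subnet reach the internet?".
# Subnet names, CIDRs and gateway IDs are constructed to match the page.
from dataclasses import dataclass


@dataclass
class Subnet:
    name: str
    cidr: str
    routes: dict                    # destination CIDR -> target (local, igw-..., nat-...)
    auto_assign_public_ip: bool = False


@dataclass
class Vpc:
    subnets: dict                   # subnet name -> Subnet
    nat_gateways: dict              # NAT gateway ID -> name of the subnet it lives in


def subnet_kind(subnet):
    """Classify a subnet by the target of its 0.0.0.0/0 route."""
    target = subnet.routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def lambda_internet_egress(vpc, subnet_name):
    """Return (reachable, reason) for a Lambda whose ENI is in subnet_name.

    Lambda-managed ENIs never receive a public IPv4 address, so an IGW default
    route does nothing for them whatever the subnet's auto-assign flag says.
    Their only way out is a NAT gateway that itself sits in a public subnet.
    (Whether that NAT gateway has an Elastic IP is not modelled here.)
    """
    subnet = vpc.subnets[subnet_name]
    kind = subnet_kind(subnet)
    if kind == "public":
        return False, (f"{subnet_name} routes 0.0.0.0/0 to an IGW, but a Lambda ENI has "
                       "no public IP, so the IGW drops its traffic (the original setup)")
    if kind == "isolated":
        return False, f"{subnet_name} has no default route at all"
    if kind != "private":
        return False, f"{subnet_name} has an unexpected default target {subnet.routes['0.0.0.0/0']}"
    nat_id = subnet.routes["0.0.0.0/0"]
    nat_subnet_name = vpc.nat_gateways.get(nat_id)
    if nat_subnet_name is None:
        return False, f"{subnet_name} routes to {nat_id}, which is not in this VPC"
    if subnet_kind(vpc.subnets[nat_subnet_name]) != "public":
        return False, (f"{nat_id} sits in {nat_subnet_name}, which has no IGW default route, "
                       "so the NAT gateway cannot get out either")
    return True, f"{subnet_name} -> {nat_id} (in public subnet {nat_subnet_name}) -> IGW"


def audit(vpc):
    """Evaluate every subnet in the VPC as a candidate Lambda placement."""
    return {name: lambda_internet_egress(vpc, name) for name in vpc.subnets}


LOCAL = {"10.14.0.0/16": "local"}
IGW, NAT = "igw-0000000000000000a", "nat-0000000000000000b"   # constructed IDs

# The original setup: one subnet whose default route points at the IGW.
BROKEN = Vpc(
    subnets={"subnet-1": Subnet("subnet-1", "10.14.10.0/24", {**LOCAL, "0.0.0.0/0": IGW}, True)},
    nat_gateways={},
)

# The layout from the UPDATE: four private subnets behind a NAT gateway in subnet-5.
FIXED = Vpc(
    subnets={
        **{f"subnet-{i}": Subnet(f"subnet-{i}", f"10.14.{i}0.0/24", {**LOCAL, "0.0.0.0/0": NAT})
           for i in range(1, 5)},
        "subnet-5": Subnet("subnet-5", "10.14.200.0/24", {**LOCAL, "0.0.0.0/0": IGW}, True),
    },
    nat_gateways={NAT: "subnet-5"},
)

if __name__ == "__main__":
    for label, vpc in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label} ==")
        for name, (ok, why) in audit(vpc).items():
            print(f"{'OK ' if ok else 'NO '} {why}")
```

Note that the audit also flags subnet-5 in the fixed layout: it is the right place for the NAT gateway, not for the Lambda. The same walk catches the other common mistake, a NAT gateway created in a private subnet, which the accepted answer's "in a public subnet" wording is guarding against.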

When you say "I did a test, and the Lambda function can resolve the IP of my IoT endpoint to a public IP (54.xxx)", do you mean DNS resolution, or have you checked this with actual network traffic?

In either case, you can turn on VPC Flow Logs for your VPC and try again. The flow log will identify whether SGs or NACLs are blocking your traffic.

Remember also that Lambdas cannot exist in a public subnet; they have to reside in private subnets and use a NAT GW in a public subnet to connect to the internet.
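Flow logs are recorded at the ENI, after the security group and NACL have made their decision, which is why they can tell SG/NACL drops apart from the routing problem in the question. The expected signature of the original setup (IGW route, no public IP) is outbound `ACCEPT` records toward the endpoint and nothing ever coming back, whereas an SG or NACL block shows up as `REJECT`. The following is an added example, not code from the original answers: it parses default-format (version 2) flow log records and classifies what happened to a Lambda ENI's connections. The interface ID, addresses, account ID and timestamps are constructed, and 8883 is assumed to be the IoT Core MQTT-over-TLS port the `connect()` call targets.

```python
# Added example (not from the original answers): classify a Lambda ENI's
# connection attempts from default-format VPC Flow Log records.
# ENI IDs, IPs, account ID and timestamps below are constructed sample data.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse default-format records; drop the header and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":        # NODATA/SKIPDATA rows carry '-' fields
            records.append(rec)
    return records


def diagnose(records, eni, dst_ip, dst_port=8883):
    """Summarise TCP flows between one ENI and dst_ip:dst_port (8883 assumed for MQTT/TLS)."""
    out_accept = out_reject = in_accept = in_reject = 0
    port = str(dst_port)
    for r in records:
        if r["interface_id"] != eni or r["protocol"] != "6":      # 6 = TCP
            continue
        if r["dstaddr"] == dst_ip and r["dstport"] == port:        # ENI -> endpoint
            if r["action"] == "ACCEPT":
                out_accept += 1
            else:
                out_reject += 1
        elif r["srcaddr"] == dst_ip and r["srcport"] == port:      # endpoint -> ENI (reply)
            if r["action"] == "ACCEPT":
                in_accept += 1
            else:
                in_reject += 1
    if out_reject:
        return "rejected-outbound"   # SG outbound rule or NACL egress rule
    if in_reject:
        return "reply-rejected"      # NACL inbound rule (SGs are stateful, replies pass)
    if out_accept and not in_accept:
        return "no-reply"            # left the ENI fine; lost beyond it (IGW with no public IP, NAT misrouting)
    if in_accept:
        return "connected"
    return "no-traffic"              # wrong ENI/endpoint, or the connect() never reached the network


ENI, IOT_IP, LAMBDA_IP = "eni-0a1b2c3d4e5f67890", "54.239.0.10", "10.14.10.57"   # constructed

# Constructed sample: Lambda in a subnet with an IGW default route. SYNs leave, nothing returns.
SAMPLE_IGW_SUBNET = f"""\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 {ENI} {LAMBDA_IP} {IOT_IP} 45012 8883 6 3 180 1620000000 1620000060 ACCEPT OK
2 123456789012 {ENI} {LAMBDA_IP} {IOT_IP} 45013 8883 6 3 180 1620000060 1620000120 ACCEPT OK
2 123456789012 {ENI} - - - - - - - 1620000120 1620000180 - NODATA
"""

# Constructed sample: an outbound SG or NACL rule stops the SYN at the ENI.
SAMPLE_SG_BLOCK = f"""\
2 123456789012 {ENI} {LAMBDA_IP} {IOT_IP} 45014 8883 6 1 60 1620000000 1620000060 REJECT OK
"""

# Constructed sample: private subnet behind a NAT gateway, the handshake completes.
SAMPLE_NAT = f"""\
2 123456789012 {ENI} {LAMBDA_IP} {IOT_IP} 45015 8883 6 12 1480 1620000000 1620000060 ACCEPT OK
2 123456789012 {ENI} {IOT_IP} {LAMBDA_IP} 8883 45015 6 10 3920 1620000000 1620000060 ACCEPT OK
"""

if __name__ == "__main__":
    for label, sample in (("igw-subnet", SAMPLE_IGW_SUBNET), ("sg-block", SAMPLE_SG_BLOCK), ("nat", SAMPLE_NAT)):
        print(f"{label}: {diagnose(parse_flow_log(sample), ENI, IOT_IP)}")
```

If you use a custom log format rather than the default one, the field list has to follow it; the `no-reply` case is the one that answers this question, because it shows the security group and NACL were never the problem.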

I encountered the same issue. Thankfully, AWS has automated this process and it's only a few clicks but sadly an extra $$$/month (about $30 to start).

You need to create a VPC group that has both public and private subnets. For my case, I was accessing an RDS database to then build email templates and fire off these emails via SES.

What did not work: When I deployed a default VPC on my lambda function, the RDS would work, but the SES would not. The reason is that the SES API has no access to the internet via default VPCs; you need to set up a private subnet to allow for this.

VPC wizard can do this all for you with a few simple clicks, but you're looking at spending about $30/month (CAD) to setup a NAT gateway + any potential data processing charges per GB (read the pricing). For my case, firing a few email templates off it outweighed deploying another ec2 instance and gave me flexibility for scaling without too much on-the-fly configuration.

This link is a good place to get started. How do I give internet access to a Lambda function that's connected to an Amazon VPC?

Follow the VPC wizard hyperlink within that article, and you just need to go to the VPC console and create a VPC; it should look something like this:


Once AWS works its magic, you need to assign the VPC to your Lambda function, assign the right permissions to your Lambda function AND don't forget to configure your security group with the correct inbound rules. In my case I needed to add a Postgres rule to access my RDS.

Hope this helps!
