stackoom
  简体   繁体   中英

How can I connect an AWS lambda inside a VPC to connect to a cloudformation stack?

 原文  2022-08-15 14:07:11       amazon-web-services/ aws-lambda/ amazon-cloudformation

Question

current situation:

I'm developing an AWS lambda that would launch an EC2 instance through a cloud formation stack. I've deployed it inside a VPC, and thus had created endpoints to give it access to ressources such as S3/DynamoDB. However I cannot find any endpoints for the cloud formation, and as a result my function gets stucked at:
Starting new HTTPS connection (1): cloudformation.ap-south-1.amazonaws.com:443

update 1

Here is the snippet of code I'm using to connect to cloudformation:

self.cfn = session.resource('cloudformation')

 stackdata = self.cfn.create_stack(
        StackName="STACK-{}".format(instance_name),
        DisableRollback=True,
        TemplateURL=constants.TEMPLATE_TYPE[instance_type],
        Parameters=params,
        Capabilities=['CAPABILITY_IAM', 'CAPABILITY_AUTO_EXPAND','CAPABILITY_NAMED_IAM']  
        )

Please be noted that my code works just fine in a none-VPC setup (if I deploy my lambda outside of a VPC)

Could anyone help me try to figure out what I'm missing here?

1 answers

solution1
 0  2022-08-15 15:07:42

Lambda function that is deployed to the VPC doesn't have access to the internet. That means that it's not able to access any of the AWS services endpoints unless you do one of two things:

  1. create a VPC endpoint for that service
  2. Add NAT Gateway so Lambda function can use it to access internet

You add NAT gateway to the public subnet. After that, you need to edit route tables for private subnets to point to the NAT gateway. When you add a Lambda function to the VPC, you choose in which subnets it can be deployed. It's necessary to associate all of those subnets with the NAT gateway, so you're sure that the Lambda function will always have access to the NAT gateway.

If your Lambda function really needs to be in VPC (it needs access to some other resources inside of VPC), this is ok, but if it's not really necessary, I'd suggest you just move it outside of VPC (NAT gateway is $35/month + traffic).

You can see the details here as well: AWS Knowledgebase

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to connect AWS Lambda and RDS in VPC How to properly connect AWS Lambda to RDS in VPC? AWS Lambda unable to connect (intermittently) to MongoDB inside an AWS VPC How can I connect to the AWS IAM API in a private VPC? Why can't an AWS lambda function inside a public subnet in a VPC connect to the internet? AWS Lambda cannot connect to AWS services in VPC How to connect AWS Lambda function inside a VPC to public resources like DynamoDB? How can I connect to an existing RDS database using AWS CloudFormation? AWS Lambda potential alternatives to connect to RDS in VPC Lambda in VPC cannot connect to AWS services
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM