[英]AWS Lambda cannot connect to AWS services in VPC
我在 VPC 中有一个 lambda 可以访问 Amazon DocDB,但无法访问 VPC 中的任何资源。 我已经阅读了几天的官方指南仍然没有解决这个问题。
我根据官方指南检查了所有 vpc 配置,但没有运气。
创建 lambda 时分配 VPC。
谁能给我一些关于 lambda 配置的帮助? :)
def access_mongodb(event, context):
url = event.get('url')
if url:
db = event.get('db')
coll = event.get('collection')
query = event.get('query')
limit = int(event.get('limit'))
try:
with Mongo(url=url, db=db) as conn:
logger.info('Lambda Start query with Mongo')
for row in conn[coll].find(query).limit(limit):
logger.info(f'got row => {json.dumps(row, default=str)}')
except Exception as e:
logger.error(f'Got exception {e}')
else:
logger.info('Lambda End with out Mongo')
错误:
Got exception No servers found yet, Timeout: 2.0s, Topology Description: <TopologyDescription id: 62b5186720247fb7d69a0765, topology_type: Single, servers: [<ServerDescription ('docdb-test.xxxx-southeast-1.docdb.amazonaws.com', 27017) server_type: Unknown, rtt: None>]>
配置:
aws lambda get-function-configuration --function-name hello_py3
{
"FunctionName": "hello_py3",
"FunctionArn": "arn:aws:lambda:ap-southeast-1:592017647781:function:hello_py3",
"Runtime": "python3.9",
"Role": "arn:aws:iam::592017647781:role/service-role/hello_py3-role-xh39m23g",
"Handler": "lambda_function.lambda_handler",
"CodeSize": 5701329,
"Description": "",
"Timeout": 10,
"MemorySize": 128,
"LastModified": "2022-06-24T01:26:48.000+0000",
"CodeSha256": "VLwda8fP2DM62/y4Ouy9/U3KpzvfSRWoH7ocCwl1G6g=",
"Version": "$LATEST",
"VpcConfig": {
"SubnetIds": [
"subnet-08dacd9b6970624aa",
"subnet-09f80e8227735f6cf",
"subnet-028392620db2f9753"
],
"SecurityGroupIds": [
"sg-0002ee69773ca6f9d"
],
"VpcId": "vpc-0eee2636f691ad96b"
},
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "55af10eb-f777-4ba9-aea5-05a010ce7637",
"State": "Active",
"LastUpdateStatus": "Successful",
"PackageType": "Zip",
"Architectures": [
"x86_64"
],
"EphemeralStorage": {
"Size": 512
}
}
aws iam list-attached-role-policies --role-name hello_py3-role-xh39m23g
{
"AttachedPolicies": [
{
"PolicyName": "AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503"
},
{
"PolicyName": "AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce",
"PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce"
}
]
}
aws ec2 describe-vpcs --vpc-ids vpc-0eee2636f691ad96b
{
"Vpcs": [
{
"CidrBlock": "172.31.0.0/16",
"DhcpOptionsId": "dopt-0b9edd5b6deafa0db",
"State": "available",
"VpcId": "vpc-0eee2636f691ad96b",
"OwnerId": "592017647781",
"InstanceTenancy": "default",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0200675b36f061104",
"CidrBlock": "172.31.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": true
}
]
}
aws ec2 describe-security-groups --group-ids sg-0002ee69773ca6f9d
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"FromPort": 80,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"ToPort": 80,
"UserIdGroupPairs": []
},
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-0047473f289f0ffd3",
"UserId": "592017647781"
},
{
"GroupId": "sg-031e0901b061eb92d",
"UserId": "592017647781"
},
{
"GroupId": "sg-03f39f48c7887e46b",
"UserId": "592017647781"
},
{
"GroupId": "sg-07d8dbe45e3e81e44",
"UserId": "592017647781"
}
]
}
],
"OwnerId": "592017647781",
"GroupId": "sg-0002ee69773ca6f9d",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0eee2636f691ad96b"
}
]
}
更新:我终于通过应用ReachabilityAnalyzer弄清楚了,事实证明这是我混淆配置项的错。 这是一个非常有用的工具,有同样问题的人可以尝试使用这个工具来帮助自己。
感谢约翰的帮助。
您似乎为 AWS Lambda 函数和 DocDB 数据库使用了一个安全组。 我认为您的安全组缺少出站权限,这些权限限制了来自 Lambda 函数的流量。
典型的安全设置是:
Lambda-SG
) 上的安全组,允许所有出站访问DB-SG
) 上的安全组,允许从端口 27017 上的Lambda-SG
进行入站访问您能否检查从 lambda 子网到 documentdb 子网的连接以及 sg 和 nacl,以确认 lambda 可以使用端口 27017 连接到 documentdb。
谢谢, Chinmoy Layek
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.