
AWS Lambda cannot connect to AWS services in VPC

I have a Lambda in a VPC that is meant to access Amazon DocDB, but it cannot reach any resource in the VPC. I have been reading the official guide for several days and still have not solved this.

I checked all the VPC configuration against the official guide, but no luck.

The VPC was assigned when the Lambda was created.

Can anyone give me some help with the Lambda configuration? :)

import json
import logging

from pymongo import MongoClient

logger = logging.getLogger()
logger.setLevel(logging.INFO)


class Mongo:
    # Not shown in the question; assumed to be a thin context manager around
    # pymongo.MongoClient. The "Timeout: 2.0s" in the error implies a 2 s
    # serverSelectionTimeoutMS, reproduced here.
    def __init__(self, url, db):
        self.client = MongoClient(url, serverSelectionTimeoutMS=2000)
        self.db = self.client[db]

    def __enter__(self):
        return self.db

    def __exit__(self, *exc):
        self.client.close()


def access_mongodb(event, context):
    url = event.get('url')

    if url:
        db = event.get('db')
        coll = event.get('collection')
        query = event.get('query') or {}
        limit = int(event.get('limit', 0))  # 0 means "no limit" in pymongo

        try:
            with Mongo(url=url, db=db) as conn:
                logger.info('Lambda Start query with Mongo')
                for row in conn[coll].find(query).limit(limit):
                    logger.info(f'got row => {json.dumps(row, default=str)}')
        except Exception as e:
            # Server selection fails here when the ENI cannot reach DocDB on 27017
            logger.error(f'Got exception {e}')

    else:
        logger.info('Lambda End with out Mongo')

Error:

Got exception No servers found yet, Timeout: 2.0s, Topology Description: <TopologyDescription id: 62b5186720247fb7d69a0765, topology_type: Single, servers: [<ServerDescription ('docdb-test.xxxx-southeast-1.docdb.amazonaws.com', 27017) server_type: Unknown, rtt: None>]>

Configuration:

aws lambda get-function-configuration --function-name hello_py3

{
    "FunctionName": "hello_py3",
    "FunctionArn": "arn:aws:lambda:ap-southeast-1:592017647781:function:hello_py3",
    "Runtime": "python3.9",
    "Role": "arn:aws:iam::592017647781:role/service-role/hello_py3-role-xh39m23g",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 5701329,
    "Description": "",
    "Timeout": 10,
    "MemorySize": 128,
    "LastModified": "2022-06-24T01:26:48.000+0000",
    "CodeSha256": "VLwda8fP2DM62/y4Ouy9/U3KpzvfSRWoH7ocCwl1G6g=",
    "Version": "$LATEST",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-08dacd9b6970624aa",
            "subnet-09f80e8227735f6cf",
            "subnet-028392620db2f9753"
        ],
        "SecurityGroupIds": [
            "sg-0002ee69773ca6f9d"
        ],
        "VpcId": "vpc-0eee2636f691ad96b"
    },
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "55af10eb-f777-4ba9-aea5-05a010ce7637",
    "State": "Active",
    "LastUpdateStatus": "Successful",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    }
}

aws iam list-attached-role-policies --role-name hello_py3-role-xh39m23g
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503",
            "PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503"
        },
        {
            "PolicyName": "AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce",
            "PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce"
        }
    ]
}

aws ec2 describe-vpcs --vpc-ids vpc-0eee2636f691ad96b

{
    "Vpcs": [
        {
            "CidrBlock": "172.31.0.0/16",
            "DhcpOptionsId": "dopt-0b9edd5b6deafa0db",
            "State": "available",
            "VpcId": "vpc-0eee2636f691ad96b",
            "OwnerId": "592017647781",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0200675b36f061104",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": true
        }
    ]
}

aws ec2 describe-security-groups --group-ids sg-0002ee69773ca6f9d
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                },
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-0047473f289f0ffd3",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-031e0901b061eb92d",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-03f39f48c7887e46b",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-07d8dbe45e3e81e44",
                            "UserId": "592017647781"
                        }
                    ]
                }
            ],
            "OwnerId": "592017647781",
            "GroupId": "sg-0002ee69773ca6f9d",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-0eee2636f691ad96b"
        }
    ]
}

Update: I finally figured it out by using Reachability Analyzer; it turned out to be my own mistake of mixing up configuration items. It is a very useful tool, and anyone with the same problem can try it to help themselves.

Thanks to John for the help.

It looks like you are using a single security group for both the AWS Lambda function and the DocDB database. I think your security group is missing outbound permissions, which is restricting traffic from the Lambda function.

The typical security setup is:

  • A security group on the AWS Lambda function (Lambda-SG) that allows all outbound access
  • A security group on DocDB (DB-SG) that allows inbound access from Lambda-SG on port 27017

Could you check the connectivity from the Lambda subnet to the DocumentDB subnet, as well as the SGs and NACLs, to confirm that the Lambda can connect to DocumentDB on port 27017.

Thanks, Chinmoy Layek
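The two-security-group layout in the answer above can be checked offline before touching Reachability Analyzer, by evaluating the rules in the JSON shape that `aws ec2 describe-security-groups` returns. The code below is an added example, not code from the question or the answer; the group IDs, the `sg-other-*` references and the two `172.31.x.x` addresses are constructed stand-ins (the question never shows the DocumentDB side's security group), and only the security-group half of the path is modelled, not NACLs, route tables or DNS.

```python
import ipaddress

DOCDB_PORT = 27017


def _rule_matches(rule, port, peer_ip, peer_sg_ids):
    """True if one SG rule (describe-security-groups shape) covers TCP `port`
    to/from a peer that has address `peer_ip` and belongs to `peer_sg_ids`."""
    proto = rule.get("IpProtocol")
    if proto != "-1":                       # "-1" means every protocol and port
        if proto != "tcp":
            return False
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    # A rule that names a security group matches any ENI carrying that group.
    if any(p.get("GroupId") in peer_sg_ids for p in rule.get("UserIdGroupPairs", [])):
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def check_path(lambda_sgs, db_sgs, lambda_ip, db_ip, port=DOCDB_PORT):
    """Evaluate the SG half of Lambda -> DocumentDB reachability.

    Rules across all groups on one ENI are unioned, so any single matching
    rule allows the flow; SGs are stateful, so no return-path rule is needed.
    Returns (allowed, reason)."""
    lambda_ids = {sg["GroupId"] for sg in lambda_sgs}
    db_ids = {sg["GroupId"] for sg in db_sgs}
    if not any(_rule_matches(r, port, db_ip, db_ids)
               for sg in lambda_sgs for r in sg.get("IpPermissionsEgress", [])):
        return False, f"no egress rule on {sorted(lambda_ids)} allows tcp/{port} to {db_ip}"
    if not any(_rule_matches(r, port, lambda_ip, lambda_ids)
               for sg in db_sgs for r in sg.get("IpPermissions", [])):
        return False, (f"no ingress rule on {sorted(db_ids)} allows tcp/{port} "
                       f"from {lambda_ip} or from groups {sorted(lambda_ids)}")
    return True, f"SG rules allow tcp/{port} {sorted(lambda_ids)} -> {sorted(db_ids)}"


ALLOW_ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                     "UserIdGroupPairs": []}]

# Constructed: one default-style group attached to both the Lambda and DocDB.
# Like the group in the question it admits tcp/80 from anywhere and everything
# from some *other* groups, but it never references itself or the VPC CIDR, so
# two members of this group cannot talk to each other on 27017.
SHARED_SG = {
    "GroupId": "sg-shared",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-other-a"}, {"GroupId": "sg-other-b"}]},
    ],
    "IpPermissionsEgress": ALLOW_ALL_EGRESS,
}

# Constructed: the Lambda-SG / DB-SG layout recommended in the answer.
LAMBDA_SG = {"GroupId": "sg-lambda", "IpPermissions": [],
             "IpPermissionsEgress": ALLOW_ALL_EGRESS}
DB_SG = {
    "GroupId": "sg-db",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": DOCDB_PORT, "ToPort": DOCDB_PORT,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}],
    "IpPermissionsEgress": [],   # the database never needs to originate connections
}

if __name__ == "__main__":
    lambda_ip, db_ip = "172.31.10.5", "172.31.20.9"   # constructed VPC addresses
    for label, l_sgs, d_sgs in [("shared default SG", [SHARED_SG], [SHARED_SG]),
                                ("Lambda-SG -> DB-SG", [LAMBDA_SG], [DB_SG])]:
        ok, why = check_path(l_sgs, d_sgs, lambda_ip, db_ip)
        print(f"{label}: {'OK' if ok else 'BLOCKED'} - {why}")
```

Run stand-alone it reports the shared group as blocked (ingress on 27017 never matches) and the two-group layout as allowed. Referencing `sg-lambda` in DB-SG rather than a CIDR is the least-privilege choice: it follows the Lambda's ENIs whatever subnet they land in and admits nothing else in the VPC. If one group must be kept, the minimum fix is an ingress rule on 27017 whose `UserIdGroupPairs` names the group itself; a `0.0.0.0/0` rule on 27017 would also "work" but opens the database to every address the VPC can route.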

