
VPC 中的 AWS Lambda 在 NAT 后面沒有互聯網訪問權限

[英]AWS Lambda in VPC doesn't have internet access behind NAT

我的問題是,我在帶有 IGW 的 VPC 內的 NAT 后面運行的 Lambda 函數無法訪問 Internet 上的任何內容。

我想要做的是創建一個 VPC,它具有:

  • 互聯網網關;
  • 分別位於可用區 A 和可用區 B 的 2 個私有子網（PrivateA 和 PrivateB）；
  • 位於可用區 A 的 1 個公共子網（PublicA）；
  • PublicA子網中的 NAT 網關
  • PrivateA 和 PrivateB 共用一個路由表，將 0.0.0.0/0 路由到 NAT 網關；
  • PublicA 有一個路由表，將 0.0.0.0/0 路由到 Internet 網關；
  • 私有子網和公共子網都有允許所有入口和出口流量的訪問控制列表。

那部分是有效的。

接下來，我想在 VPC 中創建一個 Lambda 函數。我將它放入 PrivateA 和 PrivateB 兩個私有子網，並為其分配一個允許所有出站和入站流量的安全組。

以下是重現該問題的獨立示例(整個模板)。 我已經閱讀了 Internet 上所有可能的文檔和文章,因此如果有人能指出我正確的方向,我將不勝感激。

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {

    "Vpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsSupport": true,
        "EnableDnsHostnames": true,
        "InstanceTenancy": "default"
      }
    },

    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway"
    },

    "VpcGatewayAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": { "Ref": "Vpc" },
        "InternetGatewayId": { "Ref": "InternetGateway" }
      }
    },

    "ElasticIP":{
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "Domain": "vpc"
      }
    },

    "NatGateway": {
      "Type": "AWS::EC2::NatGateway",
      "DependsOn": [ "VpcGatewayAttachment" ],
      "Properties": {
        "AllocationId": { "Fn::GetAtt": [ "ElasticIP", "AllocationId" ] },
        "SubnetId": { "Ref": "SubnetAPublic" }
      }
    },

    "SubnetAPublic": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] },
        "CidrBlock": "10.0.0.0/19",
        "MapPublicIpOnLaunch": true,
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "SubnetAPrivate": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] },
        "CidrBlock": "10.0.64.0/19",
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "SubnetBPrivate": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ] },
        "CidrBlock": "10.0.96.0/19",
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "RouteTablePublic": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "RouteTablePrivate": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "RouteTableAssociationAPublic": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": { "Ref": "SubnetAPublic" },
        "RouteTableId": { "Ref": "RouteTablePublic" }
      }
    },

    "RouteTableAssociationAPrivate": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": { "Ref": "SubnetAPrivate" },
        "RouteTableId": { "Ref": "RouteTablePrivate" }
      }
    },

    "RouteTableAssociationBPrivate": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": { "Ref": "SubnetBPrivate" },
        "RouteTableId": { "Ref": "RouteTablePrivate" }
      }
    },

    "RouteTablePrivateInternetRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": [ "VpcGatewayAttachment" ],
      "Properties": {
        "RouteTableId": { "Ref": "RouteTablePrivate" },
        "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": { "Ref": "NatGateway" }
      }
    },

    "RouteTablePublicInternetRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": [ "VpcGatewayAttachment" ],
      "Properties": {
        "RouteTableId": { "Ref": "RouteTablePublic" },
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": { "Ref": "InternetGateway" }
      }
    },

    "NetworkAclPublic": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "NetworkAclPrivate": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "SubnetNetworkAclAssociationAPublic": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties":{
        "SubnetId": { "Ref": "SubnetAPublic" },
        "NetworkAclId": { "Ref": "NetworkAclPublic" }
      }
    },

    "SubnetNetworkAclAssociationAPrivate": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties":{
        "SubnetId": { "Ref": "SubnetAPrivate" },
        "NetworkAclId": { "Ref": "NetworkAclPrivate" }
      }
    },

    "SubnetNetworkAclAssociationBPrivate": {
      "Type": "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties": {
        "SubnetId": { "Ref": "SubnetBPrivate" },
        "NetworkAclId": { "Ref": "NetworkAclPrivate" }
      }
    },

    "NetworkAclEntryInPublicAllowAll": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "NetworkAclPublic" },
        "RuleNumber": 99,
        "Protocol": -1,
        "RuleAction": "allow",
        "Egress": false,
        "CidrBlock": "0.0.0.0/0"
      }
    },

    "NetworkAclEntryOutPublicAllowAll": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "NetworkAclPublic" },
        "RuleNumber": 99,
        "Protocol": -1,
        "RuleAction": "allow",
        "Egress": true,
        "CidrBlock": "0.0.0.0/0"
      }
    },

    "NetworkAclEntryInPrivateAllowVpc": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "NetworkAclPrivate" },
        "RuleNumber": 99,
        "Protocol": -1,
        "RuleAction": "allow",
        "Egress": false,
        "CidrBlock": "0.0.0.0/16"
      }
    },

    "NetworkAclEntryOutPrivateAllowVpc": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "NetworkAclPrivate" },
        "RuleNumber": 99,
        "Protocol": -1,
        "RuleAction": "allow",
        "Egress": true,
        "CidrBlock": "0.0.0.0/0"
      }
    },

    "LambdasSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Lambdas security group",
        "SecurityGroupEgress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" }
        ],
        "SecurityGroupIngress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" }
        ],
        "VpcId": { "Ref": "Vpc" }
      }
    },

    "LambdaFunctionExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "lambda.amazonaws.com" },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
          "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
        ]
      }
    },

    "LambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "index.lambda_handler",
        "Runtime": "python2.7",
        "Role": {
          "Fn::GetAtt": ["LambdaFunctionExecutionRole", "Arn"]
        },
        "Code": {
          "ZipFile": {
            "Fn::Join": ["\n", [
              "import urllib2",
              "def lambda_handler(event, context):",
              "\tresponse = urllib2.urlopen('http://python.org/')",
              "\treturn response.read()"
            ]]
          }
        },
        "VpcConfig": {
          "SecurityGroupIds": [
            { "Fn::GetAtt": [ "LambdasSecurityGroup", "GroupId"] }
          ],
          "SubnetIds": [
            { "Ref": "SubnetAPrivate" },
            { "Ref": "SubnetBPrivate" }
          ]
        }
      }
    }
  }
}

連接失敗的原因在於私有子網網路 ACL 的入站規則 “NetworkAclEntryInPrivateAllowVpc”：它的 CidrBlock 是 “0.0.0.0/16”（這並不是 VPC 的 10.0.0.0/16 網段，而是 0.0.0.0–0.0.255.255 這個幾乎不會出現的範圍），而對應的出站規則 “NetworkAclEntryOutPrivateAllowVpc” 已經是 0.0.0.0/0。

如果將入站規則的 CIDR 塊從 “0.0.0.0/16” 改為 “0.0.0.0/0”，Lambda 就可以訪問互聯網了。

原因是網路 ACL 是無狀態的：Lambda 經由 NAT 網關發出的請求，其回應封包回到私有子網時，來源地址是互聯網上的對端 IP（而非 NAT 網關或 VPC 內的地址），因此只允許 VPC 網段（即使寫成正確的 10.0.0.0/16）的入站規則也會把回應丟棄。從最小權限角度，實務上不必對所有協議全開 0.0.0.0/0 入站，只需允許 0.0.0.0/0 到臨時端口範圍（例如 TCP 1024–65535）的回應流量即可。另外，安全組是有狀態的，這個 Lambda 並不需要接受入站連線，其安全組的 0.0.0.0/0 全部入站規則是多餘的，可以刪除，只保留出站規則。

