VPC上的AWS Lambda Ruby-Seahorse :: Client :: NetworkingError

Question

將我的Ruby Lambda函數添加到VPC並附加了相關的SecurityGroups之后，我在從aws SSM參數存儲中檢索配置信息的SSM憑證檢索中遇到問題，並且在超時后遇到了這個奇怪的網絡錯誤。

嘗試通過ssm.get_parameters_by_path檢索SSM憑證時會發生這種情況，但是跟蹤感覺在其他任何AWS調用上都會發生這種情況。

{
  "errorMessage": "execution expired",
  "errorType": "Function<Seahorse::Client::NetworkingError>",
  "stackTrace": [
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `initialize'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `open'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:937:in `block in connect'",
    "/var/lang/lib/ruby/2.5.0/timeout.rb:103:in `timeout'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:935:in `connect'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:920:in `do_start'",
    "/var/lang/lib/ruby/2.5.0/net/http.rb:915:in `start'",
    "/var/lang/lib/ruby/2.5.0/delegate.rb:83:in `method_missing'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/connection_pool.rb:297:in `start_session'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/connection_pool.rb:96:in `session_for'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:121:in `session'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:73:in `transmit'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/net_http/handler.rb:47:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/content_length.rb:12:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/json/error_handler.rb:8:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/signature_v4.rb:66:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:10:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:171:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:202:in `retry_request'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:185:in `retry_if_possible'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/retry_errors.rb:173:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/json/handler.rb:11:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/user_agent.rb:13:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/endpoint_pattern.rb:28:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:78:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/endpoint.rb:45:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/param_validator.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/raise_response_errors.rb:14:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/response_target.rb:23:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/request.rb:70:in `send_request'",
    "/var/runtime/gems/aws-sdk-ssm-1.34.0/lib/aws-sdk-ssm/client.rb:4495:in `get_parameters_by_path'",

如果我從VPC刪除了該功能，則一切運行正常。 什么地方出了錯 ？ （請注意，我已經將VPC權限添加到了我的lambda角色以及SSM訪問中）

我的SSM客戶端通過這種方式初始化

def ssm
  @ssm ||= Aws::SSM::Client.new
end

Answer 1

編輯 ：我誤解了OP的問題，因此我進行了相應的編輯，試圖解釋為什么它可能會失敗。

當您的Lambda需要從VPC內訪問其他AWS服務時，您的功能將需要訪問VPC和Internet。 這可以通過同時連接公共子網和私有子網來實現。 公共子網是連接了Internet網關的子網，因此可以訪問公共互聯網，而私有子網是通過NAT網關（僅在AWS VPC內部可見）訪問的子網。

另外，請記住，安全組必須允許從0.0.0.0/0開始的入站TCP連接（或僅將要允許的主機列入白名單）。

如果可以，請盡量避免將Lambda函數放在VPC內，因為它會大大增加冷啟動時間（有時會增加10秒的請求時間，否則，大多數Lambda函數會超時）配置正確）

希望這可以幫助！

編輯2 ：我將嘗試引導您通過帶有兩個子網（公共和私有）的向導創建新的VPC，允許SG上的入站規則，最后將SN和SG附加到Lambda函數

請事先創建一個彈性IP

通過控制台，單擊VPC，然后單擊啟動VPC向導

選擇具有公共和私有子網的VPC

保留默認配置並添加剛剛創建的彈性IP

創建VPC后，您現在應該擁有一個公共子網和一個私有子網

默認情況下，您的SG將已經接受所有流量

最后，轉到Lambda函數，然后在VPC部分下，添加您的子網和安全組。

瞧 ，你的LAMBDA現在應該能夠訪問Internet（或其他AWS服務）