VPC中的AWS Lambda有时无法访问互联网 [英] AWS Lambda in VPC sometimes doesn't have internet access

问题描述

我有已部署到VPC的Lambda。

I have Lambda which was deployed to VPC.

此deploymens具有下一个配置：

This deploymens has next configs:

• VPC（192.168.0.0/16）


• 公共子网A（192.168.32.0/20）具有NAT网关，并且路由0.0.0.0/0到Internet网关


• 私有子网A（192.168.48.0/20）具有到NAT网关的路由0.0.0.0/0


• 私有子网B（192.168.64.0/20）

• VPC (192.168.0.0/16)
• Public Subnet A (192.168.32.0/20) has NAT Gateway and Route 0.0.0.0/0 to Internet Gateway
• Private Subnet A (192.168.48.0/20) has Route 0.0.0.0/0 to NAT Gateway
• Private Subnet B (192.168.64.0/20)

Lambda拥有自己的Securiy Group，并引用私有子网A和私有子网B

Lambda has own Securiy Group and references to "Private Subnet A" and "Private Subnet B"

我有一个奇怪的问题：有时Lambda无法访问Internet 。第三方服务正常运行。

I have strange problem: time to time Lambda doesn't have Internet Access. 3rd party service works normal.

还有一个奇怪的事情，就是Lambda获得了IP，例如127.0.0.1、169.254.76.13、169.254.79.1，而不是从子网（192.168.48.0 / 20和192.168.64.0/20）。

One more strange thing that Lambda gets IP's like 127.0.0.1, 169.254.76.13, 169.254.79.1 instead of IP's from Subnets (192.168.48.0/20 and 192.168.64.0/20).

错误：

Error: connect ETIMEDOUT x.x.x.x:443
at Object._errnoException (util.js:1022:11)
at _exceptionWithHostPort (util.js:1044:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1198:14)

部署模式：

Deployment schema:

此处有完整的CloudFormation模板：

Here full CloudFormation template:

    ---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Base Infrastructure'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
    - Label:
        default: 'VPC Parameters'
      Parameters:
      - VpcId
      - InternetGatewayId
Parameters:
  VpcId:
    Type: String
  InternetGatewayId:
    Type: String
Resources:
  SubnetAPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Sub '192.168.32.0/20'
      MapPublicIpOnLaunch: true
      VpcId: !Sub '${VpcId}'
  SubnetAPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Sub '192.168.48.0/20'
      VpcId: !Sub '${VpcId}'
  SubnetBPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Sub '192.168.64.0/20'
      VpcId: !Sub '${VpcId}'
  RouteTablePublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Sub '${VpcId}'
  RouteTablePrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Sub '${VpcId}'
  RouteTableBPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Sub '${VpcId}'
  RouteTableAssociationAPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTablePublic
  RouteTableAssociationAPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTablePrivate
  RouteTableAssociationBPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  EIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt 'EIP.AllocationId'
      SubnetId: !Ref SubnetAPublic
  RouteTablePublicInternetRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTablePrivate
      DestinationCidrBlock: '0.0.0.0/0'
      NatGatewayId: !Ref NatGateway
  RouteTablePublicInternetRoute2:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTablePublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Sub '${InternetGatewayId}'
  ServerlessSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SecurityGroup for Serverless Functions
      VpcId: !Sub '${VpcId}'
  ServerlessSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ServerlessSecurityGroup
      IpProtocol: -1
      SourceSecurityGroupId: !Ref ServerlessSecurityGroup

任何想法我做错了什么？

Any ideas what I do wrong?

PS：我发现了类似的问题 AWS VPC Lambda函数不断失去Internet访问权限和为什么AWS Lambda在VPC中起作用有时会超时但有时会正常工作？

P.S.: I found similar issues AWS VPC Lambda Function keeps losing internet access and Why AWS lambda functions In a VPC sometimes timeout and sometimes work fine?

UPD

已添加路线，现在可以使用

Added Route and it works now

  RouteTableBPrivateInternetRoute:
    Type: AWS::EC2::Route
      Properties:
        RouteTableId: !Ref RouteTableBPrivate
        DestinationCidrBlock: '0.0.0.0/0'
        NatGatewayId: !Ref NatGateway

推荐答案

用于AWS Lambda函数要在VPC内部运行以便能够访问VPC外部的资源（例如Internet），它必须位于私有服务器中带有NAT网关的bnet。在您的实例中，私有子网A是唯一具有适当配置的子网，以允许Lambda函数访问Internet。因此，您需要编辑Lambda函数的配置以仅在该子网中运行。

For an AWS Lambda function running inside a VPC to be able to access resources outside the VPC (such as the Internet), it must be in a private subnet with a NAT gateway. In your instance Private Subnet A is the only subnet with the appropriate configuration to allow a Lambda function to access the Internet. So you need to edit your Lambda function's configuration to only run in that subnet.

这篇关于VPC中的AWS Lambda有时无法访问互联网的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！