Connect Lambda to Redshift in Different Availability Zones


Question

Our Redshift cluster resides in Zone A.

When our Lambda function uses a Zone A subnet, it can connect to Redshift.

When our Lambda function uses a subnet other than Zone A, it times out.

The workaround, where we ALLOW connections for Redshift on port 5439 from 0.0.0.0/0, is not desired.

  • We have our Lambda functions and Redshift cluster in the same VPC.
  • Lambda functions have 4 dedicated subnets (one per zone)
  • Redshift has 4 dedicated subnets per zone as well
  • Lambda functions have their own security group (SG)
  • The Redshift cluster has its own SG as well.
  • Redshift SG ALLOWs port 5439 from Lambda SG and Admin SG
  • Enhanced VPC Routing is enabled
  • Cluster Subnet Groups include all 4 Redshift subnets (one per zone)
  • No issues when allowing port 5439 from 0.0.0.0/0 on Redshift SG
  • Flow logs for REJECT work fine from Zone A to Zone A, but not from other zones to Zone A when we disable the 0.0.0.0/0 rule.
  • All Lambda subnets use a NAT that exists in Zone A
  • All Redshift subnets use an IGW that exists in
  • All Network ACLs currently allow all (default)

Recommended answer

I was stuck in a similar situation. Adding the NAT gateway's elastic IP to the inbound rule of Redshift's security group for port 5439 fixed it for me.

Steps:

  • Check the private subnet of the Lambda that uses the NAT gateway (subnet-abc)
  • Go to VPC console > Subnets > subnet-abc > Route Table
  • In the route table's routes you can find the NAT gateway in use (nat-abcdefg)
  • Go to VPC console > NAT Gateways > nat-abcdefg. Get the elastic IP used by this NAT gateway (xx.yy.zz.pqr)
  • Add an inbound rule for that elastic IP in Redshift's security group (port = 5439, CIDR xx.yy.zz.pqr/32)

Voila! Lambda connects to Redshift.

Though, before doing this, Lambda should be configured in the same VPC as Redshift and using the appropriate private subnet (configured to use the NAT gateway), as the OP suggested.
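The lookup and rule change described in the answer above, scripted against the EC2 API. This is an added example, not code from the question or the answer; the subnet id, security-group id and the sample API responses are constructed placeholders. The pure helpers run offline on the embedded sample responses; `main()` performs the same steps with boto3 (assumed installed and configured with credentials that can read route tables and modify the Redshift SG) and insists on a single /32 so the unwanted 0.0.0.0/0 rule cannot be reintroduced by a typo.

```python
"""Allow TCP 5439 on the Redshift SG from the elastic IP of the NAT gateway
that a Lambda subnet routes through (added example, not the answer's code)."""
import ipaddress
import sys

REDSHIFT_PORT = 5439

# Constructed sample responses in the shape of the EC2 API, used for the
# offline demo and tests; the ids and addresses are placeholders.
SAMPLE_ROUTES = {"RouteTables": [{"RouteTableId": "rtb-placeholder", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-abcdefg"}]}]}
SAMPLE_NAT = {"NatGateways": [{"NatGatewayId": "nat-abcdefg", "NatGatewayAddresses": [
    {"PublicIp": "52.1.2.3", "PrivateIp": "10.0.1.7"}]}]}
SAMPLE_SG = {"GroupId": "sg-redshift-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda-placeholder"}]}]}


def nat_gateway_id_from_routes(route_tables_response):
    """Answer's step 2/3: the 0.0.0.0/0 route of the subnet's route table names the NAT."""
    for table in route_tables_response.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("NatGatewayId") and route.get("DestinationCidrBlock") == "0.0.0.0/0":
                return route["NatGatewayId"]
    return None


def public_ip_from_nat(nat_gateways_response):
    """Answer's step 4: the elastic (public) IP attached to the NAT gateway."""
    for gw in nat_gateways_response.get("NatGateways", []):
        for addr in gw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                return addr["PublicIp"]
    return None


def ingress_permission(public_ip, port=REDSHIFT_PORT):
    """Answer's step 5 as an IpPermissions entry: tcp/port from exactly one host.

    Only a single public IPv4 address is accepted, so the rule is always a /32
    and can never widen to a range like the 0.0.0.0/0 the question rejects.
    """
    ip = ipaddress.ip_address(public_ip)
    if ip.version != 4 or ip.is_private or ip.is_unspecified:
        raise ValueError(f"expected a single public IPv4 address, got {public_ip!r}")
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{ip}/32", "Description": "Lambda egress via NAT gateway"}]}


def rule_already_present(security_group, cidr, port=REDSHIFT_PORT):
    """True if this SG (one entry of describe_security_groups) already allows tcp/port from cidr."""
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port:
            if any(r.get("CidrIp") == cidr for r in perm.get("IpRanges", [])):
                return True
    return False


def plan_from_samples():
    """Run the pure steps on the constructed samples; returns the CIDR that would be allowed."""
    nat_id = nat_gateway_id_from_routes(SAMPLE_ROUTES)
    perm = ingress_permission(public_ip_from_nat(SAMPLE_NAT))
    cidr = perm["IpRanges"][0]["CidrIp"]
    return nat_id, cidr, rule_already_present(SAMPLE_SG, cidr)


def main(subnet_id, redshift_sg_id):
    import boto3  # imported here so the helpers above stay importable offline

    ec2 = boto3.client("ec2")
    routes = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    if not routes["RouteTables"]:  # no explicit association: the VPC main route table applies
        vpc_id = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]["VpcId"]
        routes = ec2.describe_route_tables(Filters=[
            {"Name": "vpc-id", "Values": [vpc_id]}, {"Name": "association.main", "Values": ["true"]}])
    nat_id = nat_gateway_id_from_routes(routes)
    if nat_id is None:
        sys.exit(f"{subnet_id} has no 0.0.0.0/0 route via a NAT gateway")
    perm = ingress_permission(public_ip_from_nat(ec2.describe_nat_gateways(NatGatewayIds=[nat_id])))
    cidr = perm["IpRanges"][0]["CidrIp"]
    sg = ec2.describe_security_groups(GroupIds=[redshift_sg_id])["SecurityGroups"][0]
    if rule_already_present(sg, cidr):  # idempotent: a duplicate authorize call would error
        print(f"{redshift_sg_id} already allows tcp/{REDSHIFT_PORT} from {cidr}")
        return
    ec2.authorize_security_group_ingress(GroupId=redshift_sg_id, IpPermissions=[perm])
    print(f"allowed tcp/{REDSHIFT_PORT} from {cidr} (NAT {nat_id}) on {redshift_sg_id}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("offline demo (nat, cidr, already_present):", plan_from_samples())
        sys.exit("usage: python nat_to_redshift.py <lambda-subnet-id> <redshift-sg-id>")
    main(sys.argv[1], sys.argv[2])
```

A /32 for the NAT gateway admits every resource in the VPC that egresses through that NAT, not only the Lambda security group, so it is broader than the SG-to-SG reference the question already had; keep the rule description accurate and review it alongside the other inbound rules rather than treating it as equivalent to the Lambda SG rule.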
