Connect Lambda to Redshift in Different Availability Zones
Problem description
Our Redshift cluster resides in Zone A.
When our Lambda function uses a Zone A subnet, it can connect to Redshift.
When our Lambda function uses a subnet other than Zone A, it times out.
The work around, where we ALLOW connections for Redshift on port 5439 from 0.0.0.0/0, is not desired.
- We have our Lambda functions and Redshift cluster in the same VPC.
- Lambda functions have 4 dedicated subnets (one per zone)
- Redshift has 4 dedicated subnets per zone as well
- Lambda functions have their own security group (SG)
- The Redshift cluster has its own SG as well.
- Redshift SG ALLOWs port 5439 from Lambda SG and Admin SG
- Enhanced VPC Routing is enabled
- Cluster Subnet Groups include all 4 Redshift subnets (one per zone)
- No issues when allowing port 5439 from 0.0.0.0/0 on Redshift SG
- Flow logs for REJECT work fine from Zone A to Zone A, but not from other zones to Zone A when we disable the 0.0.0.0/0 rule.
- All Lambda subnets use a NAT that exists in Zone A
- All Redshift subnets use an IGW that exists in
- All Network ACLs currently allow all (default)
Recommended answer
I was stuck in a similar situation. Adding the NAT gateway's elastic IP to the inbound rule of Redshift's security group for port 5439 fixed it for me.
Steps:
- Check the private subnet of the lambda that uses the NAT gateway (subnet-abc)
- Go to VPC console > Subnets > subnet-abc > Route Table
- In the route table's routes you can find the NAT gateway that is used (nat-abcdefg)
- Go to VPC console > NAT Gateways > nat-abcdefg. Get the elastic IP used by this NAT gateway (xx.yy.zz.pqr)
- Add an inbound rule in redshift's security group for this elastic IP (port = 5439, CIDR xx.yy.zz.pqr/32)
Voila! Lambda connects to redshift.
Though, before doing this, lambda should be configured in the same VPC as redshift and use the appropriate private subnet (configured to use the NAT gateway) as OP suggested.
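The same steps scripted against the EC2 API, as an added example that is not part of the original answer: starting from the Lambda subnet it finds the NAT gateway on the subnet's default route (falling back to the VPC main route table when the subnet has no explicit association, which the console hides), reads that gateway's elastic IP, and adds the /32 rule on the Redshift SG only if it is not already there. `ec2` is assumed to be a boto3 EC2 client; the function names and the ids in the comments are mine.

```python
"""Look up the NAT gateway a Lambda subnet egresses through and allow its elastic
IP on the Redshift security group for port 5439 (the answer's fix, via the API)."""
from ipaddress import ip_address

REDSHIFT_PORT = 5439


def nat_gateway_for_subnet(ec2, vpc_id, subnet_id):
    """NAT gateway id on the subnet's 0.0.0.0/0 route; a subnet with no explicit
    route-table association uses the VPC main table, so fall back to that."""
    for assoc in ({"Name": "association.subnet-id", "Values": [subnet_id]},
                  {"Name": "association.main", "Values": ["true"]}):
        resp = ec2.describe_route_tables(
            Filters=[{"Name": "vpc-id", "Values": [vpc_id]}, assoc])
        for table in resp["RouteTables"]:
            for route in table["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("NatGatewayId"):
                    return route["NatGatewayId"]
    raise LookupError(f"{subnet_id} has no default route through a NAT gateway")


def nat_gateway_public_ip(ec2, nat_id):
    """Elastic IP of the NAT gateway (the source address Redshift will see)."""
    resp = ec2.describe_nat_gateways(NatGatewayIds=[nat_id])
    addrs = resp["NatGateways"][0]["NatGatewayAddresses"]
    return str(ip_address(addrs[0]["PublicIp"]))  # raises if not a valid address


def ingress_rule_exists(ec2, sg_id, cidr):
    """True when the SG already allows tcp/5439 from exactly this CIDR."""
    perms = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissions"]
    return any(p.get("IpProtocol") == "tcp" and p.get("FromPort") == REDSHIFT_PORT
               and p.get("ToPort") == REDSHIFT_PORT
               and any(r["CidrIp"] == cidr for r in p.get("IpRanges", []))
               for p in perms)


def allow_nat_egress_ip(ec2, vpc_id, lambda_subnet_id, redshift_sg_id):
    """Add the /32 ingress rule; return the CIDR added, or None if already present."""
    nat_id = nat_gateway_for_subnet(ec2, vpc_id, lambda_subnet_id)
    cidr = f"{nat_gateway_public_ip(ec2, nat_id)}/32"
    if ingress_rule_exists(ec2, redshift_sg_id, cidr):
        return None  # idempotent: re-running does not duplicate the rule
    ec2.authorize_security_group_ingress(GroupId=redshift_sg_id, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": REDSHIFT_PORT, "ToPort": REDSHIFT_PORT,
        "IpRanges": [{"CidrIp": cidr, "Description": f"Lambda egress via {nat_id}"}]}])
    return cidr
```

Call it as `allow_nat_egress_ip(boto3.client("ec2"), "vpc-...", "subnet-...", "sg-...")` with your own ids. Note that a /32 rule for the NAT's elastic IP admits anything in the VPC that egresses through that NAT gateway, not only the Lambda SG, so keep it scoped to port 5439 and review it alongside the SG-to-SG rule rather than as a replacement for it.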