Lambda function within VPC doesn't have access to public Internet


Question

I am trying to make an outbound API request to a third-party service from within a Lambda function, but the function always times out without any error.

This previously happened when trying to perform an s3.putObject operation within a different function (still within the same VPC / subnets), and I managed to get around that by adding an Endpoint with the service name com.amazonaws.us-east-1.s3 and connecting it to the route table that is associated with the VPC that this Lambda function resides in.

Within the Lambda dashboard, inside the Network box -> Security Groups section, I see this warning:

When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.

I believe that this security group allows outbound connections, based off of the Outbound rules table right underneath:

For that second requirement, I can confirm this VPC has a NAT gateway, because on the VPC Dashboard, within the NAT Gateways tab, the one that appears there has a VPC associated with it, and that VPC is the same one hosting the Lambda function.

I followed a guide to create a Flow Log to monitor traffic in and out of the VPC, hoping to see that those outbound requests are indeed rejected. However, after doing so and inspecting the CloudWatch logs, all of the records end in either ACCEPT OK or NODATA.

How can I grant internet access to my VPC Lambda function? is the guide I originally tried to follow, but I got stuck on step 4 under To create a public or private subnet:

  1. From the Change to: drop-down menu, choose an appropriate route table: For a private subnet, the default route should point to a NAT gateway or NAT instance:

Destination: 0.0.0.0/0 Target: nat-… (or eni-…) For a public subnet, the default route should point to an internet gateway:

Destination: 0.0.0.0/0 Target: igw-…

For all four of the subnets within this VPC, clicking the drop-down to the right of Change to: only showed one option, the one already selected, rtb-xxxxxxxx. After clicking on the link to that route table, and clicking the Routes tab next to Summary, I see this:

What might I be doing wrong that is blocking the Lambda function's access to the Internet?

Recommended answer

For Lambda to have access to the internet via VPC, it should be in a private subnet with a NAT Gateway attached.

As per your screenshots, the route table attached to the subnet has igw-xxxxxxx attached, making your current subnet a public subnet.

To make things work, you can do the following:

  • Attach a NAT Gateway instead of igw-xxxxxx in the route table of your current subnet

OR

  • Find the ENI attached to the Lambda and attach an Elastic IP to it if you want internet access.

OR

As per @John Rotenstein, if your Lambda doesn't need VPC resources you can move the Lambda out of the VPC.
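An added diagnostic (not code from the question or the answer) that applies the public-versus-private distinction above to route-table data: it classifies each subnet a VPC Lambda uses by the target of its 0.0.0.0/0 route. It assumes the dict shape returned by boto3's ec2.describe_route_tables() (Routes with DestinationCidrBlock and GatewayId/NatGatewayId/NetworkInterfaceId, Associations with SubnetId or Main); the sample tables, subnet names and ids are constructed placeholders.

```python
# Added diagnostic (constructed, not from the question or answer): classify a VPC Lambda's
# subnets by their 0.0.0.0/0 route, using the dict shape ec2.describe_route_tables()["RouteTables"] returns.
NAT_TARGETS = ("nat-", "eni-", "i-")  # NAT gateway, NAT-instance ENI, NAT instance

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def default_route_target(route_table):
    """Target id of the active 0.0.0.0/0 route, or None when the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # 'blackhole' routes carry no traffic
            continue
        for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId"):
            if route.get(key):
                return route[key]
    return None

def classify_subnet(subnet_id, route_tables):
    """Return (kind, lambda_has_egress) for one subnet."""
    rt = route_table_for(subnet_id, route_tables)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated", False  # no default route at all
    if target.startswith("igw-"):
        return "public", False    # Lambda ENIs get no public IP, so an IGW route just times out
    if target.startswith(NAT_TARGETS):
        return "private", True    # egress via NAT, which is what the answer recommends
    return "other", False         # vgw-/pcx-/tgw- targets are not internet egress

def lambda_can_reach_internet(subnet_ids, route_tables):
    """Lambda may place its ENI in any configured subnet, so every one must qualify."""
    return all(classify_subnet(s, route_tables)[1] for s in subnet_ids)

# Constructed sample: main table -> IGW (public), second -> NAT gateway, third -> local only.
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-private"}], "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-isolated"}], "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
```

A Lambda attached to both subnet-public and subnet-private fails the check because some invocations land in the public subnet and time out exactly as described in the question.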

