Invoking the Lambda times out after adding VPC configuration


Problem description

I am using the Serverless Framework for creating Lambdas. I created a simple Lambda function, which queries a Mongo instance and returns the response. Initially, I created the Mongo instance with a public IP and made the Lambda access that instance via the public IP. It worked well.

Now, in order to increase the security, I added the VPC configuration to the Lambda. Here is my serverless.yml:

functions:
  graphql:
    handler: handler.graphql
    # memorySize and timeout are function-level settings; nested under the
    # http event they are not applied to the function
    memorySize: 256
    timeout: 10
    iamRoleStatements:
      - Effect: Allow
        Resource: "*"
        Action:
          - ec2:CreateNetworkInterface
          - ec2:DescribeNetworkInterfaces
          - ec2:DetachNetworkInterface
          - ec2:DeleteNetworkInterface
          - logs:CreateLogGroup
          - logs:CreateLogStream
          - logs:PutLogEvents
    vpc:
      securityGroupIds:
        - sg-16f9e371
      subnetIds:
        - subnet-883a12fe
        - subnet-3f7b1067
    events:
      - http:
          path: graphql
          method: post
          integration: lambda
          cors: true
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"

After adding the above configuration, the serverless deployment was successful. Now when I try to access the function by invoking the API Gateway URL in Postman, I get a timeout error. Here is the screenshot from Postman:

Does adding the VPC configuration to the Lambda make it inaccessible when invoked publicly? I am confused. Any thoughts on this would be great.

Recommended answer

You do right by attaching the Lambda to the VPC so that database traffic is transmitted over a private network. It's an unnecessary security compromise otherwise, and slower over the Internet.

The previous answer is correct: you now have an ENI attached to your Lambda function, which means it has a private IP connection on your VPC subnet. I'm guessing that your MongoDB instance is in your VPC too; if it was elsewhere on the Internet you should have kept it publicly connected.

Some relevant information:

  • To talk to the MongoDB instance, you now need to connect to the private IP address of the MongoDB EC2 instance.
  • Make sure the security groups are configured to allow traffic from the Lambda into the EC2 instance.
  • Make sure the network is routable, if necessary.
  • API Gateway can still invoke a VPC-attached Lambda function and receive the response.

Design considerations

A combination of patterns that I use for similar scenarios:

  1. When you are designing a serverless solution with API Gateway and Lambda, you should follow the Single Responsibility Principle, i.e. each function does one thing and does it well.
  2. So you have one function ("The Controller") that receives the request from the consumer and has the job of coordinating the process (you could also use Step Functions for this). The Controller is not VPC attached and coordinates a number of child functions.
  3. Cross-over Pattern (I made this one up): to get information from a VPC-attached resource (or via Direct Connect), you have a Lambda function that is VPC connected. This function has one job, to communicate with the VPC resource (read, write, API call, etc.). The Controller calls this Lambda function with the request details against the VPC resource, and receives the response for further processing of the information. This way you can keep the majority of your serverless app in the Amazon ecosystem, so it can talk natively with serverless resources (S3, DynamoDB, Kinesis, SQS, etc.), while being able to send out requests to the serverful world, a bit like a DMZ.
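The following serverless.yml puts the bullet points and the Cross-over Pattern above into one configuration. It is an added example, not the answerer's own file nor the asker's: a public "controller" function that stays outside the VPC and is allowed to invoke exactly one VPC-attached "worker" function, which is the only thing allowed to reach MongoDB on port 27017. The security groups are created in the same stack so the database rule references the Lambda's group instead of an open CIDR. Assumptions: the `serverless-iam-roles-per-function` plugin (implied by the function-level `iamRoleStatements` in the original), the handler name `handler.mongoQuery`, the Node.js runtime, the private IP `10.0.1.25`, and the `vpc-REPLACE_ME` placeholder are not from the page; the subnet IDs are the ones the question uses.

```yaml
service: graphql-api

plugins:
  - serverless-iam-roles-per-function   # per-function roles, as the original config relies on

provider:
  name: aws
  runtime: nodejs18.x                   # assumption: the page does not state the runtime
  stage: dev

functions:
  # "The Controller": public entry point, deliberately NOT attached to the VPC,
  # so it keeps native access to AWS endpoints and reaches MongoDB only via the worker.
  controller:
    handler: handler.graphql
    memorySize: 256                     # function-level, not under the http event
    timeout: 10
    environment:
      WORKER_FUNCTION_NAME: ${self:service}-${self:provider.stage}-vpcWorker
    iamRoleStatements:
      - Effect: Allow
        Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
        Resource: "*"
      # Least privilege: may invoke exactly one function, not Resource "*"
      - Effect: Allow
        Action: lambda:InvokeFunction
        Resource:
          Fn::Join:
            - ""
            - - "arn:aws:lambda:"
              - Ref: AWS::Region
              - ":"
              - Ref: AWS::AccountId
              - ":function:${self:service}-${self:provider.stage}-vpcWorker"
    events:
      - http:
          path: graphql
          method: post
          cors: true

  # "Cross-over" worker: the only function inside the VPC; its single job is
  # talking to MongoDB over the private subnet.
  vpcWorker:
    handler: handler.mongoQuery         # assumed handler name
    timeout: 10
    environment:
      MONGO_HOST: 10.0.1.25             # constructed: private IP of the MongoDB EC2 instance
      MONGO_PORT: "27017"
    iamRoleStatements:
      - Effect: Allow
        Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
        Resource: "*"
      # ENI management needed by any VPC-attached Lambda; these EC2 actions do not
      # support resource-level scoping, so "*" is unavoidable here.
      - Effect: Allow
        Resource: "*"
        Action:
          - ec2:CreateNetworkInterface
          - ec2:DescribeNetworkInterfaces
          - ec2:DeleteNetworkInterface
    vpc:
      securityGroupIds:
        - Ref: LambdaSecurityGroup
      subnetIds:
        - subnet-883a12fe
        - subnet-3f7b1067

resources:
  Resources:
    # Group the worker's ENIs are placed in; no ingress rules, egress only.
    LambdaSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: VPC-attached Lambda, egress only
        VpcId: vpc-REPLACE_ME           # placeholder: the VPC that holds the subnets above

    # Group for the MongoDB EC2 instance: 27017 is reachable only from the
    # Lambda group, never from 0.0.0.0/0, so the public IP can be dropped.
    MongoSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: MongoDB EC2 instance
        VpcId: vpc-REPLACE_ME
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 27017
            ToPort: 27017
            SourceSecurityGroupId:
              Ref: LambdaSecurityGroup
```

Two things worth checking after deployment: the worker's `timeout` must be shorter than whatever the controller waits for, otherwise a MongoDB connection problem surfaces as the same API Gateway timeout the question describes instead of a useful error; and the MongoDB instance must actually carry `MongoSecurityGroup`, since creating the group does not attach it to an existing EC2 instance.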

Hope this helps.
