SQS Timeout from Lambda within VPC


Question

I have a Lambda that needs to be on a VPC to talk to protected resources like RDS and AWSDocumentDB. It also needs to be able to see the outside world for some calls to 3rd party APIs. To do this I used the VPC wizard to create a VPC that had both public and private subnets. The wizard also created and attached an Internet Gateway.

After this I attached my Lambda, RDS instance and DocumentDb cluster to the VPC. Since then, however I have been unable to talk to my SQS queues from within my lambda using the NodeJS aws-sdk.

I want to add that I have read and implemented some points from: AWS Lambda: Unable to access SQS Queue from a Lambda function with VPC access; however, I am still unable to connect.

This is what I have:

  1. VPC:

  • VPC has public and private subnets, and an IG Gateway. I used the wizard to create it. I don't understand much of the underpinnings here.
  • VPC Config (sorry it's a link, it won't let me embed yet.)
  • CIDRs - the wizard created all but the last block. I am unsure if I did this right or if it even matters, as the wizard made me create at least one and I did that to avoid IP overlap.
  • As this is a dev/prototype project the security group attached to the VPC is 'wide open'. All inbound and outbound is allowed.
  • Let me know what other VPC config to show as I'm not sure what's useful

Service endpoints:

  • I tried to create a service endpoint for SQS following the article linked above; this is what I have: Endpoint config
  • I'll go into more detail on how I use it in the Lambda section.
  • The endpoint is attached to the VPC

Lambda:

  • I have the Lambda attached to the VPC as shown here.
  • This allows me to talk to public 3rd party APIs and my protected resources. It was my hope that having a wide open SG would still allow my lambda to talk to SQS, but it keeps timing out.
  • I am unsure which url to use in my Lambda for my endpoint. The example here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html looks like it still uses the regional endpoint.

Code

Here is what the SQS invocation looks like from within my code:

```javascript
const {SQS} = require('aws-sdk');

// Constructor Init
const sqs = new SQS({
   apiVersion: '2012-11-05',
   endpoint: 'https://sqs.us-west-2.amazonaws.com', // not sure if this is 'invoking' the vpc endpoint or not
   region: 'us-west-2'
});

// Placeholder: the real message attributes are not shown in the post
const someAttrs = {};

// Send message (inside the async handler, since `await` needs an async function)
exports.handler = async (event) => {
   await sqs.sendMessage({
      MessageBody: 'Test body',
      QueueUrl: 'https://sqs.us-west-2.amazonaws.com/<rest of URI>',
      MessageAttributes: {...someAttrs}
   }).promise();
};
```

Appreciate any help, please let me know what other information I can provide.

Thanks!

**EDIT**

I should also mention that to circumvent this whole issue I started to go down the road of using SQS as a Lambda Destination. While this does inject messages into the target queue, it likely will not scale with my use case. I can elaborate on that further if needed as it isn't totally pertinent to the actual question.

**EDIT 8/31/20**

Thanks for all the responses, it was a great help and got me to a resolution. I will say to anyone else who finds this post: first watch:

https://www.youtube.com/watch?v=JcRKdEP94jM

This is something that I wish I had found before I started all of this because, while it specifically targets giving lambdas internet access, it goes through the process of mapping IGs and NATs to subnets, which is really where I was mis-configuring my VPC. With this video I went and re-created my entire VPC and it is so much cleaner and easier to connect the dots. 10/10 recommend.

Thanks again!

Recommended answer

My hunch on this one is that there is a missing rule somewhere in your network configuration: packets are getting dropped either toward your SQS or on their way back (both need to be thought through hop by hop).

Three things come to mind:

  1. Routing: make sure the subnets and route tables have the appropriate routes to return packets from wherever the SQS endpoint sits to the private subnet.
  2. Security groups: look carefully at every SG involved. For example, SQS may sit in an SG that restricts access to it.
  3. Network ACLs: they are stateless, so you need to make sure both directions are open, and remember that in most cases random port numbers are involved on the way back to the requester.

Good luck!
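The three checks in the answer (routes, security groups, network ACLs), walked hop by hop for a Lambda ENI in a private subnet sending HTTPS to an SQS interface endpoint ENI in another subnet of the same VPC, as an added example. This is not code from the post or from AWS; every address, ID, subnet and rule in it is constructed, and the config shape (`lambda`, `sqsEndpoint`, `subnets`, `routeTables`, `securityGroups`, `nacls`) is the example's own, not an AWS API response. The second config reproduces the hang the poster describes: the outbound ACL lets the request out, but the inbound ACL on the Lambda's subnet only mirrors it (tcp/443), so the reply on an ephemeral port is dropped.

```javascript
// Added example (not from the post): a hop-by-hop model of the answer's three checks.
// All VPC data below is constructed for illustration.

const EPHEMERAL = { from: 1024, to: 65535 }; // replies come back on a random high port

// IPv4 membership test for a CIDR block (pure integer arithmetic, no dependencies).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const toInt = (a) => a.split('.').reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// A rule matches when protocol, port and the peer address all match.
function ruleMatches(rule, proto, port, ip) {
  const protoOk = rule.proto === '-1' || rule.proto === proto;
  const portOk = rule.proto === '-1' || (port >= rule.from && port <= rule.to);
  return protoOk && portOk && inCidr(ip, rule.cidr);
}

// Route tables use longest-prefix match; no matching route means the packet is dropped.
function routeFor(routes, ip) {
  const prefix = (r) => Number(r.dest.split('/')[1]);
  const hits = routes.filter((r) => inCidr(ip, r.dest));
  return hits.length ? hits.reduce((best, r) => (prefix(r) > prefix(best) ? r : best)) : null;
}

// Security groups are stateful: only the forward direction needs an explicit rule.
function sgAllows(rules, proto, port, ip) {
  return (rules || []).some((r) => ruleMatches(r, proto, port, ip));
}

// Network ACLs are stateless and ordered: lowest-numbered matching rule wins, default deny.
function naclDecision(rules, proto, port, ip) {
  const hit = [...rules].sort((a, b) => a.rule - b.rule).find((r) => ruleMatches(r, proto, port, ip));
  return hit ? hit.action : 'deny';
}

// First ephemeral port on which the ACL would drop a reply, or null if the whole range is open.
function firstDeniedEphemeral(rules, ip) {
  for (let port = EPHEMERAL.from; port <= EPHEMERAL.to; port++) {
    if (naclDecision(rules, 'tcp', port, ip) !== 'allow') return port;
  }
  return null;
}

// Walks request and reply hop by hop; returns the list of missing rules (empty = path is open).
function checkPath(cfg) {
  const problems = [];
  const src = cfg.lambda, dst = cfg.sqsEndpoint;
  const srcSub = cfg.subnets[src.subnet], dstSub = cfg.subnets[dst.subnet];

  // 1. Routing, in both directions.
  if (!routeFor(cfg.routeTables[srcSub.routeTable], dst.ip))
    problems.push(`route: ${srcSub.routeTable} has no route to ${dst.ip}`);
  if (!routeFor(cfg.routeTables[dstSub.routeTable], src.ip))
    problems.push(`route: ${dstSub.routeTable} has no route back to ${src.ip}`);

  // 2. Security groups: Lambda egress and endpoint ingress on the HTTPS port.
  if (!sgAllows(cfg.securityGroups[src.sg].egress, 'tcp', dst.port, dst.ip))
    problems.push(`sg: ${src.sg} egress does not allow tcp/${dst.port} to ${dst.ip}`);
  if (!sgAllows(cfg.securityGroups[dst.sg].ingress, 'tcp', dst.port, src.ip))
    problems.push(`sg: ${dst.sg} ingress does not allow tcp/${dst.port} from ${src.ip}`);

  // 3. Network ACLs sit at the subnet boundary, so they only apply when the subnets differ:
  //    request out of A and into B, then reply out of B and into A on an ephemeral port.
  if (src.subnet !== dst.subnet) {
    const a = cfg.nacls[srcSub.nacl], b = cfg.nacls[dstSub.nacl];
    if (naclDecision(a.outbound, 'tcp', dst.port, dst.ip) !== 'allow')
      problems.push(`nacl: ${srcSub.nacl} outbound denies tcp/${dst.port} to ${dst.ip}`);
    if (naclDecision(b.inbound, 'tcp', dst.port, src.ip) !== 'allow')
      problems.push(`nacl: ${dstSub.nacl} inbound denies tcp/${dst.port} from ${src.ip}`);
    const out = firstDeniedEphemeral(b.outbound, src.ip);
    if (out !== null) problems.push(`nacl: ${dstSub.nacl} outbound denies reply to ${src.ip} on ephemeral port ${out}`);
    const back = firstDeniedEphemeral(a.inbound, dst.ip);
    if (back !== null) problems.push(`nacl: ${srcSub.nacl} inbound denies reply from ${dst.ip} on ephemeral port ${back}`);
  }
  return problems;
}

// Constructed VPC: private subnet for the Lambda, public subnet holding the endpoint ENI.
const allowTcp = (rule, from, to, cidr) => ({ rule, proto: 'tcp', from, to, cidr, action: 'allow' });
const WORKING = {
  lambda: { ip: '10.0.1.25', subnet: 'private-a', sg: 'sg-lambda' },
  sqsEndpoint: { ip: '10.0.0.77', subnet: 'public-a', sg: 'sg-endpoint', port: 443 },
  subnets: {
    'private-a': { routeTable: 'rt-private', nacl: 'acl-private' },
    'public-a': { routeTable: 'rt-public', nacl: 'acl-public' },
  },
  routeTables: {
    'rt-private': [{ dest: '10.0.0.0/16', target: 'local' }],
    'rt-public': [{ dest: '10.0.0.0/16', target: 'local' }, { dest: '0.0.0.0/0', target: 'igw-example' }],
  },
  securityGroups: {
    'sg-lambda': { egress: [{ proto: 'tcp', from: 443, to: 443, cidr: '0.0.0.0/0' }] },
    'sg-endpoint': { ingress: [{ proto: 'tcp', from: 443, to: 443, cidr: '10.0.0.0/16' }] },
  },
  nacls: {
    'acl-private': { outbound: [allowTcp(100, 443, 443, '0.0.0.0/0')], inbound: [allowTcp(100, 1024, 65535, '10.0.0.0/16')] },
    'acl-public': { inbound: [allowTcp(100, 443, 443, '10.0.0.0/16')], outbound: [allowTcp(100, 1024, 65535, '10.0.0.0/16')] },
  },
};

// Common mistake: the private subnet's inbound ACL mirrors its outbound one (tcp/443 only),
// so the request leaves but the reply on an ephemeral port is dropped and the SDK call hangs.
const BROKEN = JSON.parse(JSON.stringify(WORKING));
BROKEN.nacls['acl-private'].inbound = [allowTcp(100, 443, 443, '10.0.0.0/16')];

console.log('working:', checkPath(WORKING)); // []
console.log('broken:', checkPath(BROKEN));
```

On the endpoint question in the post: with an interface endpoint that has private DNS enabled, the regional hostname `sqs.us-west-2.amazonaws.com` resolves inside the VPC to the endpoint ENI's private address (the `sqsEndpoint.ip` modelled above), so the SDK config in the question does reach the endpoint once the path is open. A silent timeout rather than a connection refusal is the signature of a drop somewhere on this path, most often on the stateless ACL return leg.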
