AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access
Question
As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.
So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination 0.0.0.0/0 and target as my NAT gateway's id, I got an error that
An entry with this destination already exists
I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:
- are reachable only via SSH, with all other traffic blocked
- have full access to the other EC2 instances in the same VPC
- Lambda functions with access to this VPC can reach external resources such as SQS and Kinesis.
Answer
You need both the IGW and the NAT gateway for this to work.
In the public subnets (ones you want to reach from outside) point the 0.0.0.0/0 traffic to the IGW gateway. The NAT gateway itself needs to sit in one of these public subnets.
In the private subnets that you want to NAT, point 0.0.0.0/0 traffic to the NAT gateway elastic network interface.
If 0.0.0.0/0 is already bound to the gateway you need to remove that and add one pointing to the NAT gateway.
See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html