AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access


Question

As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.

So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination 0.0.0.0/0 and target as my NAT gateway's id, I got an error that

An entry with this destination already exists

I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:

  • can only be reached via SSH, with all other traffic blocked
  • have full access to the other EC2 instances in the same VPC
  • Lambda functions with access to this VPC can reach external resources such as SQS and Kinesis.

Answer

You need both the IGW and the NAT gateway for this to work.

In the public subnets (the ones you want to reach from outside) point the 0.0.0.0/0 traffic to the IGW gateway. The NAT gateway itself needs to sit in one of these public subnets.

In the private subnets that you want to NAT, point 0.0.0.0/0 traffic to the NAT gateway elastic network interface.

If 0.0.0.0/0 is already bound to the gateway you need to remove that and add it pointing to the NAT gateway.

See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
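The answer above amounts to three routing rules: the subnets a Lambda function is attached to send 0.0.0.0/0 to a NAT gateway, the NAT gateway sits in a subnet whose 0.0.0.0/0 goes to the Internet gateway, and a default route that already points at the IGW in the Lambda's subnet has to be replaced rather than duplicated. The script below is an added example, not code from the question, the answer or AWS; it audits those rules over route-table and NAT-gateway data in the (trimmed) shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`. The resource ids, CIDRs and subnet names are constructed placeholders, and `asker_layout()` reproduces the situation in the question, where the existing 0.0.0.0/0 entry targets the IGW.

```python
"""Audit a VPC's route tables for the IGW + NAT gateway layout a VPC-attached Lambda needs."""
from typing import Dict, List, Optional

# Constructed sample data (placeholders, not real AWS resources). The key names match
# the EC2 API fields: RouteTableId, Associations[].SubnetId / Main, Routes[].DestinationCidrBlock,
# GatewayId, NatGatewayId, and for NAT gateways NatGatewayId, SubnetId, State.
ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-0public",
        "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
    {
        "RouteTableId": "rtb-0private",
        "Associations": [
            {"SubnetId": "subnet-private-a", "Main": False},
            {"SubnetId": "subnet-private-b", "Main": False},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        ],
    },
]
NAT_GATEWAYS: List[Dict] = [
    {"NatGatewayId": "nat-0example", "SubnetId": "subnet-public-a", "State": "available"}
]
# Subnets the Lambda function is configured with (constructed).
LAMBDA_SUBNETS = ["subnet-private-a", "subnet-private-b"]


def asker_layout() -> List[Dict]:
    """The layout from the question: one table for every subnet, 0.0.0.0/0 already bound to the IGW."""
    return [
        {
            "RouteTableId": "rtb-0main",
            "Associations": [{"SubnetId": s, "Main": False}
                             for s in ["subnet-public-a"] + LAMBDA_SUBNETS],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
            ],
        }
    ]


def route_table_for_subnet(subnet_id: str, tables: List[Dict]) -> Optional[Dict]:
    """An explicit association wins; a subnet without one uses the VPC's main route table."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route(table: Dict) -> Optional[Dict]:
    """Return the table's 0.0.0.0/0 route, or None if it has no default route."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit(lambda_subnets: List[str], tables: List[Dict], nat_gateways: List[Dict]) -> List[str]:
    """Return one finding per Lambda subnet that breaks the IGW + NAT layout; [] means it is correct."""
    findings: List[str] = []
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    for subnet in lambda_subnets:
        table = route_table_for_subnet(subnet, tables)
        if table is None:
            findings.append(f"{subnet}: no route table found")
            continue
        route = default_route(table)
        if route is None:
            findings.append(f"{subnet}: no 0.0.0.0/0 route, so the function cannot reach the Internet")
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            # The asker's case: Lambda ENIs get no public IP, so an IGW default route is useless
            # to them; the entry must be replaced by one targeting a NAT gateway.
            findings.append(f"{subnet}: 0.0.0.0/0 points at {route['GatewayId']}; replace it with "
                            f"a route to a NAT gateway (Lambda ENIs have no public IP)")
            continue
        nat_id = route.get("NatGatewayId")
        if nat_id is None:
            findings.append(f"{subnet}: 0.0.0.0/0 targets neither an IGW nor a NAT gateway: {route}")
            continue
        nat = nat_by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{subnet}: NAT gateway {nat_id} is missing or not available")
            continue
        # The NAT gateway itself must live in a public subnet, i.e. one whose default route is the IGW.
        nat_table = route_table_for_subnet(nat["SubnetId"], tables)
        nat_route = default_route(nat_table) if nat_table else None
        if nat_route is None or not nat_route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{subnet}: NAT gateway {nat_id} sits in {nat['SubnetId']}, which is "
                            f"not a public subnet (its 0.0.0.0/0 does not go to an IGW)")
    return findings


if __name__ == "__main__":
    print("correct layout:", audit(LAMBDA_SUBNETS, ROUTE_TABLES, NAT_GATEWAYS))
    print("asker's layout:", audit(LAMBDA_SUBNETS, asker_layout(), NAT_GATEWAYS))
```

To run it against a real account, replace the constructed lists with the JSON from the two `describe-*` calls and the subnet ids from the function's VPC configuration; an empty result means the function's subnets are private, routed to an available NAT gateway, and that gateway is in a subnet reachable through the IGW, which is exactly the split the answer describes.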
