如何使用VPC端点从VPC中的Lambda发布到SNS? [英] How to publish to SNS from Lambda within VPC using VPC Endpoint?

问题描述

我设置了一个具有3个子网的VPC，可以从我的Lambda函数访问私有RDS实例.RDS<-> Lambda连接可以正常工作，但是现在我无法发布到SNS.

I have set up a VPC with 3 subnets, this to have access to a private RDS instance from my Lambda functions. The RDS <-> Lambda connection works fine, however now I'm not able to publish to SNS.

我发现宣布了对SNS的VPC端点支持(包括此博客文章

I found the announcement of VPC Endpoint support for SNS (incl. this blog post https://aws.amazon.com/blogs/security/securing-messages-published-to-amazon-sns-with-aws-privatelink/) and have added a VPC Endpoint Interface with these properties:

Service name: com.amazonaws.eu-west-1.sns
VPC: same as Lambda functions and other services
Subnets: all included in my VPC (have also tested toggling them individually)
Security Groups: all VPC security groups selected

所有服务都位于 eu-west-1 地区.我知道发布到SNS的代码是正确的，因为它可以在非VPC环境中运行.我要发布的ARN保持不变: arn:aws:sns:eu-west-1:962446592636:任何内容.

All the services are in the eu-west-1 region. I know the code that publish to SNS is correct, as it works when run in a non-VPC environment. The ARN I'm publishing to has remained unchanged: arn:aws:sns:eu-west-1:962446592636:whatever.

我知道可以设置NAT服务器来避免此问题，但如果可能的话，我希望使用VPC端点来降低成本.

I'm aware that a NAT server could be set up to avoid this issue, but I'd prefer to use VPC Endpoints if possible to reduce costs.

推荐答案

它对我有用！

我做了以下事情:

• 创建一个 Amazon SNS主题并订阅
• 创建了没有VPC配置的 AWS Lambda函数，该函数会将消息发送到SNS主题
• 测试了Lambda函数-收到消息
• 创建具有两个私有子网的 VPC
• 在专用子网中创建了 SNS服务端点，其中的安全组允许 0.0.0.0/0 中的所有TCP (对于测试目的)
• 修改了Lambda函数以使用私有子网
• 测试了Lambda函数-收到消息

• Created an Amazon SNS topic and subscribed to it
• Created an AWS Lambda function with no VPC configuration, which sends a message to the SNS topic
• Tested the Lambda function -- message received
• Created a VPC with a two private subnets
• Created a Service Endpoint for SNS in the private subnets, with a Security Group allowing All TCP from 0.0.0.0/0 (for testing purposes)
• Modified the Lambda function to use the private subnets
• Tested the Lambda function -- message received

因此，一切正常.我不必修改任何Lambda代码.

So, everything worked fine. I didn't have to modify any Lambda code.

我的Lambda代码:

My Lambda code:

def lambda_handler(event, context):
    import boto3

    client = boto3.client('sns', region_name='ap-southeast-2')
    response = client.publish(
        TopicArn='arn:aws:sns:ap-southeast-2:123456789012:stack',
        Message='From Lambda'
        )

    return

这篇关于如何使用VPC端点从VPC中的Lambda发布到SNS?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！