VPC 中的 Lambda 函数无法访问公共 Internet [英] Lambda function within VPC doesn't have access to public Internet
问题描述
我正在尝试从 Lambda 函数内向第三方服务发出出站 API 请求,但该函数总是超时且没有任何错误.
这之前在尝试在不同的函数中执行 s3.putObject 操作时发生过(仍然在相同的 VPC/子网中),我设法通过添加一个带有服务的端点来解决这个问题命名 com.amazonaws.us-east-1.s3 并将其连接到与此 Lambda 函数所在的 VPC 关联的路由表.
在网络框内的 Lambda 仪表板 -> 安全组部分,我看到以下警告:
<块引用>当您启用 VPC 时,您的 Lambda 函数将失去默认互联网使用权.如果您的功能需要外部互联网访问,确保您的安全组允许出站连接并且您的 VPC 有一个 NAT 网关.
我相信这个安全组允许出站连接,基于下面的出站规则表:
对于第二个要求,我可以确认此 VPC 有一个 NAT 网关,因为在 VPC 仪表板上的 NAT 网关选项卡中,出现的那个有一个与之关联的 VCP,并且该 VPC 与托管Lambda 函数.
我按照指南创建了一个
我可能做错了什么,阻止了 Lambda 函数访问 Internet?
要让 Lambda 通过 VPC 访问互联网,它应该位于带有 NAT 网关私有子网中> 附上.
根据您的屏幕截图,附加到子网的路由表附有 igw-xxxxxxx,使您当前的子网成为 公共子网.
为了使事情顺利进行,您可以执行以下操作:
- 在当前
子网的路由表中附加
NAT网关而不是igw-xxxxxx或
- 找到附加到您的 Lambda 的 ENI 并附加
弹性 IP(如果您想访问互联网).
或
根据@John Rotenstein,如果您的 Lambda 不需要 VPC 资源,您可以将 Lambda 移出 VPC
I am trying to make an outbound API request to a third-party service from within a Lambda function, but the function always times out without any error.
This previously happened when trying to perform a s3.putObject operation within a different function (still within the same VPC / subnets), and I managed to get around that by adding an Endpoint with a service name com.amazonaws.us-east-1.s3 and connecting it to the route table that is associated with the VPC that this Lambda function resides in.
Within the Lambda dashboard inside Network box -> Security Groups section, I see this warning:
When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.
I believe that this security group allows outbound connections, based off of the Outbound rules table right underneath:
For that second requirement, I can confirm this VPC has a NAT gateway, because on the VPC Dashboard, within NAT Gateways tab, the one that appears there has a VCP associated with it, and that VPC is the same one hosting the Lambda function.
I followed a guide to create a Flow Log to monitor traffic in and out of the VPC, hoping to see that those outbound requests are indeed rejected. However, after doing so and inspecting the CloudWatch logs, all of the records end in either ACCEPT OK or NODATA.
How can I grant internet access to my VPC Lambda function? is the guide I originally tried to follow, but I got stuck on step 4 under To create a public or private subnet:
From the Change to: drop-down menu, choose an appropriate route table: For a private subnet, the default route should point to a NAT gateway or NAT instance:
Destination: 0.0.0.0/0 Target: nat-… (or eni-…) For a public subnet, the default route should point to an internet gateway:
Destination: 0.0.0.0/0 Target: igw-…
For all four of the subnets within this VPC, clicking the drop-down to the right of Change to: only showed one option, the one already selected, rtb-xxxxxxxx. After clicking on the link to that route table, and clicking the Routes tab next to Summary, I see this:
What might I be doing wrong that is blocking the Lambda function's access to the Internet?
For Lambda to have access to the internet via VPC it should be in the Private Subnet with NAT Gateway attached.
As per your screenshots, route table attached to subnet has igw-xxxxxxx attached making your current subnet a public subnet.
So to make things work, you can do following:
- Attach
NAT Gatewayinstead ofigw-xxxxxxin route table of your currentsubnet
OR
- Find ENI attached to your Lambda and attach
Elastic IPif you want to have internet access.
OR
As per @John Rotenstein if your Lambda doesnt need VPC recources you can move Lambda out of VPC
这篇关于VPC 中的 Lambda 函数无法访问公共 Internet的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
