AWS Lambda times out connecting to RedShift

Problem description

My Redshift cluster is in a private VPC. I've written the following AWS Lambda in Node.js which should connect to Redshift (dressed down for this question):

'use strict';
console.log('Loading function');

const pg = require('pg');

exports.handler = (event, context, callback) => {
    const client = new pg.Client({
        user: 'myuser',
        database: 'mydatabase',
        password: 'mypassword',
        port: 5439,
        host: 'myhost.eu-west-1.redshift.amazonaws.com'
    });

    // connect to our database
    console.log('Connecting...');
    client.connect(function (err) {
        // report the failure to Lambda instead of throwing inside the callback
        if (err) return callback(err);

        console.log('CONNECTED!!!');

        // close the connection so the invocation can finish
        client.end();
        callback(null, 'connected');
    });
};

I keep getting Task timed out after 60.00 seconds unfortunately. I see in the logs "Connecting...", but never "CONNECTED!!!".

Steps I've taken so far to get this to work:

  • As per Connect Lambda to Redshift in Different Availability Zones I have the Redshift cluster and the Lambda function in the same VPC
  • Also Redshift cluster and the Lambda function are on the same subnet
  • The Redshift cluster and the Lambda function share the same security group
  • Added an inbound rule at the security group of the Redshift cluster as per the suggestion here (https://github.com/awslabs/aws-lambda-redshift-loader/issues/86)
  • The IAM role associated with the Lambda Function has the following policies: AmazonDMSRedshiftS3Role, AmazonRedshiftFullAccess, AWSLambdaBasicExecutionRole, AWSLambdaVPCAccessExecutionRole, AWSLambdaENIManagementAccess scrambled together from this source: http://docs.aws.amazon.com/lambda/latest/dg/vpc.html (I realize I have some overlap here, but figured that it shouldn't matter)
  • Added Elastic IP to the Inbound rules of the Security Group as per an answer from a question listed prior (even if I don't even have a NAT gateway configured in the subnet)
  • I don't have Enhanced VPC Routing enabled because I figured that I don't need it.
  • Even tried it by adding the Inbound rule 0.0.0.0/0 ALL types, ALL protocols, ALL ports in the Security Group (following this question: Accessing Redshift from Lambda - Avoiding the 0.0.0.0/0 Security Group). But same issue!

So, does anyone have any suggestions as to what I should check?

*I should add that I am not a network expert, so perhaps I've made a mistake somewhere.

Recommended answer

The timeout is probably because your Lambda in the VPC cannot access the Internet in order to connect to your cluster (you seem to be using the public hostname to connect). Your connection options depend on your cluster configuration. Since both your Lambda function and cluster are in the same VPC, you should use the private IP of your cluster to connect to it. In your case, I think simply using the private IP should solve your problem.

Depending on whether your cluster is publicly accessible, there are some points to keep in mind.

  • If your cluster is configured to NOT be publicly accessible, you can use the private IP to connect to the cluster from your lambda running in a VPC and it should work.

If you have a publicly accessible cluster in a VPC, and you want to connect to it by using the private IP address from within the VPC, make sure the following VPC parameters are set to true/yes:

  • DNS resolution
  • DNS hostnames

The steps to verify/change these settings are given here.

If you do not set these parameters to true, connections from within the VPC will resolve to the EIP instead of the private IP and your Lambda won't be able to connect without having Internet access (which will need a NAT gateway or a NAT instance).

Also, an important note from the documentation here.

If you have an existing publicly accessible cluster in a VPC, connections from within the VPC will continue to use the EIP to connect to the cluster even with those parameters set until you resize the cluster. Any new clusters will follow the new behavior of using the private IP address when connecting to the publicly accessible cluster from within the same VPC.
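
The check described in the answer, as an added example that is not part of the original post: a Node.js handler that resolves the cluster endpoint from inside the VPC, reports whether it resolves to a private (RFC 1918) address or a public one such as the EIP, and attempts a TCP connect with a short timeout. The `REDSHIFT_HOST` environment variable and all function names are assumptions made for this example.

```javascript
'use strict';

// RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
function isPrivateIPv4(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const octets = ip.split('.').map(Number);
  if (octets.some((n) => n > 255)) return false;
  const [a, b] = octets;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// 'private': traffic stays inside the VPC. 'public': the name resolved to a
// public address (e.g. the EIP), which a VPC Lambda cannot reach without NAT.
function classifyResolution(addresses) {
  if (addresses.length === 0) return 'unresolved';
  return addresses.every(isPrivateIPv4) ? 'private' : 'public';
}

// Resolve the endpoint, then try a TCP connect with a short timeout so a
// routing problem shows up in seconds instead of at the function's 60 s timeout.
async function probe(host, port, timeoutMs = 3000) {
  const dns = require('dns').promises;
  const net = require('net');
  const addresses = await dns.resolve4(host).catch(() => []);
  const kind = classifyResolution(addresses);
  let reachable = false;
  if (kind !== 'unresolved') {
    reachable = await new Promise((resolve) => {
      const socket = net.connect({ host: addresses[0], port });
      socket.setTimeout(timeoutMs);
      socket.once('connect', () => { socket.destroy(); resolve(true); });
      socket.once('timeout', () => { socket.destroy(); resolve(false); });
      socket.once('error', () => resolve(false));
    });
  }
  return { host, addresses, kind, reachable };
}

// Lambda entry point. REDSHIFT_HOST is a hypothetical environment variable
// holding the cluster endpoint; 5439 is the port used in the question.
async function handler() {
  const result = await probe(process.env.REDSHIFT_HOST, 5439);
  console.log(JSON.stringify(result));
  return result;
}

if (typeof module !== 'undefined') module.exports = { handler };
```

A result of `kind: 'public'` with `reachable: false` matches the situation the answer describes: the hostname resolves to the EIP and the function has no route to it.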
