Why can't an AWS lambda function inside a public subnet in a VPC connect to the internet?



I've followed the tutorial here to create a VPC with public and private subnets.

Then I set up an AWS lambda function inside the public subnet to test if it could connect to the outside internet.

Here's my lambda function, written in Python 3:

import requests

def lambda_handler(event, context):
    # Plain HTTP GET to a public host; this times out when the function
    # is attached to the public subnet (see the error below)
    r = requests.get('http://www.google.com')
    print(r)

The function above failed to fetch the content of http://www.google.com when I set it inside the public subnet in a VPC.

Here's the error message:

"errorMessage": "HTTPConnectionPool(host='www.google.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))", "errorType": "ConnectionError",

I don't understand why.

The route table of the public subnet looks like this:

The GET request to http://www.google.com should match the igw-XXXXXXXXX target. Why can't the internet gateway (igw) deliver the request to http://www.google.com and get back the website content?

This article says that I must set the lambda function inside the private subnet in order to have internet access.

If your Lambda function needs to access private VPC resources (for example, an Amazon RDS DB instance or Amazon EC2 instance), you must associate the function with a VPC. If your function also requires internet access (for example, to reach a public AWS service endpoint), your function must use a NAT gateway or instance.

But it doesn't explain why I can't set the lambda function inside the public subnet.

Solution

The reason that your Lambda function cannot access the internet, even though the Lambda function is attached to a public subnet of your VPC, is that Lambda functions do not, and cannot, have public IP addresses. You cannot send traffic to the internet, which happens via the VPC's Internet Gateway, unless you have a public IP.

The only way to access the internet if you do not have a public IP is to route traffic through a NAT.

However, the default route target for traffic in a VPC public subnet is the Internet Gateway (IGW), not a NAT, and, because the Lambda function only has a private IP, all packets to the internet from the Lambda function will be dropped at the IGW.

If your Lambda function doesn't actually need to reach private resources inside your VPC then you typically don't need to attach the Lambda to the VPC. But if it does need to, then attach the Lambda function to a private subnet and ensure a default route from that subnet to a NAT instance or NAT Gateway in a public subnet. And configure an IGW, without which internet access is not possible.

Be aware that NAT gateway charges per hour and per GB processed so it's worth understanding how to reduce data transfer costs for NAT gateway.

Note: if the Lambda only needs access to resources in the VPC (e.g. an RDS database in a private subnet) and/or to AWS services that are all available via private VPC Endpoint then you don't need to route through NAT at all.
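The decision the answer describes can be checked mechanically from a subnet's route table before a function is ever attached. The following is an added example written for this page, not code from the question or the answer: it models how the VPC forwards a packet from a Lambda network interface (which never has a public IP) using route entries in the shape of the EC2 `describe-route-tables` "Routes" list. The route tables, the `igw-XXXXXXXXX` / `nat-XXXXXXXXX` identifiers, and the destination address 203.0.113.10 are all constructed placeholders.

```python
"""Model the VPC egress decision for a Lambda function's network interface.

A route is chosen by longest-prefix match, then the verdict depends on the
target: 'local' stays in the VPC, a NAT gateway can carry private-IP traffic
out, and an internet gateway forwards only if the source has a public IP.
Lambda ENIs never have one, so an IGW default route yields 'dropped-at-igw'.
All data below is constructed for the example (identifiers are placeholders).
"""
import ipaddress

# Constructed route tables in the shape of the EC2 API "Routes" list.
PUBLIC_SUBNET_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-XXXXXXXXX"},
]
PRIVATE_SUBNET_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-XXXXXXXXX"},
]
ISOLATED_SUBNET_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
]

# Constructed internet destination (TEST-NET-3 documentation range).
INTERNET_DST = "203.0.113.10"


def longest_prefix_match(routes, dst):
    """Return the most specific route whose CIDR contains dst, or None.

    Routes keyed by a prefix list (no DestinationCidrBlock) are skipped;
    they target VPC endpoints and are not relevant to internet egress here.
    """
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def egress_verdict(routes, dst, has_public_ip):
    """Classify what happens to a packet from a source ENI to dst.

    Returns one of: 'no-route', 'local', 'nat', 'igw', 'dropped-at-igw', 'other'.
    """
    route = longest_prefix_match(routes, dst)
    if route is None:
        return "no-route"
    if route.get("GatewayId") == "local":
        return "local"
    if "NatGatewayId" in route:
        # NAT gateway translates the private source IP; works without a public IP.
        return "nat"
    if route.get("GatewayId", "").startswith("igw-"):
        # IGW forwards only traffic whose source has a public IP mapping.
        return "igw" if has_public_ip else "dropped-at-igw"
    return "other"


def lambda_can_reach_internet(routes):
    """A Lambda ENI has only a private IP, so has_public_ip is always False."""
    return egress_verdict(routes, INTERNET_DST, has_public_ip=False) == "nat"


if __name__ == "__main__":
    for name, routes in [("public", PUBLIC_SUBNET_ROUTES),
                         ("private", PRIVATE_SUBNET_ROUTES),
                         ("isolated", ISOLATED_SUBNET_ROUTES)]:
        verdict = egress_verdict(routes, INTERNET_DST, has_public_ip=False)
        print(f"{name:8s} subnet: Lambda -> {INTERNET_DST}: {verdict}")
```

Run stand-alone it prints `dropped-at-igw` for the public subnet, `nat` for the private subnet and `no-route` for the isolated one, which is exactly the trio of outcomes the answer walks through. The same function with `has_public_ip=True` returns `igw` for the public subnet, showing why an EC2 instance with a public IP in that subnet works while a Lambda function does not.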
