4

I have my MongoDB living on AWS EC2 and my Lambda function (python code) is trying to access it via IP address 23.23.23.23:27017. At our company we restrict our EC2 instances to our company's IP address by setting up AWS Security Groups on EC2 instance. The problem is without opening up access to port 27017 to all traffic on my EC2 instance security groups my lambda won't be able to access it because we don't know the IP address where the Lambda gets executed on.

Is there a better way to access ports on EC2 instances from AWS services such as Lambda without violating security policies?

Chenna V
  • At this point, there is no better way other than opening your instances to the world. I don't agree with the answer posted by @Rodrigo – helloV Jan 15 '16 at 18:33
  • @helloV I am able to run Lambdas within VPC, as pointed out by Mark in the last sentence – Chenna V Apr 11 '16 at 13:08

3 Answers

4

Not sure why everybody is saying VPC endpoints will solve this. VPC endpoints allow communication originating within your VPC to access AWS services outside the VPC. The question being asked is regarding Lambda functions, which exist outside the VPC, accessing EC2 instances that exist within the VPC.

Support for running Lambda functions within the VPC is coming soon, as per this announcement. This will solve the issue this question addresses.

Mark B
3

Today on AWS you have limited options when you need to restrict inbound IP access to your own instance from another AWS service. The nature of AWS network architecture is that the service could come from any IP address in the AWS IP Address Range.

Other than opening up the instance to all traffic, you can consider three options:

  1. Open the instance to all traffic, but use iptables or Windows Firewall on the instance and restrict access to any IP in the AWS IP Address Range. That still allows millions of IPs to access that instance, but it is marginally more secure. Not ideal, to say the least.

  2. Build an internal API, perhaps using Simple Queuing Service, to interface with the services.

  3. Have the Lambda job determine its IP, and dynamically update the target instances' security group, then reset the security group when done. Not pretty, but it would work. Based on your company security policy, this may be the most viable option.

Rodrigo Murillo
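Option 3 above, written out as a Python helper for the Lambda. This is an added example, not code from the question or from any of the answers. It assumes boto3 is available (it is in the Lambda Python runtime), that the function's role may call ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress on the MongoDB instance's security group, and that the group id arrives in the event under a made-up key; the group id and IP used in the demo run are constructed placeholders.

```python
"""Temporary, self-revoking /32 ingress rule for a Lambda's current public IP.

Added example for option 3 of the answer above; not code from the page.
Assumptions: boto3 in the runtime, IAM rights to authorize/revoke ingress on
the target group, and the group id supplied in the event (key name invented).
"""
import contextlib
import ipaddress
import urllib.request

MONGO_PORT = 27017


def current_public_ip(timeout: float = 3.0) -> str:
    """Return this execution environment's public IPv4 address.

    checkip.amazonaws.com is an AWS-hosted endpoint that echoes the caller's
    source address. The response is parsed as an IPv4 literal so a malformed
    body can never end up inside a security-group rule.
    """
    with urllib.request.urlopen("https://checkip.amazonaws.com", timeout=timeout) as resp:
        text = resp.read().decode("ascii", "replace").strip()
    return str(ipaddress.IPv4Address(text))  # raises ValueError on anything else


def ingress_permission(ip: str, port: int = MONGO_PORT, description: str = "lambda-temp") -> list:
    """Build the IpPermissions payload for a single-host (/32) TCP rule."""
    host = ipaddress.IPv4Address(ip)  # validate before building the CIDR
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{host}/32", "Description": description}],
    }]


@contextlib.contextmanager
def temporary_ingress(ec2, group_id: str, ip: str, port: int = MONGO_PORT):
    """Open port/ip on group_id for the duration of the block, then revoke.

    The revoke sits in a ``finally`` so that an exception in the caller's
    database work (connection refused, auth failure, socket timeout) still
    removes the rule instead of leaving the instance open.
    """
    perms = ingress_permission(ip, port)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    try:
        yield perms
    finally:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)


def lambda_handler(event, context):
    """Handler skeleton; boto3 is imported lazily so the helpers above import offline."""
    import boto3  # present in the Lambda Python runtime (assumption)
    ec2 = boto3.client("ec2")
    group_id = event["mongo_security_group_id"]  # invented event field
    with temporary_ingress(ec2, group_id, current_public_ip()):
        pass  # connect to the MongoDB host on 27017 and do the work here
    return {"status": "ok"}


class _RecordingEc2:
    """Constructed stand-in for a boto3 EC2 client, used only by demo() below."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize", kw["GroupId"], kw["IpPermissions"]))

    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("revoke", kw["GroupId"], kw["IpPermissions"]))


def demo(ip: str = "198.51.100.7", group_id: str = "sg-0123456789abcdef0") -> list:
    """Run the open/work/revoke cycle against the stand-in, failing mid-work on purpose."""
    ec2 = _RecordingEc2()
    try:
        with temporary_ingress(ec2, group_id, ip):
            raise RuntimeError("simulated failure while talking to MongoDB")
    except RuntimeError:
        pass
    return ec2.calls  # authorize followed by revoke, despite the failure


if __name__ == "__main__":
    for call in demo():
        print(call)
```

Two caveats a reviewer would raise before adopting this. First, the ``finally`` only runs if the handler returns or raises; a Lambda that hits its hard timeout is terminated without unwinding, so temporary rules can accumulate, which is why the rule carries a recognisable Description and a periodic sweep of such rules is still needed. Second, the /32 belongs to an AWS-managed execution environment rather than to your account, so the rule should live exactly as long as the work and no longer.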
0

If you configure your lambda function to run on the same VPC and Subnets as the EC2 instance you are running MongoDB on, you will be able to access the MongoDB from your lambda function.

One additional configuration is to make sure the security group of your lambda function has the right inbound and outbound setup for the CIDR block in which your EC2 instance resides.

You do not need the specific IP address but the CIDR range to open the connectivity.

SheoSinha
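As an added example for the VPC answer above (not code from the question or any answer): a small audit of the MongoDB instance's security group, in the shape boto3's describe_security_groups returns it, that reports any rule exposing 27017 to the whole internet, plus a hardened copy that replaces such rules with one referencing the Lambda function's own security group. It goes slightly beyond the answer's CIDR approach: referencing the Lambda's group rather than the subnet CIDR grants nothing to other hosts in that subnet, and the audit also recognises all-protocol ("-1") rules and IPv6 ranges. The group ids and sample rules are constructed placeholders.

```python
"""Audit and harden a security group for a Lambda-in-VPC MongoDB client.

Added example for the VPC answer above; not code from the page. The
security-group records are constructed in the shape boto3's
describe_security_groups returns; all group ids are placeholders.
"""
import copy
import ipaddress

MONGO_PORT = 27017


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry matches TCP `port` (or is an all-protocol rule)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _is_world(cidr: str) -> bool:
    """A prefix length of 0 (0.0.0.0/0 or ::/0) means every address."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def world_open_sources(group: dict, port: int = MONGO_PORT) -> list:
    """Return the CIDRs in `group` that expose `port` to every address (the weak setting)."""
    hits = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_port(perm, port):
            continue
        hits += [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_world(r["CidrIp"])]
        hits += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_world(r["CidrIpv6"])]
    return hits


def ingress_from_group(source_group_id: str, port: int = MONGO_PORT) -> list:
    """IpPermissions allowing `port` only from members of `source_group_id`.

    Referencing the Lambda's security group means the rule follows the
    function's network interfaces wherever they land in the subnet, and no
    other host in that CIDR inherits the access.
    """
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_group_id, "Description": "lambda-mongo-clients"}],
    }]


def harden(group: dict, lambda_sg_id: str, port: int = MONGO_PORT) -> dict:
    """Copy `group`, strip world-open sources from rules covering `port`, add the SG rule."""
    hardened = copy.deepcopy(group)
    kept = []
    for perm in hardened.get("IpPermissions", []):
        if rule_covers_port(perm, port):
            perm["IpRanges"] = [r for r in perm.get("IpRanges", []) if not _is_world(r["CidrIp"])]
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", []) if not _is_world(r["CidrIpv6"])]
            still_has_source = (perm["IpRanges"] or perm["Ipv6Ranges"]
                                or perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"))
            if not still_has_source:
                continue  # nothing left in this rule; drop it entirely
        kept.append(perm)
    kept.extend(ingress_from_group(lambda_sg_id, port))
    hardened["IpPermissions"] = kept
    return hardened


# Constructed sample: the "before" group, opened to the world as the question fears.
WORLD_OPEN_GROUP = {
    "GroupId": "sg-mongo-placeholder",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}]},
    ],
}

if __name__ == "__main__":
    print("world-open on 27017 before:", world_open_sources(WORLD_OPEN_GROUP))
    fixed = harden(WORLD_OPEN_GROUP, "sg-lambda-placeholder")
    print("world-open on 27017 after: ", world_open_sources(fixed))
    print("rules after:", fixed["IpPermissions"])
```

The `harden` result is what you would pass, rule by rule, to revoke_security_group_ingress and authorize_security_group_ingress; it leaves unrelated rules (the office SSH rule in the sample) untouched. The Lambda's own group still needs outbound TCP 27017 permitted, as the answer notes, since the reference rule only governs the instance side.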