I am trying to access a kinesis stream outside a VPC from a lambda function inside a VPC. Currently when the code to write to the kinesis stream is executed it will hang and then timeout. When I take the lambda out of the VPC the code to write to the stream works fine. But I need to access a resource within the VPC and then write to the stream. Anyone know how to fix this?

Here is my function that is in the VPC

functions:
  handleChanges:
    handler: functions/handlers.handleChanges
    timeout: 10
    package:
      include:
        - functions/utils/**
    events:
      - http:
          method: POST
          path: "/"
          integration: lambda
    vpc:
      securityGroupIds:
        - ${file(./private.yml):variables.securityGroup}
      subnetIds:
        - ${file(./private.yml):variables.subnetID}

Here is my policy

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "kinesis:PutRecord"
      - "kinesis:GetRecords"
      - "kinesis:GetShardIterator"
      - "kinesis:DescribeStream"
      - "kinesis:ListStreams"
    Resource:
      Fn::GetAtt:
        - KinesisStream
        - Arn
  - Effect: "Allow"
    Action:
      - "cognito-idp:AdminGetUser"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "logs:CreateLogGroup"
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
      - "ec2:CreateNetworkInterface"
      - "ec2:DescribeNetworkInterfaces"
      - "ec2:DeleteNetworkInterface"
    Resource: "*"

And finally here is my kinesis stream resource

KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: ${self:provider.environment.STREAM_NAME}
    ShardCount: 1
pizzarob

2 Answers

The only solution is to add a NAT Gateway (or NAT instance) to your VPC so that resources like your Lambda function that reside in your private subnet will have access to resources outside the VPC.

Mark B

Yeah, thanks for your answer. I just got done creating a NAT Gateway and it seems to work now. I stumbled upon this gist explaining the process: https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7 – pizzarob Feb 24 '17 at 22:00

Do you know if there are any potential security hazards doing this? – pizzarob Feb 24 '17 at 22:00

@realseanp VPC NAT Gateways only allow internally-initiated connections, not externally initiated connections, so your internal resources are not exposed using this setup. There is essentially no way to set up a NAT Gateway with an intrinsically unsafe configuration. – Michael - sqlbot Feb 25 '17 at 04:38
No need for NAT; you can also do it with a VPC endpoint: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html And here is how to do it for Kinesis: https://docs.aws.amazon.com/streams/latest/dev/vpc.html

Works for me :) and much cheaper. Make sure you set the correct security groups (the SG of the private VPC, not the default VPC).

If you read the NAT pricing documentation, they also recommend this: https://aws.amazon.com/vpc/pricing/ (read the note at the end):

Note: To avoid the NAT Gateway Data Processing charge in this example, you could set up a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.
Brachi
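The VPC-endpoint route from the second answer, written out as a serverless.yml `resources` block that sits beside the question's own function, role and stream definitions. This is an added example, not code from the question or either answer: `vpc-PLACEHOLDER` stands in for the VPC id (which the question never shows), the endpoint security group and endpoint policy are assumed hardening choices, and the `securityGroup`/`subnetID` variables are the question's own.

```yaml
resources:
  Resources:
    # Security group for the endpoint's network interfaces: accept
    # HTTPS only from the Lambda's own security group, nothing else.
    KinesisEndpointSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: HTTPS from the Lambda SG to the Kinesis endpoint
        VpcId: vpc-PLACEHOLDER   # assumption: the VPC the function runs in
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            SourceSecurityGroupId: ${file(./private.yml):variables.securityGroup}

    # Interface endpoint for Kinesis Data Streams. With PrivateDnsEnabled the
    # regional hostname kinesis.<region>.amazonaws.com resolves to the endpoint's
    # private IPs, so the SDK in the function needs no endpoint override; the
    # VPC must have enableDnsSupport and enableDnsHostnames turned on.
    KinesisVpcEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        VpcEndpointType: Interface
        ServiceName:
          Fn::Join:
            - ""
            - - "com.amazonaws."
              - Ref: AWS::Region
              - ".kinesis-streams"
        VpcId: vpc-PLACEHOLDER   # assumption: same VPC as above
        PrivateDnsEnabled: true
        SubnetIds:
          - ${file(./private.yml):variables.subnetID}
        SecurityGroupIds:
          - Ref: KinesisEndpointSecurityGroup
        # Endpoint policy: defence in depth on top of the function's IAM role,
        # so traffic through this endpoint can only reach this one stream.
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - kinesis:PutRecord
                - kinesis:DescribeStream
              Resource:
                Fn::GetAtt:
                  - KinesisStream
                  - Arn
```

The Lambda's own security group still needs outbound TCP 443 (the default egress rule allows all outbound, so this only matters if that rule was tightened). If the function also needs the internet for anything other than Kinesis, the endpoint does not replace the NAT Gateway from the first answer.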