
I am running a lambda function that I would like to access both a private database server and the internet. I can reach the database just fine, but I am not able to reach the internet.

The setup:

VPC (10.0.0.0/16)
   Public-Subnet (10.0.0.0/24)
      NAT-Security-Group (see security groups below)
         NAT-Server (AMI NAT instance)

   Private-Subnet-1 (10.0.1.0/24) & Private-Subnet-2 (10.0.2.0/24)
      DB-Security-Group (see security groups below)
         DB-Server (RDS PostgreSQL instance)

      Lambda-Security-Group (see security groups below)
         Lambda-Function

The security groups are:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from 0.0.0.0/0
   Outbound:
      All traffic

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      All traffic

Lambda-Security-Group
   Inbound:
      HTTP & HTTPS from source: NAT-Security-Group
   Outbound:
      All traffic

The routing tables for the subnets are:

Public-Subnet:
   10.0.0.0/16 local
   0.0.0.0/0 Internet-Gateway

Private-Subnet-1 & Private-Subnet-2
   10.0.0.0/16 local
   0.0.0.0/0 NAT-Server

I'm at a loss here. Why can't the lambda function reach the internet (connection timeout errors)?

Chacko
Jay
    Can you put an EC2 instance in the same subnet as your Lambda functions with the same security groups and reach the internet? – Matt Houser Dec 11 '17 at 02:04
  • Not sure - I can't reach the EC2 instance with SSH even if I add an inbound SSH rule to the Lambda-Security-Group. – Jay Dec 11 '17 at 02:19
  • The issue is with the security groups - If I set the rules to allow all traffic inbound/outbound everything works. – Jay Dec 11 '17 at 03:05

3 Answers


Lambda in a public subnet

Since you just need to communicate with the DB from the Lambda, place the Lambda in the public subnet and you don't need a NAT gateway installed. Anyway, there won't be direct access to the Lambda as there is with an ELB; it has to be attached to API Gateway in case of any access through an API endpoint.

Lambda in a private subnet

  • Add a NAT route out for all addresses (0.0.0.0/0) to the route table associated with the private subnet
  • Add a route out to the IGW for all addresses (0.0.0.0/0) to the route table associated with the public subnet
  • Place the NAT in the public subnet

This should solve the problem of accessing the internet from Lambda. But it is only really useful if you are going with the DB installed on EC2, for future patch management or any other kind of access from a bastion host. If going with RDS there is no point in putting Lambda in a private subnet.

  • Is there a security risk with putting Lambda in a public subnet? This scenario isn't even discussed in the documentation and there are lots of "don't do this" comments in the forums. – Jay Dec 11 '17 at 13:42
  • There is none such mentioned, but from the above I have mentioned just from an access standpoint from API Gateway; else you need to invoke an API call. Nothing from a security standpoint. – Kartik Narayana Maringanti Dec 11 '17 at 15:22

You need to create a NAT Gateway in a public subnet and route the egress traffic from the subnet where the Lambda is placed through the NAT Gateway.

To do this, set up the NAT Gateway as the default gateway in the routing table attached to the subnet that the Lambda is placed in.

For more details, refer to Internet Access for Lambda Functions in the documentation.

Ashan

The issue was with the inbound/outbound rules for the security groups. With the configuration above, I updated the security groups to match:

NAT-Security-Group
   Inbound:
      HTTP & HTTPS from source: Lambda-Security-Group
      SSH from source: 0.0.0.0/0
   Outbound:
      HTTP & HTTPS to destination: 0.0.0.0/0

DB-Security-Group
   Inbound:
      PostgreSQL from source: Lambda-Security-Group
   Outbound:
      None

Lambda-Security-Group
   Inbound:
      None
   Outbound:
      HTTP & HTTPS to destination: NAT-Security-Group
      PostgreSQL to destination: DB-Security-Group

The Lambda function now has internet connectivity.

Jay
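An added example, not code from anyone in this thread, that models the two mechanisms the answers rely on: longest-prefix route lookup and stateful security groups whose rules can reference other groups. It uses the NAT Gateway layout Ashan recommends together with least-privilege groups in the style of Jay's fix; every ENI name, group name, address and subnet in it is constructed for illustration. It also encodes one fact about Lambda ENIs relevant to the "public subnet" discussion: they never receive a public IP, so a default route to an Internet Gateway cannot carry their traffic and a NAT is needed for egress from any subnet.

```python
"""Constructed model of VPC routing plus stateful security groups (illustrative names/addresses)."""
import ipaddress
from dataclasses import dataclass, field
ANY = "-1"  # AWS shorthand for "all protocols"

@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp", "udp", "icmp" or ANY
    from_port: int
    to_port: int
    peer: str   # a CIDR, or the name of another security group

@dataclass
class SecurityGroup:
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

@dataclass
class Eni:
    name: str
    ip: str
    subnet: str
    sgs: list  # attached security group names

@dataclass
class Vpc:
    enis: dict          # name -> Eni
    sgs: dict           # name -> SecurityGroup
    routes: dict        # subnet -> [(cidr, target)] route table
    nat_gateways: dict  # NAT gateway name -> the subnet it lives in

def route_target(table, dst_ip):
    """Longest-prefix match over one route table, as the VPC router does."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(c), t) for c, t in table if addr in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def rule_matches(rule, proto, port, peer_ip, peer_sgs, sgs):
    if rule.proto not in (ANY, proto):
        return False
    if rule.proto != ANY and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.peer in sgs:  # group reference: matches private IPs of ENIs in that group
        return rule.peer in peer_sgs
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

def sg_allows(eni, direction, proto, port, peer_ip, peer_sgs, sgs):
    """Attached groups are unioned and stateful: only the opening packet is checked."""
    return any(rule_matches(r, proto, port, peer_ip, peer_sgs, sgs)
               for name in eni.sgs for r in getattr(sgs[name], direction))

def can_connect(src, dst_ip, proto, port, vpc):
    """Trace one connection attempt from src to dst_ip:port -> (ok, reason)."""
    if route_target(vpc.routes[src.subnet], dst_ip) == "local":
        dst = next((e for e in vpc.enis.values() if e.ip == dst_ip), None)
        if dst is None:
            return False, f"no ENI at {dst_ip}"
        if not sg_allows(src, "egress", proto, port, dst.ip, dst.sgs, vpc.sgs):
            return False, f"{src.name} egress denies {proto}/{port} to {dst.name}"
        if not sg_allows(dst, "ingress", proto, port, src.ip, src.sgs, vpc.sgs):
            return False, f"{dst.name} ingress denies {proto}/{port} from {src.name}"
        return True, f"{src.name} -> {dst.name} allowed"
    # Internet-bound: egress is judged against the real destination, not the NAT hop.
    if not sg_allows(src, "egress", proto, port, dst_ip, [], vpc.sgs):
        return False, f"{src.name} egress denies {proto}/{port} to {dst_ip}"
    hop, translated = src.subnet, False  # a Lambda ENI has no public address of its own
    for _ in range(4):  # bounded walk so a bad route table cannot loop forever
        target = route_target(vpc.routes[hop], dst_ip)
        if target == "igw":
            if not translated:
                return False, f"{src.name} has no public IP, so the IGW cannot forward it"
            return True, f"{src.name} -> {dst_ip} via {hop} -> igw"
        if target not in vpc.nat_gateways:
            return False, f"no route to {dst_ip} from {hop}"
        translated, hop = True, vpc.nat_gateways[target]  # NAT supplies a public source
    return False, "routing loop"

def build_vpc():
    """Ashan's NAT Gateway layout with least-privilege groups in the style of Jay's fix."""
    sgs = {
        "Lambda-SG": SecurityGroup(egress=[Rule("tcp", 443, 443, "0.0.0.0/0"),
                                           Rule("tcp", 5432, 5432, "DB-SG")]),
        "DB-SG": SecurityGroup(ingress=[Rule("tcp", 5432, 5432, "Lambda-SG")]),
        "Open-SG": SecurityGroup(egress=[Rule(ANY, 0, 0, "0.0.0.0/0")]),
    }
    enis = {  # 'rogue' and 'lambda_public' exist only to show two denials
        "lambda": Eni("lambda", "10.0.1.10", "Private-Subnet-1", ["Lambda-SG"]),
        "db": Eni("db", "10.0.2.20", "Private-Subnet-2", ["DB-SG"]),
        "rogue": Eni("rogue", "10.0.2.30", "Private-Subnet-2", ["Open-SG"]),
        "lambda_public": Eni("lambda_public", "10.0.0.10", "Public-Subnet", ["Lambda-SG"]),
    }
    public = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
    private = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gw")]
    routes = {"Public-Subnet": public, "Private-Subnet-1": private, "Private-Subnet-2": private}
    return Vpc(enis, sgs, routes, {"nat-gw": "Public-Subnet"})

if __name__ == "__main__":
    v = build_vpc()
    print(can_connect(v.enis["lambda"], "93.184.216.34", "tcp", 443, v))
```

Two points worth noticing when you run the traces: the Lambda-SG needs no inbound rule at all, because the groups are stateful and a Lambda ENI never accepts connections; and the DB group admits the Lambda purely by group reference, so an ENI in the same subnet but outside Lambda-SG is refused without any CIDR bookkeeping. The `lambda_public` case shows that moving the function into the public subnet gives it a working default route but still no internet, since the IGW has no public address to translate for it.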