
I'm migrating from an architecture in which I have a Lambda inside a Private Subnet, talking with a Public Subnet that has a NAT Gateway, triggered by an API Gateway WebSocket. Now I removed the NAT Gateway and inserted a VPC Endpoint with a VPC Link, which I found in this link: https://d1.awsstatic.com/whitepapers/private-api-best-practices.pdf

My VPC endpoint currently has a fully open policy. I didn't use Enable Private DNS Name, because in my VPC there are other projects that talk with API Gateway.

My API Gateway triggered the Lambda, but could not respond to the return message. My Lambda times out.

In my older architecture, my return endpoint was https://{restapi-id}.execute-api.{region}.amazonaws.com/{stage}, and now when I try to respond, it doesn't work with that endpoint.

Do I have to change the Endpoint?

My Security Group and NACL are very open until I finish testing this connection. The VPC Link and the API Gateway Endpoint are configured with the Lambda Subnet and the Lambda Security Group.

Is something missing from VPC Link or VPC Endpoint?

Edit: I enabled logging in API Gateway, and before the Lambda logs it returns:

{
    "requestId": "em-5aGamaDDAdtd=",
    "ip": "",
    "caller": "-",
    "user": "-",
    "requestTime": "30/Apr/2021:17:57:42 +0000",
    "eventType": "MESSAGE",
    "routeKey": "lambda",
    "status": "504",
    "connectionId": "em-5abCDaaDBJtw="
}

And the client receives the message:

{
message: "Endpoint request timed out", connectionId: "enBZ-dFG2oAFDA4a=",…}

connectionId: "em-5abCDaaDBJtw="
message: "Endpoint request timed out"
requestId: "em-5aGamaDDAdtd="
  • If your API Gateway is able to reach the Lambda function, then there is nothing to worry about. I guess your Lambda is not returning within the defined timeout. There is a max limit of 29 seconds on API Gateway to get a response from Lambda; to check this: https://stackoverflow.com/questions/54299958/how-can-i-set-the-aws-api-gateway-timeout-higher-than-30-seconds – Nagaraj Tantri Apr 30 '21 at 14:31
  • I increased the Lambda timeout to 30 seconds but it didn't work. 2021-04-30T14:47:34.987Z b6d3c353-fb01-4d7d-bc71-54f55af4a060 Task timed out after 30.03 seconds The response was: {message: "Endpoint request timed out", connectionId: "emi_0dj1oBSDIcg=",…} connectionId: "emi_0dj1oBSDIcg=" message: "Endpoint request timed out" requestId: "emjBAFACaAMFk7A=" – Leonardo Campanha Apr 30 '21 at 14:53
  • 1
    the max allowed timeout is 29 seconds. If it goes beyond that, it would timeout by default. You can test this by returning a custom message like "Hello-world" and commenting on all the other operations. – Nagaraj Tantri Apr 30 '21 at 15:04
  • Yeah, I did that. The last thing I do in the Lambda is send this message, but it is still returning a timeout. The code does not get past that send-message line. It is finding the endpoint, but it is like the connection is blocked. – Leonardo Campanha Apr 30 '21 at 17:36
  • Can you share your Lambda function? I was referring to just doing nothing but returning hello-world. – Nagaraj Tantri May 01 '21 at 02:09

1 Answer

I found my problem: my VPC Link was missing the connection with the API Gateway. In the AWS::ApiGatewayV2::Integration, I needed to insert the connection of the VPC Link.
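What "inserting the connection of the VPC Link" looks like in a CloudFormation template, as an added illustration that is not the answerer's own template: the `ConnectionType`/`ConnectionId` pairing on the integration is exactly what the answer reports fixing, and the resource names, parameters (`LambdaPrivateSubnetId`, `LambdaSecurityGroupId`, `WebSocketApi`, `LambdaFunction`) and the VPC Link name are assumptions.

```yaml
Resources:
  # VPC Link bound to the same private subnet and security group as the Lambda,
  # matching the asker's setup. Name is an assumed value.
  LambdaVpcLink:
    Type: AWS::ApiGatewayV2::VpcLink
    Properties:
      Name: websocket-lambda-vpc-link
      SubnetIds:
        - !Ref LambdaPrivateSubnetId      # assumed parameter: the Lambda's private subnet
      SecurityGroupIds:
        - !Ref LambdaSecurityGroupId      # assumed parameter: the Lambda's security group

  # Before the fix the integration carried no reference to the VPC Link, so the
  # API Gateway side of the private path was incomplete and the WebSocket route
  # answered with 504 "Endpoint request timed out" (the log shown above).
  # After the fix the integration names the VPC Link explicitly, as the answer
  # describes; the two added properties are the last two lines below.
  LambdaIntegration:
    Type: AWS::ApiGatewayV2::Integration
    Properties:
      ApiId: !Ref WebSocketApi            # assumed: the existing WebSocket API resource
      IntegrationType: AWS_PROXY
      IntegrationUri: !Sub
        - arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${FnArn}/invocations
        - FnArn: !GetAtt LambdaFunction.Arn   # assumed: the existing Lambda resource
      ConnectionType: VPC_LINK
      ConnectionId: !Ref LambdaVpcLink
```

Keeping the VPC Link on the Lambda's own subnet and security group means the reachability check stays inside the VPC, so once the route works the broad security group and NACL rules the asker opened for testing can be narrowed again without touching the integration.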