
I am working on exposing a lambda to the public net with the lambda residing behind an already existing VPC (so I can later on limit the IP range of incoming requests using a security group).

To test that everything works, I set up a small lambda that simply prints hello world. I am running into a problem where the connection is extremely slow. The lambda executes in less than a millisecond, but each curl request to the endpoint runs extremely slowly.

Using curl for diagnostics I have found that:

```
curl -kso /dev/null my-alb-url -w "==============\n\n
| dnslookup: %{time_namelookup}\n
| connect: %{time_connect}\n
| appconnect: %{time_appconnect}\n
| pretransfer: %{time_pretransfer}\n
| starttransfer: %{time_starttransfer}\n
| total: %{time_total}\n
| size: %{size_download}\n
| HTTPCode=%{http_code}\n\n"
```

```
==============


| dnslookup: 0.061576

| connect: 75.256759

| appconnect: 0.000000

| pretransfer: 75.257615

| starttransfer: 75.794737

| total: 75.795154

| size: 28

| HTTPCode=200
```

The load balancer:

  1. is connected to two availability zones that are both public facing
  2. forwards to a target group containing only my lambda
  3. is linked with a security group that allows all inbound and outbound traffic

To make things more confusing, this is not an issue on every request but it is seemingly random.

What would be the best way to debug this issue?

Marc
    I would start by checking the VPC flow logs to see if there are any dropped packets or network latency issues. VPC flow logs are not enabled by default. You'll need to enable them manually. –  Jan 30 '23 at 16:54
  • Did you create VPC connections for the Lambda in _both_ AZs? – Seth E Jan 30 '23 at 17:28
  • Not an answer to why this is slow, but as an alternative solution have you considered [Lambda URL](https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html)? – Seth E Jan 30 '23 at 17:30
    @SethE I did look into Lambda URLs but AFAIK it's not possible to place it behind a VPC. I would like to set up Inbound rules so only a subset of known IPs can access the lambda. – Marc Jan 30 '23 at 17:50
  • You are going to a lot of trouble and expense if your requirement is to simply limit by IP address. You could use a Lambda URL to trigger the function. The `sourceIp` will be provided to the function and you could filter the IP address within your code. Even if this invokes additional Lambda functions, it will be lower-cost than running a Load Balancer. – John Rotenstein Jan 31 '23 at 01:46
  • @JohnRotenstein that is a potential solution but it wouldn't protect against a DDOS attack from someone getting a hold of it. – Marc Jan 31 '23 at 17:16
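The curl timing breakdown from the question, turned into a repeatable probe (an added example, not code from the question or the answer): it issues a series of requests and names the phase (DNS, TCP connect, TLS, first byte) that exceeded a threshold, which is what separates an intermittent connect stall like the 75 s above from a slow Lambda or slow DNS. It assumes curl and awk are installed; the URL, request count and threshold are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the question or answer): repeat the curl timing
# probe and name the phase that stalled, so an intermittent problem like the
# 75 s connect above can be told apart from slow DNS, TLS or a slow backend.
# Assumes curl and awk are on PATH; URL, count and threshold come from the caller.

# Same curl timing variables as the question, space-separated for parsing.
CURL_FMT='%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total} %{http_code}'

# classify_timing NAMELOOKUP CONNECT APPCONNECT PRETRANSFER STARTTRANSFER TOTAL THRESHOLD
# curl's values are cumulative timestamps, so each phase is a delta from the
# previous one. Prints the slowest phase if it exceeds THRESHOLD seconds, else "ok".
classify_timing() {
  awk -v nl="$1" -v c="$2" -v ac="$3" -v pt="$4" -v st="$5" -v thr="$7" 'BEGIN {
    dns  = nl
    tcp  = c - nl                 # TCP handshake (the 75 s in the question)
    tls  = (ac > 0) ? ac - c : 0  # appconnect is 0 for plain HTTP
    ttfb = st - pt                # waiting on the backend (ALB -> Lambda)
    worst = "dns"; w = dns
    if (tcp  > w) { worst = "tcp-connect"; w = tcp }
    if (tls  > w) { worst = "tls";         w = tls }
    if (ttfb > w) { worst = "first-byte";  w = ttfb }
    if (w > thr) print worst; else print "ok"
  }'
}

# probe_url URL [COUNT] [THRESHOLD_SECONDS]
# Runs COUNT requests and prints one line per request with the verdict,
# so a randomly occurring stall shows up as an outlier in the series.
probe_url() {
  url=$1; count=${2:-20}; thr=${3:-2}
  i=1
  while [ "$i" -le "$count" ]; do
    # --connect-timeout bounds a stalled handshake instead of hanging for minutes;
    # curl still emits the -w timings on failure, so keep whatever it printed.
    line=$(curl -kso /dev/null --connect-timeout 30 -w "$CURL_FMT" "$url" || true)
    set -- $line
    verdict=$(classify_timing "$1" "$2" "$3" "$4" "$5" "$6" "$thr")
    printf '%s http=%s connect=%ss total=%ss -> %s\n' "$i" "$7" "$2" "$6" "$verdict"
    i=$((i + 1))
  done
}

# Usage: probe_url https://my-alb-url 20 2
```

A run where most lines read `ok` and a few read `tcp-connect` points at the path in front of the target (subnet/route/AZ wiring), not at the function itself.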

1 Answer


I managed to resolve it but I am not entirely sure how.

I triple checked the subnet setup and just redid the setup again. 10 minutes later and now it works as intended. My suspicion is that one of the AZs linked to the wrong subnet.

Marc