
I have a Lambda Function running in EU-WEST-2. The function is running in a VPC and it is attempting to access a MemoryDB cluster running in US-EAST-2. However, it fails to connect.

The Lambda Function is running in a subnet that can route from the VPC in EU-WEST-2 to the VPC in US-EAST-2 (using VPC peering).

I have run a VM in the same subnet in EU-WEST-2, installed Redis-CLI and it is able to connect.

Running the "Reachability Analyzer" from the Lambda interface to the MemoryDB interface shows no issues.

Starting a MemoryDB Cluster in EU-WEST-2 allows the same Lambda function to connect.

Therefore, having checked all (or maybe not?) possible KNOWN scenarios, I'm starting to wonder if this scenario isn't allowed/blocked somehow?

Is this a valid/supported scenario?


```javascript
const Redis = require('ioredis');

// Cluster client seeded from the redisClusterURI env var; the no-op dnsLookup makes ioredis use node addresses exactly as the cluster advertises them.
const redisClient = new Redis.Cluster(
    [{ host: process.env.redisClusterURI, port: 6379 }],
    {
        dnsLookup: (address, callback) => callback(null, address),
        redisOptions: { tls: true },
        slotsRefreshTimeout: 5000,
        slotsRefreshInterval: 300000
    }
);

// Server-side Lua script: sum the numeric values of every key matching the pattern in KEYS[1].
redisClient.defineCommand('getSensitive', {
    numberOfKeys: 1,
    lua: "local sum = 0; local matches = redis.call('KEYS', KEYS[1]); " +
         "for _,key in ipairs(matches) do local val = redis.call('GET', key) sum = sum + tonumber(val) end; " +
         "return tostring(sum);"
});

// Logging is active only when the enableLogging environment variable is "1".
const log = async (o, e) => {
    '1' === process.env.enableLogging && (e ? console.error(o) : console.log(o));
};

// Connectivity check: PING the cluster and report whether PONG came back.
const testRedis = async () => {
    let t;
    try { t = await redisClient.ping(); } catch (e) { await log(e, true); }
    return t === 'PONG';
};

exports.streamhandler = async () => {
    const redisTestSuccess = await testRedis();
    if (redisTestSuccess) {
        await log('Redis connected.');
        let sensitiveData;
        try { sensitiveData = await redisClient.getSensitive('**sensitive**'); } catch (e) { await log(e, false); }
        // Do things with the response
    } else {
        await log('Redis not connected.');
    }
};
```
  • Does the security group on the MemoryDB cluster allow the entire CIDR block of the EU-WEST-2 VPC? – Mark B May 12 '23 at 17:29
  • Thanks for the response. Yes, it does, the entire EU-WEST-2 VPC is allowed into the SG on the MemoryDB Cluster. –  May 12 '23 at 17:32
  • You could also check the Network ACL rules on both VPCs, but if it works from an EC2 instance, then that shouldn't be an issue. You've done every debugging step I can think of. – Mark B May 12 '23 at 17:37
  • Thanks for the help. I've seen a few GitHub Issues where "same VPC" is underlined or in italics but I'm struggling to see how/why it would be blocked. –  May 12 '23 at 17:42
  • Interesting that [this doc](https://docs.aws.amazon.com/memorydb/latest/devguide/memorydb-vpc-accessing.html) indicates that "If the cluster and EC2 instance are in different VPCs but in the same region, you can use VPC peering. If the cluster and the EC2 instance are in different regions, you can create VPN connectivity between regions." Doesn't say that cross-region VPC peering won't work here, but leads the reader towards VPN. – jarmod May 12 '23 at 17:54
  • Thanks for the response. I'm reluctant to change our region-region networking setup just to test this. Over the weekend, we added logic to test the connection to the Redis Cluster using PING-PONG and only proceed if the response is valid. This test succeeds but then running the LUA script responds with "ClusterAllFailedError: Failed to refresh slots cache.". I have added the code above. I'm still at a loss! –  May 15 '23 at 10:33
  • Solved it. Turns out it wasn't to do with Redis, the DynamoDb call later on was timing out. Adding the DynamoDb Endpoint to the VPC solved the timeout. Must add more logging from now on.... –  May 16 '23 at 10:21
