
I have a lambda function that simply does an http.get to http://www.google.com. If I don't have the function behind a VPC, it works fine. The trouble happens when I put it in my VPC.

I know you need to set up an Internet Gateway. I did this. My two subnets are attached to route tables that route 0.0.0.0/0 to this Internet Gateway. Shouldn't that be all I need?

The function still hangs regardless of the Internet Gateway's association. The subnet's security group allows All Traffic out to 0.0.0.0/0.

According to "Grant Internet Access to a VPC Lambda Function", that is everything I should need to do.

Edit:

Adding full list of VPC components to be clear.

  • Created a new VPC (vpc-09*)
  • Created a new subnet (subnet-05*) pointing to my new:
  • route table, (rtb-0b). I see subnet-05* under Subnet Associations. Under Routes, I see Destination 0.0.0.0/0 linked to the Target of
  • a new NAT Gateway (nat-08*). This NAT Gateway has an Elastic IP Address and a Private IP Address. It resides in the correct Subnet. The status is Available.
  • Additionally, I created a new Security Group for the Lambda function. This contains one Outbound Rule for "All traffic" with Destination 0.0.0.0/0

As far as I can tell, I've done absolutely everything in that AWS Documentation link to provide my Lambda with internet access. Yet, it still hangs forever when trying to make a request to the outside internet.

  • "It resides in the correct Subnet" Are you sure? The NAT Gateway goes in subnet X, with default route to the Internet Gateway. The Lambda function must then be associated with subnet Y, with default route to the NAT Gateway. Commented Jun 14, 2019 at 0:27
  • Yes, you need both, because NAT Gateways have to be located on a public subnet. That's how they reach the Internet, via the Internet Gateway. NAT Gateways aren't located on the same subnet(s) that they serve. Commented Jun 14, 2019 at 0:35
  • This might be useful: serverfault.com/a/854551/153161 Commented Jun 14, 2019 at 0:36
  • The Lambda function points to one or more subnets whose default route is the NAT Gateway. The NAT Gateway is on a different subnet, whose default route is the Internet Gateway. Commented Jun 14, 2019 at 0:53
  • The second subnet for Lambda would need to be a second private subnet, so that would be 3 total. Unless your RDS instance is Multi-AZ, and you're designing for high availability, the warning can be disregarded. Commented Jun 14, 2019 at 1:08

1 Answer

You're almost there. The link that you've provided addresses your issue directly:

If your function also requires internet access (for example, to reach a public AWS service endpoint), your function must use a NAT gateway or instance

You're missing this:

Your VPC should contain a NAT gateway or instance in a public subnet.

This means that without a NAT, your Lambdas won't be able to access the internet - even though "they are" in a public subnet. This is how lambda fundamentally works in VPCs.

The exact same link that you provided instructs you on how to create this NAT Gateway alongside your VPCs and Lambdas.

Complementing the answer, the reason you would need a NAT Gateway in this scenario is:

... you can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances...

Extracted from the AWS docs


Keep in mind: If you need your lambdas to access only the internet, and not any other resource in the same VPC, I recommend making them non-VPC; then they'll have internet access out of the box, and you won't pay for the cost of NATs.


5 Comments

My lambda must access RDS and S3, so it must be in a VPC. I've stubbed out all that code and am only trying to get the http.get to work. I created a new VPC, a new subnet, a new NAT Gateway, linked them all, assigned it to the lambda function, and it still hangs.
I think you might be missing one step in this whole list of configuration and attachments - could you edit your question to explicitly share your setup? If you're using CloudFormation, it would be even better.
Edited my original post to contain all of the components of my setup. Not using CloudFormation for this, I think...
This is the correct answer. Adding a NAT Gateway didn't originally work because I didn't understand the concept of two separate subnets (one for private and one for public) where one routes traffic to a NAT Gateway, and the other routes traffic to an Internet Gateway. You need both, and you need the lambda function to point to the private one. If you only use one subnet, Lambda will whine about High Availability but I don't care about that so I'll just leave the warning.
Yeah, AWS defines that HA is necessary - but that should be only for production environments or products that you can stay cool with your services being down for a predetermined amount of time. Also, I've added more info on the NAT subject!
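The route chain that the comments and the answer describe (Lambda subnet -> NAT Gateway -> public subnet -> Internet Gateway) is easy to get subtly wrong, as the asker's single-subnet layout shows. Below is an added diagnostic example, not part of the original post and not AWS tooling: it follows the 0.0.0.0/0 route from the function's subnet the way the EC2 API reports it and says where the chain breaks. The dictionaries mirror the shape of boto3's `describe_route_tables` and `describe_nat_gateways` responses so real output can be fed in; the IDs, CIDR blocks and both topologies are constructed here to reproduce the asker's one-subnet setup and the corrected two-subnet setup.

```python
"""Trace the default route from a VPC Lambda's subnet to an Internet Gateway.

Added example (not from the original post). Input dicts follow the key names
used by boto3's ec2.describe_route_tables()["RouteTables"] and
ec2.describe_nat_gateways()["NatGateways"]; all IDs below are constructed.
"""


def _route_table_for(subnet_id, route_tables):
    """Return the route table explicitly associated with subnet_id.

    Assumption: every subnet of interest has an explicit association; the
    fallback to the VPC's main route table is deliberately not modelled.
    """
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
    return None


def _default_target(rtb):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # The EC2 API reports the target under one of several keys.
        return (route.get("GatewayId") or route.get("NatGatewayId")
                or route.get("InstanceId"))
    return None


def trace_default_route(lambda_subnet_id, route_tables, nat_gateways):
    """Follow 0.0.0.0/0 hops from the Lambda subnet.

    Returns ("ok", path) when the chain ends at an IGW reached via a NAT,
    otherwise ("error", reason).
    """
    nats = {n["NatGatewayId"]: n for n in nat_gateways}
    subnet, path, seen = lambda_subnet_id, [lambda_subnet_id], set()
    while True:
        if subnet in seen:
            # e.g. a NAT placed in the very subnet that routes to it
            return ("error", "routing loop through " + " -> ".join(path))
        seen.add(subnet)
        rtb = _route_table_for(subnet, route_tables)
        if rtb is None:
            return ("error", f"{subnet} has no explicitly associated route table")
        target = _default_target(rtb)
        if target is None:
            return ("error", f"{rtb['RouteTableId']} has no 0.0.0.0/0 route")
        path.append(target)
        if target.startswith("igw-"):
            if subnet == lambda_subnet_id:
                # Lambda ENIs never get a public IP, so an IGW route from the
                # function's own subnet is a dead end; it needs a NAT hop.
                return ("error", "Lambda subnet routes straight to an IGW; "
                        "Lambda ENIs have no public IP, route it to a NAT instead")
            return ("ok", " -> ".join(path))
        if target.startswith("nat-"):
            nat = nats.get(target)
            if nat is None:
                return ("error", f"{target} is not a known NAT gateway")
            if nat.get("State") != "available":
                return ("error", f"{target} is in state {nat.get('State')}")
            subnet = nat["SubnetId"]
            path.append(subnet)
            continue
        return ("error", f"unsupported 0.0.0.0/0 target {target}")


# Constructed: the asker's layout, one subnet whose route table points at a
# NAT gateway that itself lives in that same subnet.
BROKEN_RTBS = [
    {"RouteTableId": "rtb-0b", "Associations": [{"SubnetId": "subnet-05"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-08"}]},
]
BROKEN_NATS = [{"NatGatewayId": "nat-08", "SubnetId": "subnet-05", "State": "available"}]

# Constructed: the corrected layout from the answer and comments; the Lambda
# goes in subnet-private, the NAT gateway in subnet-public.
FIXED_RTBS = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-08"}]},
]
FIXED_NATS = [{"NatGatewayId": "nat-08", "SubnetId": "subnet-public", "State": "available"}]


if __name__ == "__main__":
    print("asker's setup:  ", trace_default_route("subnet-05", BROKEN_RTBS, BROKEN_NATS))
    print("lambda private: ", trace_default_route("subnet-private", FIXED_RTBS, FIXED_NATS))
    print("lambda public:  ", trace_default_route("subnet-public", FIXED_RTBS, FIXED_NATS))
```

Running it against a real account means replacing the constructed lists with `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_nat_gateways()["NatGateways"]` and passing one of the subnet IDs from the function's VPC configuration. The third call reproduces the mistake from the first comment on the question: putting the function in the public subnet is reported as an error even though that subnet does route to the IGW.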
