2
votes

I am trying to enable my VPC lambda function for ElastiCache to access DynamoDB. I know that for this, I need to set up a NAT gateway. However, I am not able to make it work. My private subnet is in the 172.31.* range.

These are the steps I am following:

  1. Create a public subnet with an IP range in 10.0.0.0.
  2. Create a public VPC in the same IP range mentioned above.
  3. Create a public Internet gateway in the public VPC.
  4. Create a public route table, which is not the main route table, and attach the public subnet to it. Then, add a route for 0.0.0.0/0 to the public Internet gateway created above.
  5. Create a NAT gateway in the public subnet. This NAT gets an Elastic IP and a private IP in the 10.*.*.* range.

Now I have 3 route tables, two for my public subnets (10.0.0.0) and one existing one for my private subnet (172.31.0.0), which is part of my private VPC.

My private route table has a route for 0.0.0.0/0 to my private Internet gateway.

I think I need to change this route to point to my public NAT gateway; however, I am unable to do so, as the private IP of my NAT lies in the 10.0.0.0 range, I guess. I am confused at this point on how to proceed. I tried creating a NAT gateway in the private subnet and forwarding the route to it, but it doesn't work either. What am I missing?

2
Your private subnet's default route should point to the NAT Gateway ID, not the Internet Gateway. (Michael - sqlbot)
As I mentioned, my private subnet is not showing my NAT in the list of options to forward to. (Adi)
Just don't use ElastiCache alongside DynamoDB until Amazon releases a good solution for this, as it's incredibly painful to configure it properly right now. We ended up using redislabs.com for our lambdas. (Dušan Brejka)

2 Answers

0
votes

Silly, but are you by any chance mixing up the default VPC (172.31...) and the VPC you created (10.0...)? So, if you are seeing the route table for the default VPC, it is actually for the default subnet(s), which are public, by the way!

0
votes

The mistake I was making was creating two VPCs, one for the private subnet and one for the public. AWS VPCs cannot communicate with each other unless peering is enabled.

The notion of private and public subnets is ambiguous at first for a person from a networking background. All it actually means is the logical subnet which will have resources accessible from the internet (like web servers) versus local resources like a database server (which should be protected from the internet).
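As an added illustration (not code from the question or either answer), the checker below models the pieces discussed on this page as plain dicts and explains why a private subnet's egress works or fails: default route to an IGW instead of a NAT gateway, a NAT gateway in a different VPC with no peering, or a NAT gateway placed in a subnet with no IGW route. All IDs and layouts are constructed for the example.

```python
# Added example, not from the question or either answer: an offline checker that
# models VPCs, subnets, route tables and NAT gateways as plain dicts and reports
# why a private subnet's egress fails. Every ID here is constructed, not real.
def check_private_egress(subnet_id, subnets, route_tables, nat_gateways):
    """Return a list of findings for a private subnet; empty means its default
    route reaches a NAT gateway that can itself reach the internet."""
    sn = subnets[subnet_id]
    target = route_tables[sn["rtb"]].get("0.0.0.0/0")
    if target is None:
        return ["%s has no 0.0.0.0/0 route" % sn["rtb"]]
    if target.startswith("igw-"):
        return ["default route points at %s; a private subnet needs a NAT gateway" % target]
    if not target.startswith("nat-"):
        return ["default route target %s is not a NAT gateway" % target]
    nat_sn = subnets[nat_gateways[target]]
    findings = []
    # A NAT gateway in a different VPC is unreachable unless the VPCs are peered.
    if nat_sn["vpc"] != sn["vpc"]:
        findings.append("%s is in %s but the subnet is in %s: no peering" % (target, nat_sn["vpc"], sn["vpc"]))
    # The NAT gateway must sit in a public subnet, i.e. its own default route -> IGW.
    nat_egress = route_tables[nat_sn["rtb"]].get("0.0.0.0/0", "")
    if not nat_egress.startswith("igw-"):
        findings.append("%s sits in a subnet whose default route is %r, not an internet gateway" % (target, nat_egress))
    return findings

# Constructed topology 1: the layout from the question. Two VPCs, the private
# subnet's default route goes to an IGW, and the NAT gateway lives in the other VPC.
BROKEN_SUBNETS = {
    "subnet-priv": {"vpc": "vpc-default", "rtb": "rtb-priv"},  # 172.31.x default VPC
    "subnet-pub": {"vpc": "vpc-new", "rtb": "rtb-pub"},        # 10.0.x VPC created later
}
BROKEN_ROUTES = {"rtb-priv": {"0.0.0.0/0": "igw-default"}, "rtb-pub": {"0.0.0.0/0": "igw-new"}}
NAT_GATEWAYS = {"nat-a": "subnet-pub"}  # NAT gateway ID -> subnet it was created in

# Constructed topology 2: one VPC; the public subnet routes to the IGW and the
# private subnet routes to the NAT gateway that lives in that public subnet.
FIXED_SUBNETS = {
    "subnet-priv": {"vpc": "vpc-new", "rtb": "rtb-priv"},
    "subnet-pub": {"vpc": "vpc-new", "rtb": "rtb-pub"},
}
FIXED_ROUTES = {"rtb-priv": {"0.0.0.0/0": "nat-a"}, "rtb-pub": {"0.0.0.0/0": "igw-new"}}

if __name__ == "__main__":
    # "retargeted" is the two-VPC layout with the private default route moved to
    # the NAT gateway: still broken, now for the cross-VPC reason.
    for name, sn, rt in [("broken", BROKEN_SUBNETS, BROKEN_ROUTES),
                         ("retargeted", BROKEN_SUBNETS, FIXED_ROUTES),
                         ("fixed", FIXED_SUBNETS, FIXED_ROUTES)]:
        print(name, check_private_egress("subnet-priv", sn, rt, NAT_GATEWAYS) or ["ok"])
```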