1 vote

I have two VPCs in AWS. ElastiCache is in one of the VPCs. I also have a Lambda that needs to access the ElastiCache. I have attached the following policies to the Lambda to access the ElastiCache.

  1. AWSLambdaVPCAccessExecutionRole (as per mentioned here: https://docs.aws.amazon.com/lambda/latest/dg/vpc-ec-create-iam-role.html)

  2. AmazonElastiCacheFullAccess

But I still cannot connect to the ElastiCache endpoint from the Lambda. It is throwing the following error:

Task timed out after 63.06 seconds

Essentially indicating it failed to connect. But any EC2 instance within the VPC can connect to the ElastiCache.

abigperson: Did you launch your Lambda function into the same VPC as ElastiCache? The AWSLambdaVPCAccessExecutionRole allows the Lambda to create an ENI to communicate with other resources in your VPC, but you need to configure your Lambda function within the VPC as well: docs.aws.amazon.com/lambda/latest/dg/vpc.html Also, worth noting, if you need to access non-VPC resources you will need to set up a NAT gateway.

sjishan: @abigperson No, it's in a different VPC, and it needs to be that way. Is it possible to access a resource from another VPC?

abigperson: I've never set this up before, but perhaps this will help: docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html It looks like it should be possible...

Woootiness: Did you ever get to fix your issue? I'm having the same problem :)

3 Answers

1 vote

AWS Lambda uses elastic network interfaces (ENIs) that enable your function to connect securely to other resources. As you mentioned, the Lambda function is running in your VPC, not in the AWS-managed VPC. I recommend performing the couple of checks below, since these could cause connectivity issues between Lambda and ElastiCache (EC).

IAM Role: Make sure the IAM role has the required permissions to access the other VPC's resources.

Network: Verify that the network access control lists (ACLs) of both VPC subnets allow traffic on the port you are connecting to, and check the Lambda security group as well.

0 votes

Your Lambda function has no route to access the ElastiCache VPC. Assuming the VPC CIDRs do not overlap:

  1. If the VPCs are in the same region, you can create a VPC peering connection between the VPCs. The routing table entry to create a route between the VPCs will be automatically added when you create a peering connection. See: VPC Peering
  2. If the VPCs are in different regions, check Does AWS offer inter-region / cross region VPC Peering? and if peering is available, you can create a peering connection just like #1.
  3. If the VPCs are in different regions and peering connections are not supported, then you have to have a VPN in each VPC and route the traffic through the VPN.
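As an added example (not code from any of the answers), the checks from this answer and the previous one, a route from the Lambda subnet to the cache VPC and a cache security group rule for that subnet, written as an offline Python diagnostic over constructed data shaped like boto3 describe_route_tables()/describe_security_groups() output. All CIDRs, ids and the port are placeholders, not values from the question.

```python
import ipaddress

# Constructed sample data shaped like boto3 describe_route_tables() /
# describe_security_groups() output; CIDRs, ids and port are placeholders.
LAMBDA_SUBNET_CIDR = "10.0.1.0/24"   # subnet the Lambda ENIs are placed in (VPC-A)
CACHE_NODE_IP = "10.1.5.20"          # ElastiCache node address in VPC-B
CACHE_PORT = 6379
ROUTE_TABLE_NO_PEERING = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
ROUTE_TABLE_PEERED = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-EXAMPLE"}]}
CACHE_SG_LOCAL_ONLY = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]}
CACHE_SG_ALLOWS_LAMBDA = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
     "IpRanges": [{"CidrIp": "10.1.0.0/16"}, {"CidrIp": "10.0.1.0/24"}]}]}

def route_for(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does; None when no route covers dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in route_table["Routes"]
            if ip in ipaddress.ip_network(r["DestinationCidrBlock"])]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)

def sg_allows(sg, src_cidr, port):
    """True if some inbound rule covers the TCP port for the whole source subnet."""
    src = ipaddress.ip_network(src_cidr)
    for perm in sg["IpPermissions"]:
        proto_ok = perm["IpProtocol"] == "-1" or (
            perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])
        cidr_ok = any(src.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                      for r in perm["IpRanges"])
        if proto_ok and cidr_ok:
            return True
    return False

def diagnose(route_table, cache_sg, src_cidr=LAMBDA_SUBNET_CIDR,
             dst_ip=CACHE_NODE_IP, port=CACHE_PORT):
    """Return the reasons a connect() from the Lambda subnet would hang; [] means open."""
    problems = []
    if route_for(route_table, dst_ip) is None:
        problems.append("no route to the cache CIDR: add a peering/VPN route to the Lambda subnet's route table")
    if not sg_allows(cache_sg, src_cidr, port):
        problems.append(f"cache security group has no inbound tcp/{port} rule covering {src_cidr}")
    return problems

if __name__ == "__main__":
    for p in diagnose(ROUTE_TABLE_NO_PEERING, CACHE_SG_LOCAL_ONLY):
        print("timeout cause:", p)
```

With the unpeered route table and the VPC-B-only security group it reports both causes of the timeout; with the peered table and the widened rule it returns an empty list.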

0 votes

Let's say lambda-A needs access to the ElastiCache in a different VPC (VPC-B).

Options:

  1. You can create another lambda-B in your VPC-B, and let your lambda-A call lambda-B, which then calls ElastiCache.
  2. Create a NAT instance in the same VPC as your cache cluster but in a public subnet.
  3. Use VPC peering.

Ref: https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/accessing-elasticache.html