0
votes

I am trying to set up a basic .NET Core 2.1 Lambda function that can access private VPC web APIs as well as public Internet web APIs. However, as soon as the function is associated with a VPC, it can no longer access the public Internet.

I tried the following (based on this YouTube tutorial):

  • Created a new private subnet with CIDR block 172.18.10.0/24.
  • Created a new NAT gateway, associated it with a public subnet that is already included in a route table with an Internet gateway at 0.0.0.0/0, and created a new EIP for the NAT gateway.
  • Created a new route table, added Destination 0.0.0.0/0 to the NAT gateway and associated the route table with the newly created private subnet.

In the Lambda function:

  • Added function to the VPC.
  • Added function to the newly created private subnet.
  • Added security group with the following: Inbound Port 0 - 65535, Outbound Ports All Destination 0.0.0.0/0.

Here is the Lambda function I am testing:

using System.Net.Http;
using System.Net;
using System;

using Amazon.Lambda.Core;
using Amazon.Lambda.SQSEvents;

// Assembly attribute to enable the Lambda function's JSON input to be converted into a .NET class.
[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.Json.JsonSerializer))]

namespace MyFunction
{
    public class Function
    {
        public void FunctionHandler(SQSEvent sqsEvent, ILambdaContext context)
        {
            using (HttpClient client = new HttpClient())
            {
                Console.WriteLine($"Sending HTTP request.");
                HttpResponseMessage response = client.GetAsync($"http://dummy.restapiexample.com/api/v1/employee/18677").Result;
                Console.WriteLine($"Response received.");
                var content = response.Content.ReadAsStringAsync().Result;
                Console.WriteLine($"Response content: {content}");
            }
        }
    }
}

When triggering this function, the output is the following:

Sending HTTP request.
One or more errors occurred. (Resource temporarily unavailable): AggregateException 
  at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification) 
  at MyFunction.Function.FunctionHandler(SQSEvent sqsEvent, ILambdaContext context) 
  in C:\__temp__\basic_lambda_func\Function.cs:line 20 at System.

When the Lambda function is not on the VPC it works fine. Any ideas what might be causing the issues on the VPC?

3

3 Answers

0
votes

Double-check the route table towards the Internet Gateway. The IGW is responsible for outbound connections to the Internet.

How can I grant internet access to my VPC Lambda function?

0
votes

For me, more often than not, VPC issues are related to something I missed or overlooked. That is why I created the following image:


Double and triple check the following:

  1. The lambda subnets (the ones that will be used for the lambda functions) are associated with a "private" routing table
  2. The private routing table should have a destination to a NAT Gateway (I assume a NAT Instance will work for this scenario, but I have never tried it)
  3. The NAT must be in a public subnet
  4. The public subnet must be associated with a "public" routing table
  5. The public routing table should have a destination to an Internet Gateway

If you are able to invoke the function, but it stalls when making network calls, this is usually a problem with the security groups (source and/or destination) or a missing endpoint (when using AWS services if you are not using a NAT Gateway).

While this is surely not an answer to your question, I hope it helps you troubleshoot what is going on.
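The five-point checklist above (and the NAT/route-table setup described in the question) can be walked mechanically. The following is an added example, not code from the question or either answer: an offline checker that models route tables, NAT gateways and security-group egress and reports which of the checks a Lambda subnet fails. All IDs (rtb-public, nat-example, igw-example, sg-lambda, subnet-lambda) and the `Vpc`/`RouteTable` classes are constructed for the example; a real run would fill the same structures from `describe-route-tables`, `describe-nat-gateways` and `describe-security-groups` output. It also covers one edge case the checklist only implies: a subnet with no explicit association silently falls back to the VPC's main route table, which is usually the public one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RouteTable:
    rt_id: str
    routes: Dict[str, str]                  # destination CIDR -> target ("local", "igw-...", "nat-...")
    subnet_ids: List[str] = field(default_factory=list)  # explicit subnet associations
    main: bool = False                      # the VPC main table catches unassociated subnets


@dataclass
class Vpc:
    route_tables: List[RouteTable]
    nat_gateway_subnet: Dict[str, str]      # "nat-..." -> subnet the NAT gateway lives in
    sg_egress_cidrs: Dict[str, List[str]]   # "sg-..." -> allowed egress destinations


def route_table_for(vpc: Vpc, subnet_id: str) -> Optional[RouteTable]:
    """Explicit association wins; otherwise the main route table applies (AWS semantics)."""
    for rt in vpc.route_tables:
        if subnet_id in rt.subnet_ids:
            return rt
    return next((rt for rt in vpc.route_tables if rt.main), None)


def default_route(rt: Optional[RouteTable]) -> Optional[str]:
    return rt.routes.get("0.0.0.0/0") if rt else None


def check_lambda_internet_path(vpc: Vpc, lambda_subnets: List[str], lambda_sgs: List[str]) -> List[str]:
    """Return a list of problems; an empty list means every check in the answer passes."""
    problems: List[str] = []
    for subnet in lambda_subnets:
        rt = route_table_for(vpc, subnet)
        target = default_route(rt)
        if target is None:
            problems.append(f"{subnet}: no 0.0.0.0/0 route in its route table (checks 1-2)")
            continue
        if target.startswith("igw-"):
            # Lambda ENIs never get a public IP, so a direct IGW route gives no Internet access.
            problems.append(f"{subnet}: 0.0.0.0/0 -> {target}; a Lambda subnet must route via a NAT, "
                            f"not an Internet gateway (check 2)")
            continue
        if not target.startswith("nat-"):
            problems.append(f"{subnet}: 0.0.0.0/0 -> {target} is not a NAT gateway (check 2)")
            continue
        nat_subnet = vpc.nat_gateway_subnet.get(target)
        if nat_subnet is None:
            problems.append(f"{subnet}: {target} does not exist (check 2)")
            continue
        if nat_subnet == subnet:
            problems.append(f"{target} sits in the Lambda subnet {subnet} itself; it must be in a public subnet (check 3)")
        nat_target = default_route(route_table_for(vpc, nat_subnet))
        if not (nat_target or "").startswith("igw-"):
            problems.append(f"{target} in {nat_subnet}: that subnet's route table does not send "
                            f"0.0.0.0/0 to an Internet gateway (checks 3-5)")
    for sg in lambda_sgs:
        if "0.0.0.0/0" not in vpc.sg_egress_cidrs.get(sg, []):
            problems.append(f"{sg}: no egress rule to 0.0.0.0/0")
    return problems


# Constructed topology modelled on the question: a private Lambda subnet routed through a NAT
# gateway that lives in a public subnet whose route table points at an Internet gateway.
GOOD_VPC = Vpc(
    route_tables=[
        RouteTable("rtb-public", {"172.18.0.0/16": "local", "0.0.0.0/0": "igw-example"},
                   subnet_ids=["subnet-public"], main=True),
        RouteTable("rtb-private", {"172.18.0.0/16": "local", "0.0.0.0/0": "nat-example"},
                   subnet_ids=["subnet-lambda"]),
    ],
    nat_gateway_subnet={"nat-example": "subnet-public"},
    sg_egress_cidrs={"sg-lambda": ["0.0.0.0/0"]},
)

# Same VPC, but the private table was never associated with the Lambda subnet, so the subnet
# falls back to the main (public) table: the "something I missed" case.
UNASSOCIATED_VPC = Vpc(
    route_tables=[
        RouteTable("rtb-public", {"172.18.0.0/16": "local", "0.0.0.0/0": "igw-example"},
                   subnet_ids=["subnet-public"], main=True),
        RouteTable("rtb-private", {"172.18.0.0/16": "local", "0.0.0.0/0": "nat-example"}),
    ],
    nat_gateway_subnet={"nat-example": "subnet-public"},
    sg_egress_cidrs={"sg-lambda": ["0.0.0.0/0"]},
)

if __name__ == "__main__":
    for name, vpc in (("good", GOOD_VPC), ("unassociated", UNASSOCIATED_VPC)):
        print(name, check_lambda_internet_path(vpc, ["subnet-lambda"], ["sg-lambda"]) or "OK")
```

The checker deliberately stops at the first broken link for a given subnet, because every later check depends on the earlier one (there is no NAT to inspect if the default route never reaches one); the security-group egress check is independent and always runs. It does not cover the DNS angle raised in the accepted answer, which depends on VPC-specific resolver configuration the page does not describe.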

0
votes

This ended up being a DNS issue. There was some DNS configuration in the VPC that I was unaware of originally. Turns out the Lambda function had to include another security group so that DNS would resolve properly. Thank you to the other responses for the debugging advice.