3
votes

I have a lambda function that simply does an http.get to http://www.google.com. If I don't have the function behind a VPC, it works fine. The trouble happens when I put it in my VPC.

I know you need to set up an Internet Gateway. I did this. My two subnets are attached to route tables that route 0.0.0.0/0 to this Internet Gateway. Shouldn't that be all I need?

The function still hangs regardless of the Internet Gateway's association. The subnet's security group allows All Traffic out to 0.0.0.0/0.

According to "Grant Internet Access to a VPC Lambda Function", that is everything I should need to do.

Edit:

Adding full list of VPC components to be clear.

  • Created a new VPC (vpc-09*)
  • Created a new subnet (subnet-05*) pointing to my new:
  • route table (rtb-0b). I see subnet-05* under Subnet Associations. Under Routes, I see Destination 0.0.0.0/0 linked to the Target of
  • a new NAT Gateway (nat-08*). This NAT Gateway has an Elastic IP Address and a Private IP Address. It resides in the correct Subnet. The status is Available.
  • Additionally, I created a new Security Group for the Lambda function. This contains one Outbound Rule for "All traffic" with Destination 0.0.0.0/0.

As far as I can tell, I've done absolutely everything in that AWS Documentation link to provide my Lambda with internet access. Yet, it still hangs forever when trying to make a request to the outside internet.

1
"It resides in the correct Subnet" Are you sure? The NAT Gateway goes in subnet X, with default route to the Internet Gateway. The Lambda function must then be associated with subnet Y, with default route to the NAT Gateway. (Michael - sqlbot)
Yes, you need both, because NAT Gateways have to be located on a public subnet. That's how they reach the Internet, via the Internet Gateway. NAT Gateways aren't located on the same subnet(s) that they serve. (Michael - sqlbot)
The Lambda function points to one or more subnets whose default route is the NAT Gateway. The NAT Gateway is on a different subnet, whose default route is the Internet Gateway. (Michael - sqlbot)
The second subnet for Lambda would need to be a second private subnet, so that would be 3 total. Unless your RDS instance is Multi-AZ, and you're designing for high availability, the warning can be disregarded. (Michael - sqlbot)

1 Answers

5
votes

You're almost there. The link that you've provided addresses your issue directly:

If your function also requires internet access (for example, to reach a public AWS service endpoint), your function must use a NAT gateway or instance

You're missing this:

Your VPC should contain a NAT gateway or instance in a public subnet.

This means that without a NAT, your Lambdas won't be able to access the internet - even though "they are" in a public subnet. This is how lambda fundamentally works in VPCs.

The exact same link that you provided instructs you on how to create this NAT Gateway alongside your VPCs and Lambdas.

Complementing the answer, the reason you need a NAT Gateway in this scenario is:

... you can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances...

Extracted from the AWS docs.


Keep in mind: If you need your lambdas to access only the internet - and not any other resource in the same VPC - I recommend making them non-VPC; then they'll have internet access out of the box, and you won't pay for the cost of NATs.
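The answer and the comments describe a routing layout with three moving parts: a public subnet whose default route is the Internet Gateway, a NAT Gateway placed in that public subnet, and a separate private subnet whose default route is the NAT Gateway, with the function attached only to the private subnet. The check below, an added example rather than code from the question, the answer, or AWS, walks that chain offline over data shaped like the EC2 `describe-route-tables` and `describe-nat-gateways` responses and a Lambda `VpcConfig`. All IDs and the three layouts (the direct-to-IGW attempt, the NAT-in-the-same-subnet attempt, and the working layout) are constructed for the example.

```python
"""Offline check of the VPC egress layout for a Lambda function.

The dicts mirror the field names of EC2 describe-route-tables /
describe-nat-gateways and a Lambda VpcConfig, but every ID and value
here is constructed for the example.
"""

def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route (nat-… or igw-…), or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def check_lambda_egress(vpc_config, route_tables, nat_gateways):
    """Return a list of findings; an empty list means the layout matches the answer."""
    findings = []
    nat_by_id = {nat["NatGatewayId"]: nat for nat in nat_gateways}
    for subnet_id in vpc_config["SubnetIds"]:
        table = route_table_for_subnet(route_tables, subnet_id)
        target = default_route_target(table) if table else None
        if target is None:
            findings.append(f"{subnet_id}: no 0.0.0.0/0 route at all")
        elif target.startswith("igw-"):
            # A function ENI has no public IP, so a subnet that routes straight
            # to the Internet Gateway gives it no path out (the first attempt).
            findings.append(f"{subnet_id}: default route goes straight to {target}; "
                            "the function needs a NAT gateway, not a public subnet")
        elif target.startswith("nat-"):
            nat = nat_by_id.get(target)
            if nat is None or nat.get("State") != "available":
                findings.append(f"{subnet_id}: NAT gateway {target} missing or not available")
            elif nat["SubnetId"] == subnet_id:
                # The second attempt: the NAT serves the subnet it lives in.
                findings.append(f"{subnet_id}: NAT gateway {target} sits in the same subnet it serves")
            else:
                nat_table = route_table_for_subnet(route_tables, nat["SubnetId"])
                nat_target = default_route_target(nat_table) if nat_table else None
                if not (nat_target or "").startswith("igw-"):
                    findings.append(f"{nat['SubnetId']}: NAT gateway subnet routes 0.0.0.0/0 to "
                                    f"{nat_target}, not to an internet gateway")
        else:
            findings.append(f"{subnet_id}: unexpected default route target {target}")
    return findings


# Constructed placeholder IDs.
IGW, NAT = "igw-example", "nat-example"
PUBLIC, PRIVATE = "subnet-public-example", "subnet-private-example"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
NATS = [{"NatGatewayId": NAT, "SubnetId": PUBLIC, "State": "available"}]

# Attempt 1 from the question: one subnet with 0.0.0.0/0 -> IGW, function in it.
IGW_DIRECT_TABLES = [{"RouteTableId": "rtb-a-example", "Associations": [{"SubnetId": PUBLIC}],
                      "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]}]
IGW_DIRECT_CONFIG = {"SubnetIds": [PUBLIC]}

# Attempt 2: 0.0.0.0/0 -> NAT, but the NAT lives in the same subnet as the function.
SAME_SUBNET_TABLES = [{"RouteTableId": "rtb-b-example", "Associations": [{"SubnetId": PUBLIC}],
                       "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT}]}]
SAME_SUBNET_CONFIG = {"SubnetIds": [PUBLIC]}

# Working layout from the answer: public subnet -> IGW hosts the NAT,
# private subnet -> NAT hosts the function.
FIXED_TABLES = [
    {"RouteTableId": "rtb-public-example", "Associations": [{"SubnetId": PUBLIC}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW}]},
    {"RouteTableId": "rtb-private-example", "Associations": [{"SubnetId": PRIVATE}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT}]},
]
FIXED_CONFIG = {"SubnetIds": [PRIVATE]}

if __name__ == "__main__":
    for name, cfg, tables in [("igw-direct", IGW_DIRECT_CONFIG, IGW_DIRECT_TABLES),
                              ("same-subnet", SAME_SUBNET_CONFIG, SAME_SUBNET_TABLES),
                              ("fixed", FIXED_CONFIG, FIXED_TABLES)]:
        print(name, check_lambda_egress(cfg, tables, NATS) or "OK")
```

Running the check against real account data only needs the three API responses swapped in for the constructed dicts; the same walk (function subnet, its default route, the NAT's subnet, that subnet's default route) is what the commenter asks the poster to verify by hand.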