1
votes

I have a Lambda function which can be triggered from an API gateway or ALB request. I also have an RDS Aurora PostgreSQL instance, both of which are running within a VPC.

I'm able to connect to the RDS instance from the Lambda just fine; however, I can't access the internet. For example, attempting to fire off a request to https://jsonplaceholder.typicode.com/todos/1 causes a timeout.

I also can't connect to the remote database using a SQL client such as DBeaver.

Here's some detail below but let me know if you need anything else. I'm stumped.

Lambda Inbound Rules

Security group ID       Ports   Source
sg-0f2c4426c8fc85235    80      0.0.0.0/0
sg-0f2c4426c8fc85235    5432    0.0.0.0/0
sg-0f2c4426c8fc85235    All     sg-0f2c4426c8fc85235
sg-0f2c4426c8fc85235    22      0.0.0.0/0
sg-0f2c4426c8fc85235    443     0.0.0.0/0

Lambda Outbound Rules

Security group ID       Ports   Destination
sg-0f2c4426c8fc85235    All     0.0.0.0/0

RDS Connectivity [screenshot: rds]

VPC [screenshot: vpc]

Public Subnet [screenshot: pubsub]

Private Subnet [screenshot: prisub]

EDITS

NAT Gateway (associated with public subnet) [screenshot: nat]

Route Tables [screenshot: rtables]

Route Table Routes [screenshots: rtablerouteA, rtablerouteB, rtablerouteC]

EDIT 2

Lambda Subnets [screenshot: lamsub]

2
Can you also share the route table? - Rafaf Tahsin
I hope you made a common mistake here: you should create the NAT Gateway in the public subnet and update the private subnet's route table. Often people create the NAT Gateway in the private subnet, which is actually a deadlock. - docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html - Rafaf Tahsin
@RafafTahsin - Sorry, my mistake, the NAT is in the public subnet. I've edited the original post to add images for the NAT and route tables. - Craig
Which subnet is the Lambda function attached to? - John Rotenstein
@Craig The route table (rtb-0d15b06e1cff79515) associated with the private subnet doesn't have a route to the NAT gateway. Also, the Lambda function should be in only the private subnet(s) if you want it to use the NAT gateway. Check out this link: docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html - abdullahkhawer

2 Answers

5
votes

The Lambda function should only be connected to a private subnet.

This enables Internet-bound traffic to be routed to the NAT Gateway in the public subnet.

If the Lambda function connects to the public subnet, it will be unable to reach the Internet.
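As an added example (not code from the question or this answer), here is a small Python checker that encodes the rule above together with the two pitfalls from the comment thread: it takes the subnet list from a function's VpcConfig plus the VPC's route tables and NAT gateways, in the shape the AWS CLI returns, and reports per subnet whether the function can reach the Internet. The JSON inline is constructed and every ID in it is made up; in practice you would feed it the output of `aws lambda get-function-configuration`, `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`.

```python
"""Diagnose why a VPC-attached Lambda cannot reach the Internet.

Added example, not code from the original post. It walks the same data you would
pull with `aws lambda get-function-configuration --query VpcConfig`,
`aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`; the JSON
below is constructed to mirror those shapes and every ID in it is made up.
"""
from __future__ import annotations

# Constructed sample: a function attached to one public and two private subnets.
LAMBDA_VPC_CONFIG = {
    "SubnetIds": ["subnet-pub0001", "subnet-priva001", "subnet-privb001"],
    "SecurityGroupIds": ["sg-aaaa0001"],
}

# Constructed sample resembling `aws ec2 describe-route-tables` output (trimmed).
ROUTE_TABLES = {"RouteTables": [
    {   # VPC main table, used by any subnet without an explicit association
        "RouteTableId": "rtb-main0001",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to the Internet gateway
        "RouteTableId": "rtb-pub0001",
        "Associations": [{"SubnetId": "subnet-pub0001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001", "State": "active"},
        ],
    },
    {   # private subnet A: default route to a NAT gateway (the correct layout)
        "RouteTableId": "rtb-priva001",
        "Associations": [{"SubnetId": "subnet-priva001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
        ],
    },
    # private subnet B has no explicit association, so it falls back to the main table
]}

# Constructed sample resembling `aws ec2 describe-nat-gateways` output (trimmed).
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0001", "SubnetId": "subnet-pub0001", "State": "available"},
]}


def route_table_for(subnet_id: str, route_tables: dict) -> dict | None:
    """Return the table a subnet uses: its explicit association, else the VPC main table."""
    main = None
    for rtb in route_tables["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route(rtb: dict) -> dict | None:
    """Return the active 0.0.0.0/0 route of a table, if any."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def classify_subnet(subnet_id: str, route_tables: dict, nat_gateways: dict) -> str:
    """Classify a subnet from a Lambda function's point of view.

    'ok'            default route to an available NAT gateway that itself sits in an
                    IGW-routed (public) subnet
    'public'        default route straight to an Internet gateway; a Lambda ENI has no
                    public IP, so this is a dead end for the function
    'no-default'    no 0.0.0.0/0 route at all (the question's private route table)
    'nat-unusable'  NAT route present but the gateway is not available or is not in a
                    public subnet (the "NAT in a private subnet" deadlock)
    'other'         default route to something else (peering, transit gateway, instance)
    """
    rtb = route_table_for(subnet_id, route_tables)
    route = default_route(rtb) if rtb else None
    if route is None:
        return "no-default"
    if route.get("GatewayId", "").startswith("igw-"):
        return "public"
    nat_id = route.get("NatGatewayId")
    if nat_id is None:
        return "other"
    for nat in nat_gateways["NatGateways"]:
        if nat["NatGatewayId"] != nat_id or nat["State"] != "available":
            continue
        nat_rtb = route_table_for(nat["SubnetId"], route_tables)
        nat_route = default_route(nat_rtb) if nat_rtb else None
        if nat_route and nat_route.get("GatewayId", "").startswith("igw-"):
            return "ok"
    return "nat-unusable"


def check_lambda_egress(vpc_config: dict, route_tables: dict, nat_gateways: dict) -> dict[str, str]:
    """Map each subnet the function is attached to onto its classification."""
    return {s: classify_subnet(s, route_tables, nat_gateways) for s in vpc_config["SubnetIds"]}


if __name__ == "__main__":
    for subnet, verdict in check_lambda_egress(LAMBDA_VPC_CONFIG, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(f"{subnet}: {verdict}")
```

The 'public' verdict is the one that surprises people: a Lambda ENI never gets a public IP, so a subnet whose default route points at an Internet gateway is a dead end for the function even though an EC2 instance in that subnet would work. The fix is to remove such subnets from the function's VpcConfig, not to touch the security group; the outbound rule in the question (All to 0.0.0.0/0) already permits the traffic.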

0
votes

A mixture of two things, I think. First, as was pointed out, the Lambda should only be connected to private subnets.

I think I'd also mixed up the availability zones between the public and private subnets?

Anyway, the Lambda is now successfully connecting to RDS, hitting external APIs and I can also connect through DBeaver.

Thanks a lot.