0 votes

I can't distinguish between a private subnet and a public subnet.

I created a VPC and attached a subnet, and an IGW was also attached to the route table. So isn't the network a public subnet?

I expected the public subnet to be able to communicate with the outside, but there is no communication at all.

Connecting from AWS Lambda to RDS works (within the VPC), but a timeout occurs for both uploading files to S3 and sending messages to Slack.

I have seen a lot of posts about using VPC endpoints, but when I try to set one up:

Warning
When you use an endpoint, the source IP addresses from your instances in your affected subnets for accessing the AWS service in the same region will be private IP addresses, not public IP addresses. Existing connections from your affected subnets to the AWS service that use public IP addresses may be dropped. Ensure that you don't have critical tasks running when you create or modify an endpoint.

So wouldn't EC2 then be disconnected from S3? That would be a problem for the service, so it can't be set up.

In the Lambda VPC configuration, even if all inbound rules of the security group are opened, the connection is not established.

Is setting up NAT the only way?

I want to avoid NAT because of its cost.

My goal is to communicate with RDS, S3, and Slack from a Lambda in a VPC.

1
Is your Lambda in a private or public subnet? – Marcin
@Marcin My Lambda is set to VPC. I expected it to be a public subnet, but it is probably not a public subnet, so I can't communicate with the outside. – kang

1 Answer

2 votes

A public subnet in AWS is a subnet whose route table has a default route to an Internet Gateway (IGW).

An IGW does not perform NAT, so if your compute (EC2 instance, Lambda function or other) routes traffic to the IGW, then that traffic will reach the internet if the compute instance sending it has a public IP, and that traffic will be dropped if the compute instance sending it does not have a public IP.

How do Lambda functions that you deploy into your VPC reach the internet (for example, to talk to Slack or S3)? They have to route through a NAT. Typically, you deploy them into a private subnet and that subnet's route table has a default route to a NAT device or NAT gateway in a public subnet.

Why can't a Lambda function deployed into a public subnet reach the internet? Because the public subnet's default route is the IGW, the Lambda function does not have a public IP, and the IGW drops all traffic from private IPs. The IGW is not a NAT.

How can a Lambda function reach S3 without also allowing it to reach the internet? You deploy the Lambda function into a VPC private subnet, you do not provide a default route from that subnet to a NAT, and you configure an S3 VPC endpoint in the VPC. Now the Lambda can reach S3 privately.

How can a Lambda function reach an RDS database, which itself is in a private subnet? You deploy the Lambda function into a private subnet, you configure the Lambda with a Security Group, and you configure the RDS instance security group to allow inbound traffic from the Lambda security group.

How do Lambda functions that are not deployed into a VPC reach the internet? Lambda functions do not, and cannot, have public IPs, so they must route through a NAT somehow. But you didn't deploy a VPC, never mind a NAT, so how does it work? The Lambda function has a network interface (an ENI) that is actually deployed into a VPC, but it's not your VPC. It's an AWS-managed VPC and it has a NAT Gateway.

OK, back to your situation. You want your Lambda function to reach Slack (over the internet), S3 (any way possible), and RDS (which is in your VPC's private subnet). That's a challenging combination because, while we could reach both RDS and S3 privately (via intrinsic VPC routing to RDS and by VPC endpoint to S3), we can't reach Slack that way. Or we could reach both S3 and Slack if we deployed outside of VPC (via a NAT in the AWS-managed VPC) but then we could not access private RDS.

So, I think you need to deploy the Lambda into a private subnet, that subnet needs a default route to a NAT Gateway in a public subnet, you need an IGW, and you need to correctly configure security groups on your Lambda function and RDS instance to allow inbound access from the Lambda to RDS. S3 traffic will route publicly. Or you could add an S3 VPC endpoint, if you need to keep the S3 traffic private.

More helpful info here:

PS if there's any chance that you have messed up your VPC, while modifying route tables or other means, then I suggest deleting that VPC and using the AWS console VPC wizard to create a new one.
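The answer's definitions (public = default route to an IGW, private = default route to a NAT, a Lambda ENI never has a public IP) can be turned into a quick check against your own VPC. The following is an added example, not code from the question or the answer: it reads the structure that `aws ec2 describe-route-tables` and `describe-security-groups` return (fed here from constructed sample data, with made-up IDs such as `igw-0example`, `subnet-private` and `sg-lambda`), classifies each subnet the Lambda is attached to, and verifies that the RDS security group allows inbound traffic from the Lambda's security group. Plug in the real JSON from the CLI to diagnose the layout described in the question.

```python
# Added example (not from the original post or from AWS). Classifies subnets from the
# describe-route-tables structure and checks the Lambda -> RDS security-group rule.
# All IDs and sample data below are constructed.

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(route_tables, subnet_id):
    """An explicitly associated table wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """'public' if the default route targets an IGW, 'private' if it targets a NAT
    gateway or NAT instance, 'isolated' if there is no usable default route."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        raise ValueError(f"no route table covers {subnet_id}")
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE or route.get("State") == "blackhole":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private"
    return "isolated"


def has_s3_gateway_endpoint(route_tables, subnet_id):
    """An S3 gateway endpoint appears as a prefix-list (pl-...) route to a vpce-... target."""
    rt = route_table_for_subnet(route_tables, subnet_id) or {}
    return any(
        route.get("DestinationPrefixListId", "").startswith("pl-")
        and route.get("GatewayId", "").startswith("vpce-")
        for route in rt.get("Routes", [])
    )


def lambda_reachability(route_tables, lambda_subnet_ids):
    """Per subnet: can a Lambda ENI there reach the internet (Slack) and S3?
    Lambda ENIs never carry a public IP, so a 'public' subnet gives no egress."""
    report = {}
    for sid in lambda_subnet_ids:
        kind = classify_subnet(route_tables, sid)
        report[sid] = {
            "subnet": kind,
            "internet": kind == "private",
            "s3": kind == "private" or has_s3_gateway_endpoint(route_tables, sid),
        }
    return report


def rds_allows_lambda(rds_sg, lambda_sg_id, port):
    """True if the RDS security group has an inbound rule for `port` sourced from the Lambda SG."""
    for perm in rds_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        )
        if port_ok and any(p.get("GroupId") == lambda_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


# Constructed sample: three subnets mirroring the layouts discussed in the answer.
ROUTE_TABLES = [
    {   # main table, default route to the IGW -> public subnet
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}, {"SubnetId": "subnet-public"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
    },
    {   # private table, default route to a NAT gateway plus an S3 gateway endpoint
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
                   {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"}],
    },
    {   # isolated table: no default route, S3 only via the gateway endpoint
        "RouteTableId": "rtb-isolated",
        "Associations": [{"SubnetId": "subnet-isolated"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"}],
    },
]
RDS_SG = {"GroupId": "sg-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]}

if __name__ == "__main__":
    for sid, verdict in lambda_reachability(
            ROUTE_TABLES, ["subnet-public", "subnet-private", "subnet-isolated"]).items():
        print(sid, verdict)
    print("RDS reachable from Lambda SG:", rds_allows_lambda(RDS_SG, "sg-lambda", 3306))
```

On the constructed data the public subnet reports no internet and no S3 access (exactly the timeout the question describes), the private subnet reports both, and the isolated subnet reaches S3 only through the endpoint. A subnet with no explicit association falls back to the main table, which is how a freshly created subnet in a console-wizard VPC silently ends up public.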