2
votes

So I have a very confusing issue that I don't know how to solve. My setup is API Gateway -> Lambda -> IoT Core. I set up the code and it works fine from my IDE. I deploy it to AWS, and my connection to AWS times out.

The Lambda is in a single subnet and the subnet does have a default route to an IGW. I did a test, and the Lambda function can resolve the IP of my IoT endpoint to a public IP (54.x.x.x). But the connect() method times out. My security group for the Lambda function is set up to allow all incoming / outgoing.

What am I missing? Why can't I get to IoT Core from inside a VPC with an IGW configured that seems to be working? Any direction would be greatly appreciated.

UPDATE

After playing around with many different things, I can't identify what exactly I had messed up with my configuration. But following the accepted answer I ended up with the following setup which appears to work for what I need.

  • subnet-1 10.14.10.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-2 10.14.20.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-3 10.14.30.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-4 10.14.40.0/24 (auto-assign-public=false)
    • local route ( 10.14.0.0/16 ) and default route=nat-gateway
  • subnet-5 10.14.200.0/24 (auto-assign-public=true)
    • local route ( 10.14.0.0/16 ) and default route=igw
  • nat-gateway
    • in subnet-5

I don't know if this is what I intended, but this is what I was looking for: a series of subnets that are not publicly accessible, but have an internet connection for access to other AWS services. So my Lambda resources, ECS, etc. can sit privately and access what they need.

Thank you everyone for the information.

2
Does it all work when the Lambda is not in the VPC? Does your Lambda have the correct execution role for VPC? - Marcin
Yes, API GW has multiple endpoints all of which work fine inside the VPC (accessing DynamoDB, elasticache, etc). I haven't specifically tried outside of VPC. I'll try that for a test. - cinnafire
@Marcin yes, it does work outside of the VPC. - cinnafire
Interesting. Do you have any NACLs on your subnet that can block connections? Also, is your subnet private or public? - Marcin
The VPC and subnet are private. I am using the default NACL which has a single rule of allow all ( 100 / ALL Traffic / ALL / ALL / 0.0.0.0/0 / ALLOW ) for both inbound and outbound. I also have a NAT GW in this same subnet which I just noticed. I added that to fix something in the past but I don't remember why. - cinnafire

2 Answers

2
votes

You should not deploy the Lambda function to a public subnet (that's the subnet with the default route to the IGW). It won't work the way you want it to work. The Lambda function doesn't have, and cannot have, a public IP, so it cannot route to the internet via the IGW.

If the Lambda needs to be in VPC, then move it to a private subnet and make sure that the private subnet has a default route to a NAT (or NAT gateway) in a public subnet. Or deploy the Lambda function outside of VPC completely, if that's viable.

More information at:
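The routing rule in this answer, applied to the asker's layouts, as an added example (Python; this is not code from the question, the answers or AWS). It evaluates a VPC layout written as plain dicts, loosely shaped like `aws ec2 describe-route-tables` output but constructed here; the IDs `igw-1`, `nat-1`, the `subnet-x` name for the original single subnet, and the placeholder public address `54.0.0.1` standing in for the 54.x.x.x IoT endpoint are all assumptions. A Lambda ENI never gets a public IP, so a `0.0.0.0/0` route to an Internet Gateway cannot carry its traffic; only a NAT gateway that itself sits in a subnet with an IGW default route gives it egress. The check does a longest-prefix match, so it also handles in-VPC destinations and a NAT gateway that is itself stranded in a subnet without an IGW route.

```python
"""Route-table check for a Lambda ENI, as described in the accepted answer.

Added example, not code from the question or the answers. The layouts below
are constructed dicts loosely shaped like `aws ec2 describe-route-tables`
output; IDs such as igw-1 and nat-1 are placeholders.
"""
from ipaddress import ip_address, ip_network

# Constructed: the asker's final layout from the UPDATE section.
FINAL_SUBNETS = {
    "subnet-1": {"10.14.0.0/16": "local", "0.0.0.0/0": "nat-1"},
    "subnet-2": {"10.14.0.0/16": "local", "0.0.0.0/0": "nat-1"},
    "subnet-3": {"10.14.0.0/16": "local", "0.0.0.0/0": "nat-1"},
    "subnet-4": {"10.14.0.0/16": "local", "0.0.0.0/0": "nat-1"},
    "subnet-5": {"10.14.0.0/16": "local", "0.0.0.0/0": "igw-1"},
}
FINAL_NATS = {"nat-1": "subnet-5"}  # NAT gateway id -> subnet it lives in

# Constructed: the original single-subnet layout from the question, where the
# Lambda sat in a subnet whose default route pointed at the IGW (subnet-x is
# an assumed name; the NAT GW the asker noticed in that subnet is included).
ORIGINAL_SUBNETS = {"subnet-x": {"10.14.0.0/16": "local", "0.0.0.0/0": "igw-1"}}
ORIGINAL_NATS = {"nat-1": "subnet-x"}

# Placeholder public address standing in for the IoT endpoint's 54.x.x.x IP.
IOT_ENDPOINT_IP = "54.0.0.1"


def route_for(dest, subnet_id, subnets):
    """Longest-prefix match of dest against a subnet's routes: (network, target) or None."""
    addr = ip_address(dest)
    best = None
    for prefix, target in subnets[subnet_id].items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def lambda_can_reach(dest, subnet_id, subnets, nats):
    """Return (reachable, explanation) for a Lambda ENI in subnet_id sending to dest."""
    match = route_for(dest, subnet_id, subnets)
    if match is None:
        return False, f"{subnet_id}: no route covers {dest}"
    net, target = match
    if target == "local":
        return True, f"{subnet_id}: {dest} is inside the VPC ({net}), delivered locally"
    if target.startswith("igw-"):
        return False, (f"{subnet_id}: {net} -> {target}, but a Lambda ENI has no public IP, "
                       "so the IGW cannot forward its packets")
    if target.startswith("nat-"):
        nat_subnet = nats.get(target)
        if nat_subnet is None:
            return False, f"{subnet_id}: {net} -> {target}, which does not exist"
        # The NAT gateway only helps if its own subnet routes dest to an IGW.
        hop = route_for(dest, nat_subnet, subnets)
        if hop is None or not hop[1].startswith("igw-"):
            return False, (f"{subnet_id}: via {target} in {nat_subnet}, which has no IGW "
                           f"route for {dest}; the NAT gateway itself is stranded")
        return True, f"{subnet_id}: {dest} via {target} in {nat_subnet} -> {hop[1]}"
    return False, f"{subnet_id}: {net} -> {target} is not an egress target this check understands"


def audit(subnets, nats, dest=IOT_ENDPOINT_IP):
    """Map each subnet to whether a Lambda placed in it could reach dest."""
    return {sid: lambda_can_reach(dest, sid, subnets, nats)[0] for sid in subnets}


if __name__ == "__main__":
    for layout, nats in ((ORIGINAL_SUBNETS, ORIGINAL_NATS), (FINAL_SUBNETS, FINAL_NATS)):
        for sid in layout:
            print(lambda_can_reach(IOT_ENDPOINT_IP, sid, layout, nats)[1])
```

Run against the final layout, `audit` reports subnets 1 to 4 as able to reach the endpoint through `nat-1` and subnet-5 as not (a Lambda there would have the same IGW problem the question describes); against the original layout it produces the "no public IP" explanation. The same function flags a NAT gateway placed in a subnet without an IGW route, which is the other easy way to end up with a working-looking but dead default route.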

0
votes

When you say "I did a test, and the Lambda function can resolve the IP of my IoT endpoint to a public IP (54.x.x.x)", do you mean DNS resolution, or have you checked this with actual network traffic?

In either case, you can turn on VPC Flow Logs for your VPC and try again. The flow log will identify whether SGs or NACLs are blocking your traffic.

Remember also that Lambdas cannot exist in a public subnet; they have to reside in private subnets and use a NAT GW in a public subnet to connect to the internet.
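Reading the flow logs this answer suggests, as an added example (Python; not code from the answer or from AWS). It assumes the default version 2 flow log record format (14 space-separated fields) and a VPC CIDR of 10.14.0.0/16 as in the question; the records, ENI ids, addresses and account id are constructed, and port 8883 is assumed as the MQTT-over-TLS port of the IoT endpoint. The point it makes is the distinction a practitioner needs when reading the log: a REJECT record means an SG or NACL dropped the packet, whereas an ACCEPT with no reply flow means the packet left the ENI and was lost further along, which is what the IGW routing problem in this question looks like.

```python
"""Classify a Lambda ENI's outbound connections from VPC Flow Log records.

Added example, not code from the answer. Assumes the default version 2 flow
log format; all records below are constructed and the ENI ids, addresses and
account id are placeholders.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Default version 2 record layout: 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

VPC_CIDR = ip_network("10.14.0.0/16")  # the asker's VPC range

# Constructed sample: eni-0aaa sits in the IGW-routed subnet (packets leave,
# nothing comes back); eni-0bbb is blocked by an SG/NACL; eni-0ccc is in a
# NAT-routed subnet and completes the exchange. 54.0.0.1 stands in for the
# IoT endpoint, 8883 for MQTT over TLS.
SAMPLE_LOG = """\
2 111111111111 eni-0aaa 10.14.200.9 54.0.0.1 43512 8883 6 6 360 1600000000 1600000060 ACCEPT OK
2 111111111111 eni-0aaa 10.14.200.9 54.0.0.1 43513 8883 6 6 360 1600000060 1600000120 ACCEPT OK
2 111111111111 eni-0bbb 10.14.10.26 54.0.0.1 51000 8883 6 1 60 1600000000 1600000060 REJECT OK
2 111111111111 eni-0ccc 10.14.10.25 54.0.0.1 52000 8883 6 6 360 1600000000 1600000060 ACCEPT OK
2 111111111111 eni-0ccc 54.0.0.1 10.14.10.25 8883 52000 6 5 400 1600000000 1600000060 ACCEPT OK
2 111111111111 eni-0ccc 10.14.10.25 10.14.20.4 40000 6379 6 3 180 1600000000 1600000060 ACCEPT OK
"""


def parse(text):
    """Parse version 2 flow log lines into dicts, skipping anything else."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # header line, custom format, or NODATA/SKIPDATA oddities
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify(records, vpc_cidr=VPC_CIDR):
    """Group VPC-to-outside flows per (ENI, remote addr, remote port) and give a verdict."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "rejected": 0})
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if src in vpc_cidr and dst not in vpc_cidr:
            key, direction = (r["interface_id"], r["dstaddr"], r["dstport"]), "out"
        elif dst in vpc_cidr and src not in vpc_cidr:
            key, direction = (r["interface_id"], r["srcaddr"], r["srcport"]), "in"
        else:
            continue  # intra-VPC traffic is not what we are diagnosing here
        if r["action"] == "REJECT":
            flows[key]["rejected"] += 1
        else:
            flows[key][direction] += int(r["packets"])
    verdicts = {}
    for key, c in flows.items():
        if c["rejected"]:
            verdicts[key] = "rejected: a security group or NACL is blocking"
        elif c["out"] and c["in"]:
            verdicts[key] = "ok: reply traffic seen"
        elif c["out"]:
            verdicts[key] = "no reply: packets left the ENI, check routing (IGW vs NAT) or the remote side"
        else:
            verdicts[key] = "inbound only"
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify(parse(SAMPLE_LOG)).items():
        print(key, "->", verdict)
```

Feed it the records for the ENI that Lambda created in your subnet (the interface id is visible on the function's VPC configuration) and the verdict tells you which of the two failure classes you are in before you touch any rules.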