1
votes

I've created a VPC (due to the RDS connectivity needs inside the lambdas) in AWS which has internet access most of the time, but sometimes my outside requests time out (mostly these happen with SES as they're the majority of outside requests). I've configured my VPC the following way (sorry, not in the created order, just reading them off AWS):

  1. VPC with 172.30.0.0/16 CIDR
  2. 3 private subnets with 172.30.0.0/24, 172.30.1.0/24, 172.30.2.0/24 and a different availability zone for each (1a, 1b, 1c) with 0.0.0.0/0 route targeting my NAT
  3. 1 public subnet with 172.30.3.0/24 to 1a availability zone with a 0.0.0.0/0 route targeting my IGW
  4. 2 route tables (private and public) with the 3 private subnets in the private route table and the public one in its own
  5. Security groups for lambdas directing all outbound traffic to 0.0.0.0/0
  6. Lambdas are configured to use these subnets and the given security group.

I'm not understanding why my internet requests sometimes fail from inside the VPC; it's almost as if the lambda gets started in some availability zone and that specific one does not have access to the internet inside the VPC.

EDIT: Resolved! I had the public subnet listed in my lambda function which caused the timeouts

Is your Lambda function configured to use multiple subnets? If so, are they a mix of public and private subnets? Is there a specific reason why you have configured the Lambda function to connect to the VPC (eg does it need to communicate with resources in the VPC)? – John Rotenstein

Lambda in a VPC does not have internet access. Are you sure you correctly set up NAT and placed the Lambda in only private subnets with route tables to the NAT? – Marcin

@JohnRotenstein Lambdas are also connecting to RDS, that's why the need for the VPC. And lambdas are configured to use multiple subnets (those 4 that I have listed, naturally). Will add this to the original posting. – user2735934

Lambda in a public subnet does not have an internet connection. Only the two in private subnets will have an internet connection. The one in the public subnet will not, which can explain why it sometimes fails. – Marcin

Yeah, that resolved it. Thank you so much for the help! – user2735934

1 Answer

1
votes

AWS Lambda functions that are connected to a VPC should always be configured to use private subnets.

If those Lambda functions also require Internet access, they can use a NAT Gateway or NAT Instance to reach the Internet. These NAT services should be configured to use the public subnet(s).

When the Lambda function is connected to a private subnet, then traffic destined for the Internet will be routed from the private subnet, through the NAT Gateway/NAT Instance, and out to the Internet. This will not work if the Lambda function is connected to a public subnet. (And a Lambda function cannot connect directly from a VPC to the Internet.)
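The misconfiguration in the question (a public subnet mixed into a Lambda function's subnet list) is easy to catch by looking at which route table governs each subnet. The following is an added example, not code from the answer or from AWS: it classifies subnets as public (default route to an internet gateway), private (default route to a NAT gateway or NAT instance) or isolated (no active default route), and flags a subnet list that would give the function's network interfaces intermittent or no egress. The route-table data is constructed inline and only shaped like the `describe_route_tables` response; all IDs are placeholders.

```python
from typing import Dict, List, Optional

# Constructed sample data (not from the question or the answer), shaped like the
# boto3 ec2.describe_route_tables() response. It mirrors the layout the question
# describes: three private subnets behind a NAT gateway and one public subnet
# behind an internet gateway. All IDs are placeholders.
ROUTE_TABLES: List[Dict] = [
    {
        "RouteTableId": "rtb-private-EXAMPLE",
        "Routes": [
            {"DestinationCidrBlock": "172.30.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
        "Associations": [
            {"SubnetId": "subnet-a-EXAMPLE", "Main": False},
            {"SubnetId": "subnet-b-EXAMPLE", "Main": False},
            {"SubnetId": "subnet-c-EXAMPLE", "Main": False},
        ],
    },
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Routes": [
            {"DestinationCidrBlock": "172.30.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
        "Associations": [{"SubnetId": "subnet-d-EXAMPLE", "Main": False}],
    },
]

# The four subnets the question's Lambda function was attached to (placeholder IDs).
QUESTION_LAMBDA_SUBNETS = [
    "subnet-a-EXAMPLE", "subnet-b-EXAMPLE", "subnet-c-EXAMPLE", "subnet-d-EXAMPLE",
]


def route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """Find the route table governing a subnet: an explicit association wins,
    otherwise the VPC's main route table applies (this is how EC2 resolves it)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id: str, route_tables: List[Dict]) -> str:
    """'public' if the active default route targets an internet gateway, 'private'
    if it targets a NAT gateway or NAT instance (by instance or ENI), else 'isolated'."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return "isolated"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private"
    return "isolated"


def audit_lambda_subnets(subnet_ids: List[str], route_tables: List[Dict]) -> Dict:
    """Group a function's VpcConfig subnets by egress type. 'ok' is True only when
    every subnet is private: a Lambda ENI in a public subnet has no public IP, so the
    IGW route gives it no path out, and an isolated subnet has no default route at
    all. Either one produces the intermittent timeouts the question describes,
    because each invocation may land on whichever subnet's ENI it is given."""
    result: Dict = {"public": [], "private": [], "isolated": []}
    for sid in subnet_ids:
        result[classify_subnet(sid, route_tables)].append(sid)
    result["ok"] = bool(result["private"]) and not result["public"] and not result["isolated"]
    return result


if __name__ == "__main__":
    # As configured in the question: one public subnet breaks the mix.
    print(audit_lambda_subnets(QUESTION_LAMBDA_SUBNETS, ROUTE_TABLES))
    # After the fix from the EDIT: private subnets only.
    print(audit_lambda_subnets(QUESTION_LAMBDA_SUBNETS[:3], ROUTE_TABLES))
```

Against a real account, `ROUTE_TABLES` would be replaced by `ec2.describe_route_tables()["RouteTables"]` and the subnet list by `lambda_client.get_function_configuration(FunctionName=...)["VpcConfig"]["SubnetIds"]` from boto3; the classification logic is unchanged. Note that the check only looks at the default route, so it will not notice a NAT gateway that itself sits in a private subnet or a security group that blocks outbound traffic; those are separate checks.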