TL;DR
I am trying to connect to the internet from AWS Lambda. I have a private subnet with a NAT Gateway, but still the function cannot connect to the internet...
Full Question
So I am trying to access the internet with my AWS Lambda function. I have tried both Java and NodeJS 4 with no luck.
I have a private VPC with a subnet: 10.0.10.0/24
As you can see I have added a rule to my NAT Gateway:
I configured my AWS Lambda like this:
Selecting that subnet (10.0.10.0) and with a security group that is open to everything (both inbound and outbound)
But yet when I try to download something from the internet, the lambda times out:
    'use strict';
    console.log('Loading function');
    var http = require("http");

    exports.handler = (event, context, callback) => {
        //console.log('Received event:', JSON.stringify(event, null, 2));
        console.log('value1 =', event.key1);
        console.log('value2 =', event.key2);
        console.log('value3 =', event.key3);

        var options = {
            host: 'www.virgilio.it',
            port: 80,
            path: '/'
        };

        http.get(options, function(res) {
            console.log("Got response: " + res.statusCode);
        }).on('error', function(e) {
            console.log("Got error: " + e.message);
        });

        callback(null, event.key1); // Echo back the first key value
        // callback('Something went wrong');
    };
{ "errorMessage": "2016-05-10T10:11:46.936Z 79968883-1697-11e6-9e17-1f46a366f324 Task timed out after 55.00 seconds" }
Is this a bug?
Note: the same function works if I don't select my VPC.
Solution
By default, a lambda function is not bound to a VPC, which enables it to have internet access, but prevents it from accessing resources in a VPC, such as RDS instances.
If you attach the lambda to a VPC, you'll lose internet access, which prevents you from accessing resources such as S3 and Dynamo, and from making HTTP requests.
If you need both, then you'll have to set up the VPC for internet access, which is a mess (hey AWS guys, if you have a well-defined process for it, please make it simple: turn it into a checkbox or button ;)
Create a new VPC
I find it's best to leave the default VPC alone, so you don't take the risk of breaking something that's already working in that VPC (in case you already have resources there), and also because you can use the default VPC as configuration reference in the future.
Use the wizard for creating the VPC.
Create the Route Tables
Create the subnets
By default, when you create a VPC, it will create a public subnet for you. If you used default values, its name should be Public subnet. Leave it at that.
Now you are going to create the private subnets. It is recommended to have several private subnets for your Lambda if you want it to have high availability.
Each of these private subnets will be linked to the VPC you just created. Now, supposing you left the VPC IP as 10.0.0.0/16, and that you run your resources in Virginia (us-east-1), here is a template for creating six private subnets, each in a different availability zone (for high availability):
But you can see the pattern:
- There's a 16 increment in the 3rd position of the IP block;
- The names indicate the selected availability zone in your region.
Ensure Route Table vs Subnet associations
- Go to the Route Tables panel;
- Select the public-subnet table, review its associations and make sure it's associated to the Public Subnet;
- Select the private-lambda table, review its associations and make sure it's associated to all the private-lambda-* subnets you just created.
Create an Internet Gateway
Just create one and attach it to the VPC.
Configure the routes for the Public Subnet
In my case it came configured, but just make sure that the Route Table for your Public Subnet has an entry from 0.0.0.0/0 to your just-created Internet Gateway.
Create a NAT (network address translator)
Create a new NAT and select your Public Subnet. Allocate a new EIP.
Configure the routes for the Private Subnets
Ensure that the Route Table for your Private Subnets has an entry from 0.0.0.0/0 to your new NAT.
And with these steps, you should now have an Internet-enabled VPC.
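The steps above rendered as infrastructure-as-code, so the wiring can be reviewed in one place instead of across console panels. This is an added example and not the answer's own code: it emits a CloudFormation template (JSON) for the VPC, the Internet Gateway and its attachment, the public subnet with its IGW default route, an EIP plus NAT gateway in that public subnet, and six private-lambda-* subnets sharing one route table whose default route points at the NAT. Values the page does not state are assumptions: /24 subnets, 10.0.0.0/24 for the public subnet, 10.0.16.0/24 as the first private block, and the AZ letters a through f.

```python
"""Render the answer's VPC layout as a CloudFormation template (JSON).

Added example, not the answer's own code. Assumptions not stated on the page:
/24 subnets, the public subnet is 10.0.0.0/24, the first private subnet is
10.0.16.0/24, and the six AZs are us-east-1a through us-east-1f.
"""
import ipaddress
import json

VPC_CIDR = "10.0.0.0/16"
REGION = "us-east-1"
AZ_SUFFIXES = "abcdef"       # assumption: six AZ letters in the region
PUBLIC_CIDR = "10.0.0.0/24"  # assumption: block used by the wizard's public subnet
PRIVATE_FIRST = 16           # assumption: third octet of the first private block
PRIVATE_STEP = 16            # "a 16 increment in the 3rd position of the IP block"


def private_subnet_cidrs(vpc_cidr=VPC_CIDR, count=6, first=PRIVATE_FIRST, step=PRIVATE_STEP):
    """Return `count` /24 CIDRs inside vpc_cidr, stepping the third octet by `step`."""
    vpc = ipaddress.ip_network(vpc_cidr)
    cidrs = []
    for i in range(count):
        net = ipaddress.ip_network(f"{vpc.network_address + (first + i * step) * 256}/24")
        if not net.subnet_of(vpc):
            raise ValueError(f"{net} does not fit inside {vpc_cidr}")
        cidrs.append(str(net))
    return cidrs


def ref(name):
    return {"Ref": name}


def build_template(vpc_cidr=VPC_CIDR, region=REGION):
    """Return a CloudFormation template dict: VPC, IGW, public subnet + NAT, private subnets."""
    res = {
        "VPC": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": vpc_cidr, "EnableDnsSupport": True, "EnableDnsHostnames": True}},
        # Step "Create an Internet Gateway": create it and attach it to the VPC.
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "GatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                              "Properties": {"VpcId": ref("VPC"), "InternetGatewayId": ref("InternetGateway")}},
        # Public subnet: only the NAT gateway lives here; its default route is the IGW.
        "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                         "Properties": {"VpcId": ref("VPC"), "CidrBlock": PUBLIC_CIDR,
                                        "AvailabilityZone": f"{region}a",
                                        "Tags": [{"Key": "Name", "Value": "Public subnet"}]}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("VPC")}},
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "GatewayAttachment",
                               "Properties": {"RouteTableId": ref("PublicRouteTable"),
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": ref("InternetGateway")}},
        "PublicSubnetAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                    "Properties": {"SubnetId": ref("PublicSubnet"),
                                                   "RouteTableId": ref("PublicRouteTable")}},
        # Step "Create a NAT": allocate a new EIP and place the NAT gateway in the public subnet.
        "NatEip": {"Type": "AWS::EC2::EIP", "DependsOn": "GatewayAttachment", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway",
                       "Properties": {"AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
                                      "SubnetId": ref("PublicSubnet")}},
        # One route table shared by all private-lambda-* subnets: 0.0.0.0/0 -> NAT gateway.
        "PrivateLambdaRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("VPC")}},
        "PrivateDefaultRoute": {"Type": "AWS::EC2::Route",
                                "Properties": {"RouteTableId": ref("PrivateLambdaRouteTable"),
                                               "DestinationCidrBlock": "0.0.0.0/0",
                                               "NatGatewayId": ref("NatGateway")}},
    }
    # Step "Create the subnets": one private subnet per AZ, all associated to the private table.
    for cidr, az in zip(private_subnet_cidrs(vpc_cidr), AZ_SUFFIXES):
        name = f"PrivateLambda{az.upper()}"
        res[name] = {"Type": "AWS::EC2::Subnet",
                     "Properties": {"VpcId": ref("VPC"), "CidrBlock": cidr,
                                    "AvailabilityZone": f"{region}{az}",
                                    "Tags": [{"Key": "Name", "Value": f"private-lambda-{region}{az}"}]}}
        res[name + "Association"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                     "Properties": {"SubnetId": ref(name),
                                                    "RouteTableId": ref("PrivateLambdaRouteTable")}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": res}


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

Run it and feed the output to `aws cloudformation deploy` or the console; the important review points are visible in the template itself: the NAT gateway's SubnetId references the public subnet (whose default route is the IGW), and the private table's default route references the NAT, never the IGW.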
Use Case: configuring a Lambda for internet and RDS access
Create a Security Group for the lambda
- Create a new SG and configure Outbound -> All Traffic -> to 0.0.0.0/0 and ::/0
Modify the Security Group of your RDS instance to allow
- Inbound -> All traffic -> from the lambda SG
Configure the lambda
- Create a new lambda or select an existing one;
- Select your new VPC;
- Select all your private subnets (private-lambda-*) for high availability;
- Select your lambda Security Group.
And that's it. You should now have a lambda function that can access both VPC and Internet resources :)
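A check for the finished configuration, covering the same hops the answer walks through: each subnet selected for the lambda must default-route to a NAT gateway, that NAT gateway must sit in a subnet whose default route is an Internet Gateway, and the lambda's security group must allow egress to 0.0.0.0/0. It also flags the common mistake of selecting a public subnet, which fails because Lambda ENIs never receive a public IP, so an IGW route cannot carry their traffic. This is an added example, not the answer's own code; the inventory is constructed to mirror the answer's final layout (shaped loosely after the EC2 describe-* responses), and all resource ids are placeholders.

```python
"""Check the network path a VPC-attached Lambda needs to reach the internet.

Added example with constructed data shaped loosely after the EC2 describe-*
API responses; not the answer's own code. Resource ids are placeholders.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed inventory mirroring the answer's final layout (placeholder ids).
SUBNETS = {
    "subnet-public": {"CidrBlock": "10.0.0.0/24", "RouteTableId": "rtb-public"},
    "subnet-private-a": {"CidrBlock": "10.0.16.0/24", "RouteTableId": "rtb-private-lambda"},
    "subnet-private-b": {"CidrBlock": "10.0.32.0/24", "RouteTableId": "rtb-private-lambda"},
}
ROUTE_TABLES = {
    "rtb-public": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-PLACEHOLDER"}],
    "rtb-private-lambda": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                           {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-PLACEHOLDER"}],
}
NAT_GATEWAYS = {"nat-PLACEHOLDER": {"SubnetId": "subnet-public", "State": "available"}}
SECURITY_GROUPS = {
    "sg-lambda": {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": DEFAULT_ROUTE}]}]},
}
LAMBDA_VPC_CONFIG = {"SubnetIds": ["subnet-private-a", "subnet-private-b"],
                     "SecurityGroupIds": ["sg-lambda"]}


def default_route(route_table_id, route_tables):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in route_tables.get(route_table_id, []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def egress_allows_internet(sg):
    """True if any egress rule of the security group permits traffic to 0.0.0.0/0."""
    for perm in sg.get("IpPermissionsEgress", []):
        if any(r.get("CidrIp") == DEFAULT_ROUTE for r in perm.get("IpRanges", [])):
            return True
    return False


def check_internet_path(vpc_config, subnets, route_tables, nat_gateways, security_groups):
    """Return a list of findings; an empty list means every hop is wired as the answer describes."""
    findings = []
    for subnet_id in vpc_config["SubnetIds"]:
        subnet = subnets.get(subnet_id)
        if subnet is None:
            findings.append(f"{subnet_id}: unknown subnet")
            continue
        route = default_route(subnet["RouteTableId"], route_tables)
        if route is None:
            findings.append(f"{subnet_id}: route table {subnet['RouteTableId']} has no 0.0.0.0/0 route")
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            # Lambda ENIs never get a public IP, so an IGW default route cannot carry their traffic.
            findings.append(f"{subnet_id}: is a public subnet (default route to IGW); Lambda needs a NAT route")
            continue
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            findings.append(f"{subnet_id}: default route target is neither an IGW nor a NAT gateway")
            continue
        nat = nat_gateways.get(nat_id)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{subnet_id}: NAT gateway {nat_id} missing or not available")
            continue
        # The NAT gateway itself must live in a subnet that default-routes to an Internet Gateway.
        nat_subnet = subnets.get(nat["SubnetId"], {})
        nat_route = default_route(nat_subnet.get("RouteTableId"), route_tables)
        if nat_route is None or not nat_route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{subnet_id}: NAT gateway {nat_id} sits in {nat['SubnetId']}, "
                            "whose default route does not go to an Internet Gateway")
    for sg_id in vpc_config["SecurityGroupIds"]:
        if not egress_allows_internet(security_groups.get(sg_id, {})):
            findings.append(f"{sg_id}: no egress rule to 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    problems = check_internet_path(LAMBDA_VPC_CONFIG, SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS)
    print("\n".join(problems) if problems else "internet path OK for every selected subnet")
```

Against a real account the same dictionaries can be filled from `describe-subnets`, `describe-route-tables`, `describe-nat-gateways`, `describe-security-groups` and the function's VpcConfig; the check is deliberately read-only.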