Lambda function can't connect to CodeCommit from a subnet

I made a lambda function to connect to a CodeCommit repository, select a branch and get a specific file. It works as expected.

Then I moved this function to a subnet (tried a public and a private one) and it is no longer able to connect to CodeCommit, am I missing something?

I need this lambda to be in a subnet to connect to a db, no need to have internet access as it should be triggered from S3.

Thanks M

Themen

Vernetzung & Bereitstellung von Inhalten Serverlos Kalkulation DevOps Microservices

Tags

Amazon VPC AWS Lambda DevOps Microservices

Sprache

English

rePost-User-3116220

gefragt vor einem Jahr418 Aufrufe

1 Antwort

Neueste
Die meisten Stimmen
Die meisten Kommentare

To connect to an AWS API you need to either have outbound (e.g. IGW or NAT GW) internet access to reach it or use a VPC Endpoint - https://docs.aws.amazon.com/codecommit/latest/userguide/codecommit-and-interface-VPC.html.

When you tried it in a public subnet, can your lambda function access other internet sites OK?

EXPERTE

skinsman

beantwortet vor einem Jahr

Uri EXPERTE
vor einem Jahr
One correction, Lambda functions do not get a public IP address, as such, they can't connect tothe internet directly, even if attached to a public subnet.

You should attach your function to a private subnet and use a VPC endpoint for CodeCommit.
skinsman EXPERTE
vor einem Jahr
Thanks @Uri I forgot about that. NAT GW is still an option though. In theory you can connect directly from a public subnet by attaching an EIP to the Lambda's ENI but it's not recommended. Since the VPC Lambda networking improvements of 2019/20 the ENIs are long-lived but still:

could be deleted if unused for weeks

could be supplemented by additional ENIs if high concurrency.

So this approach maybe could work if set up carefully but there are better options!
rePost-User-3116220
vor einem Jahr
As I said, my function can connect to CodeCommit if I leave Configuration -> VPC empty. I would expect it to do the same if I set a public subnet but this doesn't happen. To connect to CodeCommit I am using the aws-sdk, I am not calling any API endpoint directly.

This function doesn't need to have access to the internet. I t needs to connect to CodeCommit, do some operations, and then connect to a DB.

When Configuration -> VPC is empty, I can connect to CodeCommit but not to the DB.

If I set Configuration -> VPC with a public or private subnet, I cannot connet to CodeCommit but I can connect to the DB.
skinsman EXPERTE
vor einem Jahr
When using any AWS SDK you're using underlying AWS APIs, so unless you're using a VPC endpoint then you need internet access. When Configuration -> VPC is empty, your Lambda has internet access by default so can connect to CodeCommit. When Configuration -> VPC is not empty, your Lambda does not have internet access by default and needs to be given internet access or use a VPC endpoint to connect to CodeCommit as discussed.
rePost-User-3116220
vor einem Jahr
I created a VPC endpoint (interface) and I set-up the same private subnets where my lambda is. Also I tried both com.amazonaws.us-east-1.git-codecommit and com.amazonaws.us-east-1.codecommit but still experiencing timeout. Is there anything else I can double check?

Relevanter Inhalt

Wie erstelle ich mithilfe von AWS CloudFormation ein AWS CodeCommit-Repository, das einen bestimmten Standard-Filialnamen verwendet?
AWS OFFICIALAktualisiert vor 3 Jahren
Wie behebe ich die Fehler „Invalid permissions on Lambda function“ (Ungültige Berechtigungen für die Lambda-Funktion) von API Gateway-REST-APIs?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie konfiguriere ich meine Site-to-Site-VPN-Verbindung so, dass Tunnel A gegenüber Tunnel B bevorzugt wird?
AWS OFFICIALAktualisiert vor 2 Jahren
Wie kann ich die maximale E/A-Leistung aus meinen EBS-Datenträgern herausholen, die auf Nitro-basierten EC2-Instances gehostet werden?
AWS OFFICIALAktualisiert vor 7 Monaten