How do I troubleshoot internet access issues for an AWS Lambda function that's in an Amazon VPC using AWS Systems Manager?

Short description

Review the following resources to verify that they allow outbound internet access to your Lambda function:

• Subnet route tables
• Security groups rules
• Network access control list (network ACL) rules

If any of these resources don't grant internet access to your Lambda function, then reconfigure the resource to grant your function internet access.

To manually review these resources, follow the instructions in How do I give internet access to a Lambda function that's connected to an Amazon VPC? To automate the troubleshooting process, you can use the AWSSupport-TroubleshootLambdaInternetAccess AWS Systems Manager runbook.

Resolution

Note: The following troubleshooting procedure shows how to use the AWSSupport-TroubleshootLambdaInternetAccess runbook.

1.    Open the AWS Systems Manager console.

2.    In the left navigation pane, under Change Management, choose Automation.

3.    Choose Execute automation.

4.    On the Owned by Amazon tab, in the Automation document search box, enter AWSSupport-TroubleshootLambdaInternetAccess. Then, select the search icon or press Enter on your keyboard.

5.    Select the icon on the upper right of the AWSSupport-TroubleshootLambdaInternetAccess card. Make sure that you choose the icon on the upper right of the card, not the name of the automation.

6.    Choose Next.

7.    (Optional) In the Input parameters section, for AutomationAssumeRole, enter the Amazon Resource Name (ARN) of the role that allows Systems Manager Automation to perform actions. If an IAM role isn't specified, then Systems Manager Automation uses the permissions of the IAM user role that runs the document. For more information about creating the assume role for Systems Manager Automation, see Use IAM to configure roles for Automation.

Important: Either the AutomationAssumeRole or user role must have permissions for the following actions:
lambda:GetFunction
ec2:DescribeRouteTables
ec2:DescribeNatGateways
ec2:DescribeSecurityGroups
ec2:DescribeNetworkAcls

8.    For FunctionName, enter the name of the function that needs its connectivity validated.

9.    For destinationIp, enter the destination IP address where you want to initiate outbound internet access.

10.    For destinationPort, enter the destination port where you want to initiate outbound internet access.

11.    Choose Execute.

The runbook's output provides the status of each resource that might be causing the loss of internet connectivity for your Lambda function. The output also provides recommendations for how to resolve the issue as an "Analysis" message.

Note: For more information on AWS System Manager automation runbooks, see Creating your own runbooks.