What are the Inbound and Outbound Rules for connecting a Lambda (inside a VPC) to SQS?


I am trying to connect my Lambda function. The Lambda function will send a message to SQS. The Lambda is inside a VPC.

Now, I tried with only

  • Inbound Rule
  • Outbound Rule

at a time, and the task timed out, because the VPC needs to connect to the SQS HTTPS link. So, based on my understanding, we need

  • an incoming rule for Lambda from the SQS - to get the message Id after successful
  • an outgoing rule for Lambda - to connect to the SQS

An Endpoint Interface is to make sure that any interaction to and from the Lambda does not go out of the VPC.

My question is: What are the CIDR values for Inbound and Outbound Rules? I am allowing all IPs on HTTPS port 443. But I want to know if there would be any exact values for the CIDRs. The Interface for SQS is not being shown in the CIDR option list.

1 Answer

The CIDR values are whatever subnet you have placed your VPC Endpoints in. So for the Lambda security group, you will 99% of the time need port 443 to the Subnet/IPs of the VPC Endpoints.

If your Lambda is VPC connected, you HAVE to use one of the following:

  1. Use VPC Endpoints for ANY Services Lambda requires
  2. Lambda function needs to be in a Subnet with a route to a NAT Gateway, at which point it's likely you will need 0.0.0.0/0 on port 443 for outbound.

No inbound rules will be needed on the Lambda SG for SQS.

EXPERT
answered 4 months ago
EXPERT
Kallu
verified 4 months ago
  • So, in that sense, why does a Lambda function not require any Inbound rule when connecting to S3 or DynamoDB? Why does the Security group only need an Outbound rule to the respective Endpoint (for S3 and DynamoDB)?

  • Because it's a TCP conversation and security groups are stateful. SQS or DynamoDB do not connect to Lambda directly. SQS events trigger a Lambda function by calling the Lambda API and do not connect to the Lambda function.

  • Same for S3. S3 events can trigger a Lambda function via the API. If Lambda needs to access S3 it's an outbound connection, and the security groups are stateful.
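Worked example (added here, not part of the answer or the thread): the two security-group rule sets the answer describes, in the `IpPermissions` shape boto3 uses for `describe_security_groups` and `authorize_security_group_*`, plus a small audit that flags a Lambda SG that still carries inbound rules or a `0.0.0.0/0` egress while a VPC endpoint is in use. The `sg-…` IDs and the "asker's" SG are constructed placeholders, not values from the thread.

```python
# Added example (not from the original post). Security-group IDs below are placeholders.
HTTPS = 443

def lambda_sg_rules(endpoint_sg_id):
    """Lambda function SG: egress only, tcp/443 to the SQS interface endpoint's SG."""
    return {
        "IpPermissions": [],  # stateful SG: SQS never opens a connection to the Lambda
        "IpPermissionsEgress": [{
            "IpProtocol": "tcp", "FromPort": HTTPS, "ToPort": HTTPS,
            "UserIdGroupPairs": [{"GroupId": endpoint_sg_id}],
        }],
    }

def endpoint_sg_rules(lambda_sg_id):
    """Interface endpoint SG: allow tcp/443 in from the Lambda SG only."""
    return {
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": HTTPS, "ToPort": HTTPS,
            "UserIdGroupPairs": [{"GroupId": lambda_sg_id}],
        }],
        "IpPermissionsEgress": [],
    }

def audit_lambda_sg(sg, has_vpc_endpoint):
    """Return findings for a Lambda SG given in describe_security_groups shape.

    has_vpc_endpoint=False corresponds to the NAT Gateway option in the answer,
    where 0.0.0.0/0 on tcp/443 outbound is expected and is not flagged.
    """
    findings = []
    if sg.get("IpPermissions"):
        findings.append("inbound rules present; none are needed for SQS/S3/DynamoDB calls")
    for rule in sg.get("IpPermissionsEgress", []):
        if rule.get("IpProtocol") == "-1" or (rule.get("FromPort"), rule.get("ToPort")) != (HTTPS, HTTPS):
            findings.append("egress allows more than tcp/443")
        if has_vpc_endpoint and any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            findings.append("egress to 0.0.0.0/0 although a VPC endpoint is used; restrict to the endpoint SG or subnet")
    return findings

# Constructed: the asker's first attempt, inbound and outbound tcp/443 open to all IPs.
ASKER_SG = {
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": HTTPS, "ToPort": HTTPS,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": HTTPS, "ToPort": HTTPS,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for f in audit_lambda_sg(ASKER_SG, has_vpc_endpoint=True):
        print("finding:", f)
    print("recommended SG findings:", audit_lambda_sg(lambda_sg_rules("sg-0endpoint"), True))
```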
