How to configure internet access for a lambda function with a properly configured NAT Gateway?

0

Hello, I am configuring internet access for a Lambda function that makes an HTTP call to an API.

Below are the steps I followed:

  • I created a public subnet with a CIDR range of 10.0.128.0/20 with its route table containing a route to the internet gateway. The NAT Gateway has been provisioned in this subnet.
  • I created a private subnet with a CIDR range of 10.0.64.0/20. Created a route table with destination: 0.0.0.0/0 and target: NAT gateway and attached it to the subnet.
  • To test that the NAT gateway is working, I used the Reachability Analyzer in AWS Network Manager and it is reachable (the source was a Linux EC2 instance created in the private subnet above and the target was the internet gateway).
  • I created a security group that allows all inbound and outbound IPv4 traffic.
  • In the Lambda function's VPC configuration, only the private subnet and the security group were added. After adding them, the Lambda was tested with an API call to https://api.github.com but the Lambda fails to reach the API. Logging was added to log the status of the call.

Any assistance is highly appreciated.

The function is a simple Lambda function that uses an HTTP client to make an HTTP call.

NAT Setup guide - https://repost.aws/knowledge-center/nat-gateway-vpc-private-subnet#

Lambda internet access - https://repost.aws/knowledge-center/internet-access-lambda-function

YouTube video - https://www.youtube.com/watch?v=Z3dMhPxbuG0

2 Answers
0
Accepted answer

The above implementation has been re-reviewed, and with logging in place and a test API call to a free API - https://jsonplaceholder.typicode.com/todos/1 - I can confirm that the response status is 200 OK (the Lambda is able to reach the internet). Another learning: since the NAT has a static public IP, this can be added to the security groups of the resources you want the Lambda function to access.

High-level summary of what got the NAT working for me: the NAT GW was created in the public subnet. The private subnet was attached to the Lambda and has a route table linking to the NAT.
A security group allowing all outbound traffic on the HTTP and HTTPS ports was attached to the Lambda while adding the private subnet.

Kyanda
answered a year ago
EXPERT
verified 17 days ago
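The steps in the question and the summary in the accepted answer describe a layout that can be audited mechanically before testing a Lambda. The following is an added example, not code from the original post: a Python checker that walks dictionaries shaped like the boto3 `describe_route_tables`, `describe_nat_gateways`, `describe_security_groups` and `describe_network_acls` responses and reports why a Lambda placed in a given subnet could not reach the internet (no default route, default route pointing at an IGW instead of a NAT, NAT not in a public subnet, security group or NACL blocking TCP/443 or the ephemeral return ports). All resource IDs (`subnet-private`, `nat-0def`, `sg-lambda`, `acl-0123`, ...) and the sample data are constructed and hypothetical; replace them with real API output to audit a live VPC.

```python
"""Offline audit of the Lambda -> private subnet -> NAT GW -> IGW egress path.

Added example, not from the original post. The data below is CONSTRUCTED to
mirror the shapes boto3 returns (ec2.describe_route_tables()["RouteTables"],
describe_nat_gateways()["NatGateways"], describe_security_groups()
["SecurityGroups"], describe_network_acls()["NetworkAcls"]); IDs are made up.
"""
ANY_IPV4 = "0.0.0.0/0"

# Hypothetical sample mirroring the poster's layout: public subnet -> IGW with
# the NAT GW inside it, private subnet -> NAT GW, Lambda in the private subnet.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_IPV4, "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": ANY_IPV4, "NatGatewayId": "nat-0def", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0def", "SubnetId": "subnet-public", "State": "available"}]
SECURITY_GROUPS = [{"GroupId": "sg-lambda", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]}]}]
NETWORK_ACLS = [{"NetworkAclId": "acl-0123", "Associations": [{"SubnetId": "subnet-private"}],
    "Entries": [  # allow-all both ways plus the catch-all "*" deny AWS always reports
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": ANY_IPV4},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": ANY_IPV4},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": ANY_IPV4},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": ANY_IPV4}]}]


def route_table_for_subnet(route_tables, subnet_id):
    """Route table explicitly associated with the subnet, or None (main-table fallback)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route_target(rt):
    """Target id of the active 0.0.0.0/0 route (igw-..., nat-...), or None if absent."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == ANY_IPV4 and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None


def sg_allows_egress(sg, port):
    """True if some egress rule lets TCP/<port> out to 0.0.0.0/0 (SGs are allow-only)."""
    for p in sg.get("IpPermissionsEgress", []):
        if ANY_IPV4 not in {r["CidrIp"] for r in p.get("IpRanges", [])}:
            continue
        if p["IpProtocol"] == "-1" or (p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"]):
            return True
    return False


def nacl_allows(acl, egress, port):
    """Lowest rule number wins; only entries covering any public destination are considered."""
    for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e.get("CidrBlock") != ANY_IPV4 or e["Protocol"] not in ("-1", "6"):
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "6" and pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False


def check_lambda_egress(lambda_subnet, lambda_sg_id, route_tables, nat_gateways, security_groups, network_acls):
    """Return a list of findings; an empty list means the NAT egress path looks correct."""
    findings = []
    rt = route_table_for_subnet(route_tables, lambda_subnet)
    if rt is None:
        return [f"{lambda_subnet}: no explicit route table association (VPC main table applies)"]
    target = default_route_target(rt) or ""
    if target.startswith("nat-"):
        nat = next((n for n in nat_gateways if n["NatGatewayId"] == target), None)
        if nat is None or nat.get("State") != "available":
            findings.append(f"{target}: NAT gateway missing or not 'available'")
        else:
            if nat["SubnetId"] == lambda_subnet:
                findings.append("NAT gateway is in the Lambda's own subnet; it belongs in a public subnet")
            nat_rt = route_table_for_subnet(route_tables, nat["SubnetId"])
            if not (default_route_target(nat_rt) if nat_rt else "" or "").startswith("igw-"):
                findings.append(f"{nat['SubnetId']}: NAT gateway's subnet has no 0.0.0.0/0 -> igw- route")
    else:
        findings.append(f"{rt['RouteTableId']}: 0.0.0.0/0 does not target a NAT gateway (got {target or 'nothing'})")
        if target.startswith("igw-"):
            findings.append("Lambda ENIs have no public IP, so an igw- default route cannot reach the internet")
    sg = next((g for g in security_groups if g["GroupId"] == lambda_sg_id), None)
    if sg is None or not sg_allows_egress(sg, 443):
        findings.append(f"{lambda_sg_id}: no egress rule allowing TCP/443 to 0.0.0.0/0")
    for acl in network_acls:
        if lambda_subnet not in {a.get("SubnetId") for a in acl.get("Associations", [])}:
            continue
        if not nacl_allows(acl, True, 443):
            findings.append(f"{acl['NetworkAclId']}: outbound TCP/443 denied")
        if not all(nacl_allows(acl, False, p) for p in (1024, 65535)):
            findings.append(f"{acl['NetworkAclId']}: inbound ephemeral ports 1024-65535 denied (return traffic)")
    return findings


def audit_sample():
    return check_lambda_egress("subnet-private", "sg-lambda", ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS, NETWORK_ACLS)


if __name__ == "__main__":
    print(audit_sample() or "egress path OK")
```

The checker deliberately treats "no explicit route table association" as a finding rather than resolving the VPC main table, because a Lambda subnet that silently inherits the main table is exactly the kind of thing that looks fine in the console and is not. Attaching the Lambda to the public subnet instead of the private one is reported as a default route that targets `igw-` rather than `nat-`, which is the most common cause of the symptom in the question.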
0

Hi, from your description above I couldn't be sure which subnet your NAT GW is in. It's in the public subnet, right?

Your setup sounds good. Are your NACLs open?

EXPERT
answered a year ago
  • Something still doesn't sound right there - your NAT GW needs a route to the Internet GW (if you're using it for internet traffic), so by definition it is in a public subnet if it's working.

  • Kindly note that the NAT Gateway was provisioned in the public subnet, which has a route table with access to the internet gateway. Sorry about the earlier comment; I might have been rushing. High-level summary: the NAT GW was created in the public subnet. The private subnet was attached to the Lambda and has a route table linking to the NAT.
    A security group allowing all outbound traffic on the HTTP and HTTPS ports was attached to the Lambda while adding the private subnet. This approach got the NAT working as expected.

  • Hello Skinsman, thanks for the prompt response. The NAT is residing in the public subnet.

    But as per tests with a colleague this morning, we tested using this free API - https://jsonplaceholder.typicode.com/todos/1 - and the response code logged was OK.

    Seems everything checks out.
