How do I give internet access to a Lambda function that's connected to Amazon VPC?
I want to grant internet access to my AWS Lambda function that has an Amazon Virtual Private Cloud (Amazon VPC) connection.
Short description
By default, Lambda functions run in a Lambda managed VPC that has internet access. To access resources in a VPC in your AWS account, add a VPC configuration to the function. This configuration restricts the function to resources within the VPC, unless the VPC has internet access.
Even when you associate a Lambda function with a public subnet, the function can't directly connect to the internet. A function in a VPC has a private IP address and requires a NAT gateway or NAT instance for the VPC to access the internet.
Note: You can use VPC endpoints to connect to supported AWS services from within an Amazon VPC connection without internet access.
Resolution
Create a public subnet and private subnet in Amazon VPC
Create a private subnet for your Lambda function and a public subnet for your NAT gateway. For the Name tag field, enter a name for each subnet that identifies it as either public or private. For example, use Public subnet, Private Lambda 1, and Private Lambda 2.
Note: It's a best practice to create more than one private subnet across different Availability Zones. This action creates redundancy and allows Lambda to maintain high availability for your function.
Use an internet gateway to add internet access to the subnet
Create an internet gateway, and then attach it to your VPC.
Create a NAT gateway
Create a NAT gateway. For Subnet, choose the subnet that you want to make public. For example, choose Public subnet.
(Optional) Test your NAT gateway setup.
Create two custom route tables
Note: When a Lambda function in a VPC makes requests, the function randomly selects an associated subnet. If the function uses a misconfigured subnet, then you receive an error. To avoid this issue, make sure to use the same configuration for all subnets that your function uses.
To set up your custom route tables, complete the following steps for both your public and private subnet:
- Create a custom route table. For the Name tag field, enter a name for each route table to help you identify the subnet that it's associated with. For example, use Public subnet and Private Lambda.
- Associate the subnet's route table with the private or public subnet.
- Add a new route to the route table, and include the following configurations:
For Destination, enter 0.0.0.0/0.
For Target, choose Internet gateway or NAT gateway. For the public subnet, select the ID of the internet gateway. For the private subnet, select the ID of the NAT gateway.
Important: If you use a NAT instance instead of a NAT gateway, then choose Network interface instead of NAT gateway. - Choose Save routes.
Note: Make sure that the routes to your NAT gateway are in the Active state. If the NAT gateway is deleted and you didn't update the routes, then the routes have a Blackhole status. For more information, see Delete a NAT gateway.
Review your network ACL configuration
The default network access control list (network ACL) in your VPC allows all inbound and outbound traffic. If you change the network ACL rules, then make sure that you allow outbound requests from your Lambda function. Also, make sure that your network ACL allows the following inbound traffic:
- For private subnets that use a NAT gateway, allow inbound traffic on ephemeral ports 1024-65535.
- For private subnets that use a NAT instance, allow inbound traffic on the ephemeral ports that your NAT instance operating system (OS) uses.
For more information, see Ensure internetwork traffic privacy in Amazon VPC.
Create a Lambda execution role
Create a Lambda execution role for your VPC. Then, update the Lambda function to use the new Lambda execution role.
Configure your Lambda function to connect to your VPC
Attach your function to your VPC, and configure the following settings:
- For Subnets, select the private subnets. Identify them by their subnet IDs and names.
- For Security groups, choose a security group.
Note: The default security group allows all outbound internet traffic and is sufficient for most use cases. For more information, see Control traffic to your AWS resources using security groups.
For Lambda functions with an Amazon VPC connection, you can use an egress-only internet gateway to access the internet. For more information, see IPv6 support.
Related information
Troubleshoot networking issues in Lambda
How do I troubleshoot timeout issues with a Lambda function that's in an Amazon VPC?
How do I troubleshoot an ETIMEDOUT error in my Lambda function?
Giving Lambda functions access to resources in an Amazon VPC
Is it possible to give our lambda functions in a private subnet access to internet via an ipv6 egress only internet gateway instead of a nat gateway?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
@pierre Yes! Just assign an IP to the Elastic Network Interface (ENI) created by Lambda.
This article leaves a lot to be desired, a lot of holes and research to be done if you don't already know what your doing.
See this answer on SO - https://stackoverflow.com/questions/37135725/aws-lambda-connecting-to-internet/55267891#55267891 - has step by step images and was easy to follow. Its based on this article but doesn't direct you to more documentation to figure out additional steps.
Followed the SO answer and resolved my issue of using RDS + SES and/or RDS + S3 within the same lambda function on a publicly accessible (ip limited) RDS instance.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked a year ago
- asked 6 years ago
- asked 3 years ago
- asked a year ago
AWS OFFICIALUpdated 4 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago
