When my AWS Lambda function tries to reach downstream AWS services or external endpoints, I receive an ETIMEDOUT error.
Resolution
You receive the ETIMEDOUT error when a connection attempt fails because the host didn't respond within the client's timeout period. In most cases the connection request never reaches a host that can answer it: a network configuration issue leaves no valid network path between the Lambda function and the host, and because security groups and network ACLs drop packets silently rather than rejecting them, the result is a timeout instead of a refused connection. (A host that is reachable but not listening on the port returns ECONNREFUSED, not ETIMEDOUT.) To troubleshoot an ETIMEDOUT error, verify your networking configuration based on where the host is reachable from.
For a host that's accessible through the public internet
If you configured the function to connect to an Amazon Virtual Private Cloud (Amazon VPC), then make sure that the function has a route to the public internet. The elastic network interfaces that Lambda creates for the function never receive public IP addresses, so a route to an internet gateway alone doesn't work. Verify that all subnets configured for the function are private subnets whose route tables have a default route (0.0.0.0/0) to a NAT gateway. Lambda can place an invocation in any of the configured subnets, so if only some of the subnets have such a route, then you receive intermittent timeout errors. If the default route points to an AWS Transit Gateway, then verify that the transit gateway attachment and its route tables forward the traffic to a NAT gateway or other internet egress, and that the return route exists.
Note: By default, a function that isn't connected to a VPC has access to the public internet.
For a host that's accessible only within a VPC
If the host is accessible only within a VPC, first configure the Lambda function in the VPC, and then verify the following configurations:
- There's a valid route path to the host in the route table of the function's subnets. If the host endpoint is in the same VPC as the Lambda function, then the local route covers it. If the host endpoint is in a different VPC, then make sure that the route table has a route to the peer VPC's CIDR through the VPC peering connection, and that the peer VPC has the return route to the function's subnets.
- The network ACLs of both the Lambda function's subnets and the host's subnet allow the traffic. Network ACLs are stateless, so each ACL must allow the request on the destination port in one direction and the response on the ephemeral port range (1024-65535) in the other.
- The Lambda function's security group rules allow outbound traffic to the host's IP address or security group on the required port.
- The host's security group rules allow inbound traffic on the required port from the Lambda function's security group or from the CIDR of the function's subnets. Security groups are stateful, so you don't need an explicit rule for the response traffic.
- The host listens on the protocol and port that the function specifies in the connection request, for example HTTPS on TCP port 443.
To analyze network path configuration issues, use the VPC Reachability Analyzer.
A NAT gateway drops a connection that's idle for 350 seconds or more, so a request sent over a pooled connection that sat idle for that long times out. If the timeout error occurs on a long-lived or reused connection, then either enable TCP keepalive with an interval shorter than 350 seconds so that the connection stays active, or close idle connections and open a new one for each request.
For a host that uses a VPC with a custom DHCP option set
If the VPC has a custom Dynamic Host Configuration Protocol (DHCP) option set, then the function uses the DNS servers in that option set, and a resolver that can't resolve the host name or that returns an unreachable address causes timeouts. Use Amazon Route 53 Resolver query logging to view the DNS query responses. Then, reproduce the function's view of the network: launch a private Amazon Elastic Compute Cloud (Amazon EC2) instance in the same subnet and with the same security group as the function, and from that instance confirm that the host name resolves to the expected IP address and that the IP address accepts connections on the required port.
To identify the host's IP address, use the EC2 instance to run the following command:
nslookup amazon.com
Note: Replace amazon.com with your host name.
To verify that the IP address can connect to the requested port, run the following command:
telnet host-name-IP-address 443
Note: Replace host-name-IP-address with the IP address from the nslookup output (or with the host name) and 443 with your port. If telnet hangs without output, then packets to the host are being dropped, which matches the timeout that the function sees. If telnet reports "Connection refused", then the host is reachable but nothing listens on that port. If telnet isn't installed on the instance, then nc -vz host-name-IP-address 443 performs the same test.
For troubleshooting information, see How do I troubleshoot consistent and intermittent DNS-related errors in AWS Lambda?
Verify your host configurations
Verify whether the downstream service or the external endpoint receives the request. Use the host's available metrics, logs, or network traces. If the function is connected to a VPC, then turn on VPC Flow Logs for the function's elastic network interfaces to verify that the outbound traffic leaves the function and whether the return traffic arrives. Flow log records with the action REJECT indicate traffic that a security group or network ACL dropped. To find the IP address of the elastic network interface that Lambda created for the function, use the Lambda ENI Finder on the GitHub website. For more information about how to use the Lambda ENI Finder bash script, see Why can't I detach or delete an elastic network interface that Lambda created?
If high incoming traffic overloads the host so that it can't respond within the configured socket timeout, then set an explicit socket timeout in the function so that a slow host fails fast instead of consuming the whole function timeout, and implement retries with exponential back-off and jitter for timeout errors on idempotent requests.