How do I configure Lambda functions as targets for Application Load Balancers and troubleshoot related issues?


I need to configure AWS Lambda functions as targets for Application Load Balancers and know how to troubleshoot issues I might encounter.

Resolution

Elastic Load Balancing supports using Lambda functions as targets to process requests from Application Load Balancers. For more information, see Using AWS Lambda with an Application Load Balancer.

Step 1: Create a Lambda function

1.    Open the Functions page of the Lambda console.

2.    Choose Create function.

3.    Choose Author from scratch.

4.    Enter a Function name.

5.    In the Runtime dropdown, choose Python 3.9 as the runtime for this scenario.

6.    For Execution role, choose Create a new role with basic Lambda permissions.

Note: For more information about execution roles, see Lambda execution role.

7.    Choose Create function.

8.     After the function is created, choose the Code tab. In the Code source section, replace the existing function code with the following code:

import json

def lambda_handler(event, context):
  return {
    "statusCode": 200,
    "statusDescription": "200 OK",
    "headers": {
      "Content-Type": "text/html"
    },
    "isBase64Encoded": False,
    "body": "<h1>Hello from Lambda!</h1>"
  }

9.    Choose Deploy.
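
The handler in step 8 ignores the incoming event. The following added example (not part of the original article) shows a handler that reads the Application Load Balancer event, answers health checks early, and escapes request data before reflecting it into the text/html response. The "name" query parameter and the sample event are constructed for illustration.

```python
import base64
import html
from urllib.parse import unquote_plus

HEALTH_CHECK_AGENT = "ELB-HealthChecker/2.0"  # User-Agent of ALB health check requests

def respond(status, description, body):
    """Build a response with the same fields as the handler in step 8."""
    return {
        "statusCode": status,
        "statusDescription": f"{status} {description}",
        "headers": {"Content-Type": "text/html; charset=utf-8"},
        "isBase64Encoded": False,
        "body": body,
    }

def request_body(event):
    """Return the request body as text, decoding it if the load balancer base64-encoded it."""
    raw = event.get("body") or ""
    if event.get("isBase64Encoded"):
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    return raw

def lambda_handler(event, context):
    headers = event.get("headers") or {}
    # Answer health checks before any application logic runs.
    if headers.get("user-agent") == HEALTH_CHECK_AGENT:
        return respond(200, "OK", "healthy")
    if event.get("httpMethod") not in ("GET", "POST"):
        return respond(405, "Method Not Allowed", "<h1>Method not allowed</h1>")
    # The load balancer passes query values still URL-encoded: decode first,
    # then HTML-escape everything that is reflected into the page.
    params = event.get("queryStringParameters") or {}
    name = html.escape(unquote_plus(params.get("name", "Lambda")))  # "name" is hypothetical
    note = html.escape(request_body(event))
    return respond(200, "OK", f"<h1>Hello from {name}!</h1><p>{note}</p>")

# Constructed sample event in the shape an Application Load Balancer sends.
SAMPLE_EVENT = {
    "httpMethod": "POST",
    "path": "/",
    "queryStringParameters": {"name": "%3Cscript%3Ealert(1)%3C/script%3E"},
    "headers": {"user-agent": "curl/8.0", "host": "alb.example.com"},
    "body": base64.b64encode(b"hi <b>there</b>").decode(),
    "isBase64Encoded": True,
}
```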

Step 2: Create a target group for the Lambda function

Note: For more information, see Step 1: Configure a target group.

1.    Open the Amazon EC2 console.

2.    In the navigation pane, under Load Balancing, choose Target Groups.

3.    Choose Create target group.

4.    Under Basic configuration, for Choose a target type, choose Lambda function.

5.    For Target group name, type a name for the target group.

6.    (Optional) To turn on health checks, in the Health checks section, choose Enable.

7.    (Optional) Add one or more tags as follows:

  • Expand the Tags section.
  • Choose Add tag.
  • Enter the tag key and the tag value.

8.    Choose Next.

9.    Choose a Lambda function as the target.
-or-
Choose Add a function later to specify a Lambda function later.

10.    Choose Create target group.

Note: Load balancer permissions to invoke a Lambda function are granted differently depending on the method used to create a target group and register a function. For more information, see Permissions to invoke the Lambda function.

Step 3: Configure a load balancer and a listener

To configure a load balancer and a listener, follow the steps in Step 3: Configure a load balancer and a listener.

Step 4: Test the load balancer

To test the load balancer, follow the steps in Step 4: Test the load balancer. If the setup is working, the browser displays the message "Hello from Lambda!"

Note: If you haven't turned on health checks for your Lambda function, the health status is unavailable. You can still test the load balancer without a health check, because health checks don't affect how Lambda functions work as targets for Application Load Balancers.

Limits of Lambda functions as targets

For more information about the limits of Lambda functions as targets, see Lambda functions as targets and review the information under Limits.

Lambda target groups are limited to a single Lambda function target. For more information, see Prepare the Lambda function.

Common errors of Lambda functions as targets

"The connection has timed out"

This error indicates that the security groups for your load balancer don't allow traffic on the listener port. To resolve this error, manage your security groups and make sure your security group's Inbound rules allow incoming traffic on listener ports. Outbound rules aren't required for security groups because security groups are stateful. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

"The target group could not be found"

This error indicates that the target group was deleted. To resolve this error, delete the resource-based policy statement that references the deleted target group. Deleting the policy statement removes the trigger.

1.    Open the Functions page of the Lambda console.

2.    Choose the Lambda function related to the target group.

3.    Choose the Configuration tab and then choose Permissions.

4.    Scroll down to the Resource-based policy statements section and then select the policy that you want to remove.

5.    Choose Delete and then choose Delete in the warning alert to confirm that you want to permanently delete the policy statement from the resource policy.

You can also use the following remove-permission AWS Command Line Interface (AWS CLI) command to remove the resource-based policy:

Note: In the following command, replace EXAMPLE_FUNCTION with your Lambda function name and EXAMPLE_ID with your statement ID.

aws lambda remove-permission --function-name EXAMPLE_FUNCTION --statement-id EXAMPLE_ID

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

"An error occurred (AccessDenied) when calling the RegisterTargets operation: elasticloadbalancing principal does not have permission to invoke arn <Lambda ARN> from target group <Target Group ARN>"

When a request to a Lambda function fails, the load balancer stores a reason code in the access log's error_reason field. The load balancer also increments the corresponding Amazon CloudWatch metric. For more information, see Error reason codes.

When you register a Lambda function as a target using the AWS CLI, use the add-permission AWS CLI command to grant Elastic Load Balancing permission to invoke your Lambda function.
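
Both permission problems above (a leftover policy statement for a deleted target group, and the invoke grant made with add-permission) come down to the function's resource-based policy. The following added example, not part of the original article, audits that policy offline: it lists Elastic Load Balancing grants whose target group no longer exists and grants that aren't tied to any target group. The account ID, ARNs and statement IDs are constructed placeholders.

```python
import json

ELB_PRINCIPAL = "elasticloadbalancing.amazonaws.com"

def as_list(value):
    """IAM policy JSON allows a single value or a list in most positions."""
    return value if isinstance(value, list) else [value]

def source_arns(statement):
    """Collect aws:SourceArn values from a statement's Condition block."""
    arns = []
    for operands in (statement.get("Condition") or {}).values():
        for key, value in operands.items():
            if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                arns.extend(as_list(value))
    return arns

def audit_elb_grants(policy_json, live_target_groups):
    """Return statement IDs of ELB invoke grants that are stale or unscoped."""
    findings = {"stale": [], "unscoped": []}
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ELB_PRINCIPAL not in services:
            continue
        arns = source_arns(stmt)
        if not arns:
            findings["unscoped"].append(stmt.get("Sid"))  # not tied to a target group
        elif not any(arn in live_target_groups for arn in arns):
            findings["stale"].append(stmt.get("Sid"))  # its target group no longer exists
    return findings

# Constructed sample data: account ID, ARNs and statement IDs are placeholders.
TG = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/"
LIVE, GONE = TG + "live-tg/0123456789abcdef", TG + "old-tg/fedcba9876543210"

def grant(sid, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": ELB_PRINCIPAL},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:EXAMPLE_FUNCTION"}
    return {**stmt, "Condition": condition} if condition else stmt

SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    grant("live-grant", {"ArnLike": {"AWS:SourceArn": LIVE}}),
    grant("old-grant", {"ArnLike": {"AWS:SourceArn": GONE}}),
    grant("open-grant")]})
```

In practice, the policy string is the Policy field returned by aws lambda get-policy, and the set of live ARNs can be built from aws elbv2 describe-target-groups. Each statement ID reported as stale is a candidate for the remove-permission command shown earlier.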

Known errors of Lambda functions as targets

"New metrics related to this feature (LambdaUserError, LambdaInternalError, LambdaTargetProcessedBytes and StandardProcessedBytes) are not available in ELB console monitoring panel."

Access the new Lambda metrics from the Amazon CloudWatch console.

"The new ModifyTargetGroup API allows to configure 120 Seconds health check timeout value, but ELB console does not allow value higher than 60 seconds."

To configure a health check timeout greater than 60 seconds, call the ModifyTargetGroup API through the AWS CLI. You can configure the value to a maximum of 120 seconds.

Example modify-target-group command:

Note: In the following command, replace EXAMPLE_TARGET_GROUP_ARN with your target group ARN and EXAMPLE_REGION with your AWS Region code.

aws elbv2 modify-target-group \
--target-group-arn EXAMPLE_TARGET_GROUP_ARN \
--health-check-timeout-seconds 120 \
--region EXAMPLE_REGION

Related information

Lambda functions as targets

Lambda function versioning and aliases

Traffic shifting using aliases

AWS OFFICIAL, updated a year ago