Network requests from lambda inside VPC won't work for specific ips

0

Hello,

I have some lambdas running inside a vpc that are connecting to the internet when I set their security group egress rule to allow all outbound traffic but if I change that cidr rule to a specific ip (x.x.x.x/32) instead of all traffic (0.0.0.0/0) and try to make a request to the respective host my requests time out. They are accessing the internet through a nat gateway and public/private subnets. I've tried working the mask backwards all the way down to all traffic but only the all traffic cidr will allow me to successfully make requests.

Any ideas? Thanks

질문됨 일 년 전249회 조회
2개 답변
0

Hello.

Are the IP addresses allowed in the outbound rules of the security group correct?
We would also need to check the protocols that are allowed.

profile picture
전문가
답변함 일 년 전
  • Evidently not - I turned on flow logs and found the ips that were getting rejected and quickly added them to the outbound rules and that temporarily worked. After a few minutes my requests started to time out again and I'm not sure what caused it - also not sure where I should be finding the ips that were rejected. No host resolving tool returns them..

  • It may depend on what kind of service you are connecting to, but it may have multiple IP addresses.

  • Say I wanted to allow https requests to google.com?

  • If it's google.com it resolves to the multiple IPv4 and IPv6 addresses. You can't expect that it will be always some fixed group of addresses. Some SaaS provide network CIDRs, so you can use them to whitelist, but never heard that Google does it for their google.com site.

0

I would suggest enabling VPC flow logs and see what is being blocked when you use x.x.x.x/32 https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log

profile pictureAWS
Matt_E
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠