Network requests from lambda inside VPC won't work for specific ips

Hello,

I have some lambdas running inside a vpc that are connecting to the internet when I set their security group egress rule to allow all outbound traffic but if I change that cidr rule to a specific ip (x.x.x.x/32) instead of all traffic (0.0.0.0/0) and try to make a request to the respective host my requests time out. They are accessing the internet through a nat gateway and public/private subnets. I've tried working the mask backwards all the way down to all traffic but only the all traffic cidr will allow me to successfully make requests.

Any ideas? Thanks

Topics

Networking & Content Delivery

Tags

Amazon VPC Security Group

Language

English

user_randomnumbers

asked 8 months ago210 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hello.

Are the IP addresses allowed in the outbound rules of the security group correct?
We would also need to check the protocols that are allowed.

EXPERT

Riku_Kobayashi

answered 8 months ago

user_randomnumbers
8 months ago
Evidently not - I turned on flow logs and found the ips that were getting rejected and quickly added them to the outbound rules and that temporarily worked. After a few minutes my requests started to time out again and I'm not sure what caused it - also not sure where I should be finding the ips that were rejected. No host resolving tool returns them..
Riku_Kobayashi EXPERT
8 months ago
It may depend on what kind of service you are connecting to, but it may have multiple IP addresses.
user_randomnumbers
8 months ago
Say I wanted to allow https requests to google.com?
Dmytro Sirant EXPERT
8 months ago
If it's google.com it resolves to the multiple IPv4 and IPv6 addresses. You can't expect that it will be always some fixed group of addresses. Some SaaS provide network CIDRs, so you can use them to whitelist, but never heard that Google does it for their google.com site.

I would suggest enabling VPC flow logs and see what is being blocked when you use x.x.x.x/32 https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log

Matt_E

answered 8 months ago

user_randomnumbers
8 months ago
Very helpful! Thank you getting closer now

Relevant content

What are the benefits when I run a Glue job inside VPC?
Accepted Answer
Yen Trinh
asked 2 years ago
Access CloudDirectory from inside a VPC
idoorn
asked 5 years ago
What are the Inbound and Outbound Rules for connecting a Lambda (inside a VPC) to SQS ?
AB
asked 4 months ago
Lambda function inside VPC cannot use client.post_to_connection | It works outside the VPC
Accepted Answer
Joshua
asked 10 months ago
Why can't I delete a security group that's attached to my Amazon VPC?
AWS OFFICIALUpdated 7 months ago
How do I configure security groups and network ACLs when creating a VPC interface endpoint for endpoint services?
AWS OFFICIALUpdated 2 years ago
How can I troubleshoot the "You have exceeded the maximum limit for Lambda HyperPlane elastic network interfaces for your VPC" error when configuring a Lambda function in an Amazon VPC?
AWS OFFICIALUpdated a year ago
How do I give internet access to a Lambda function that's connected to an Amazon VPC?
AWS OFFICIALUpdated 3 days ago
Enabling Secure Connectivity between Overlapping On-Premise Networks and AWS VPC through Pilot VPC and Advanced Twice NAT Technology
EXPERT
Vinay Gugueoth
published 9 months ago
VPC IP Address Manager's 'Public IP Insights': A free and simple feature for customers to get insights on their public IPv4 usage
EXPERT
Nawaz
published 5 months ago