Lambda timeout connecting to Parameter Store


From what I've read this is because my Lambda is attached to my VPC for RDS access.

I've followed several tutorials now and it's still timing out.

  • How are you supposed to troubleshoot these timeout issues? I just happened to stumble upon the VPC issue after random internet searches.
  • Is the Parameter Store an internet-only facing service? Why isn't it accessible by default to my other AWS services?
  • My Lambda also needs to connect to an external URL, which is failing and I'm guessing this VPC issue is also the cause?

Any help would be greatly appreciated. I've been struggling for weeks to get a simple Web Api to run properly on AWS.

Thanks, Jon

1 Answer
Accepted Answer

Hello.

When you connect Lambda to a VPC, you will need to communicate via the VPC to connect to the public endpoint from Lambda.
In other words, a NAT Gateway is required to communicate from Lambda connected to a VPC to a public endpoint.
https://repost.aws/knowledge-center/internet-access-lambda-function

Internet access from a private subnet requires network address translation (NAT). To give internet access to an Amazon VPC-connected Lambda function, route its outbound traffic to a NAT gateway or NAT instance in a public subnet.

If you only want to access Systems Manager Parameter Store, you can access it from Lambda by creating a Systems Manager VPC endpoint in your VPC.
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html

How are you supposed to troubleshoot these timeout issues? I just happened to stumble upon the VPC issue after random internet searches.

No one can judge this unless you yourself know what route Lambda is communicating through.

Is the Parameter Store an internet-only facing service? Why isn't it accessible by default to my other AWS services?

AWS services basically communicate using public endpoints.
Therefore, if you do not have a public IP address, you will not be able to access it and will receive an error.
If you want to achieve private communication, you need to use VPC endpoints.

My Lambda also needs to connect to an external URL, which is failing and I'm guessing this VPC issue is also the cause?

Yes, if Lambda is connected to a VPC, a NAT Gateway is required to access public URLs from Lambda.

answered 2 months ago
  • Thanks for the quick reply.

    I have tried adding the VPC endpoint to the Parameter Store service but my Lambda function still times out. I've looked in the CloudWatch logs but it just says "Timeout"

    For the NAT Gateway, will I need additional IPs to use this? I would like to not incur the costs of additional IPs if possible.

  • I have tried adding the VPC endpoint to the Parameter Store service but my Lambda function still times out. I've looked in the CloudWatch logs but it just says "Timeout"

    Check the VPC endpoint security group and Lambda security group. If you have successfully created the VPC endpoint, the VPC endpoint's security group may not allow HTTPS communication from Lambda.

    For the NAT Gateway, will I need additional IPs to use this? I would like to not incur the costs of additional IPs if possible.

    Yes, using NAT Gateway for public communication requires a fee as it uses a public IPv4 address.

  • IPv6 can be used with Lambda, so if the public URL supports IPv6, it can also be used. https://aws.amazon.com/about-aws/whats-new/2023/10/aws-lambda-ipv6-outbound-connections-vpc/?nc1=h_ls

  • I was able to get the VPC endpoint working... It just took a while even after it said it was available, and now it can access the Parameter Store. Although every 4-5 requests I get a 503 service unavailable and my CloudWatch logs show timeouts.

    Do you have directions on how to configure using ipv6 for the NAT gateway? Also, how would I restrict access to only a certain url?

  • I was able to get the VPC endpoint working... It just took a while even after it said it was available, and now it can access the Parameter Store. Although every 4-5 requests I get a 503 service unavailable and my CloudWatch logs show timeouts.

    Since I don't know your Lambda network configuration or VPC configuration, it is difficult for me to troubleshoot further. I think that the possible cause is that the network ACL of the subnet or the settings around the subnet that are linked to Lambda are suspicious.

    Do you have directions on how to configure using ipv6 for the NAT gateway? Also, how would I restrict access to only a certain url?

    When using IPv6, you need to create an Egress-Only Internet Gateway instead of a NAT Gateway. You must enable IPv6 in your VPC using the steps in the documentation below. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html I think you can just specify the URL to access with Lambda.
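The answer above names the two ways a VPC-attached Lambda can reach Parameter Store (a default route to a NAT gateway, or an SSM interface endpoint whose security group admits the Lambda on TCP/443), and the first follow-up comment points at the endpoint security group as the thing to check. The script below is an added example written for this thread, not code from AWS or from anyone in the discussion. It turns those checks into an offline diagnosis: the functions take dicts shaped like the EC2 DescribeRouteTables / DescribeVpcEndpoints / DescribeSecurityGroups / DescribeSubnets responses and the Lambda VpcConfig, so real boto3 output can be passed in; the sample at the bottom is constructed (made-up VPC, subnet, route table, endpoint and security group IDs) and reproduces the classic failure, a "public" subnet whose default route points at an internet gateway plus an endpoint security group that only admits some other group.

```python
"""Offline checker for the two paths a VPC-attached Lambda can use to reach SSM Parameter Store.

Added example for this thread, not AWS code. Input dicts are shaped like EC2 Describe* API
responses and the Lambda VpcConfig; the sample data at the bottom is constructed (made-up IDs).
"""
from ipaddress import ip_network


def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route (nat-..., igw-..., eni-...), or None if there is none."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r.get("NatGatewayId") or r.get("GatewayId") or r.get("NetworkInterfaceId")
    return None


def route_table_for(subnet_id, route_tables, vpc_id):
    """Explicitly associated table if any, else the VPC main table (the implicit association)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def rule_covers_https(perm):
    """True if one IpPermission entry covers TCP/443 (an all-traffic rule counts)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("IpProtocol") == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)


def sg_allows_https_from(sg, source_sgs, source_cidrs):
    """Does this security group allow inbound TCP/443 from any of the given groups or CIDRs?"""
    for perm in sg.get("IpPermissions", []):
        if not rule_covers_https(perm):
            continue
        if any(g["GroupId"] in source_sgs for g in perm.get("UserIdGroupPairs", [])):
            return True
        for rng in perm.get("IpRanges", []):
            if any(ip_network(c).subnet_of(ip_network(rng["CidrIp"])) for c in source_cidrs):
                return True
    return False


def diagnose(lambda_cfg, vpc_id, region, subnets, route_tables, endpoints, security_groups):
    """Return human-readable findings; an empty list means every Lambda subnet has a path to SSM."""
    findings = []
    sgs = {g["GroupId"]: g for g in security_groups}
    cidr_of = {s["SubnetId"]: s["CidrBlock"] for s in subnets}
    lambda_sgs = set(lambda_cfg["SecurityGroupIds"])
    lambda_cidrs = [cidr_of[s] for s in lambda_cfg["SubnetIds"]]

    if not any(rule_covers_https(p) for g in lambda_sgs for p in sgs[g].get("IpPermissionsEgress", [])):
        findings.append("Lambda security group has no outbound rule covering TCP/443")

    # Path 1: an SSM interface endpoint. Reachable from any subnet in the VPC over the local route,
    # but only if it is available, private DNS is on, and its SG admits the Lambda ENIs on 443.
    endpoint_usable = False
    for ep in endpoints:
        if ep["VpcId"] != vpc_id or ep["ServiceName"] != f"com.amazonaws.{region}.ssm":
            continue
        if ep["State"] != "available":
            findings.append(f"{ep['VpcEndpointId']}: state is {ep['State']}, not available")
        elif not ep.get("PrivateDnsEnabled", False):
            findings.append(f"{ep['VpcEndpointId']}: private DNS disabled, ssm.{region}.amazonaws.com "
                            "still resolves to public IPs")
        elif any(sg_allows_https_from(sgs[g["GroupId"]], lambda_sgs, lambda_cidrs) for g in ep["Groups"]):
            endpoint_usable = True
        else:
            findings.append(f"{ep['VpcEndpointId']}: no security group on the endpoint allows TCP/443 "
                            "from the Lambda SG or the Lambda subnets")

    # Path 2: a default route to a NAT gateway from each Lambda subnet.
    for subnet_id in lambda_cfg["SubnetIds"]:
        rt = route_table_for(subnet_id, route_tables, vpc_id)
        target = default_route_target(rt) if rt else None
        if (target or "").startswith("nat-") or endpoint_usable:
            continue
        if (target or "").startswith("igw-"):
            findings.append(f"{subnet_id}: default route goes to {target}; Lambda ENIs have no public IP, "
                            "so an internet gateway gives them no internet access")
        else:
            findings.append(f"{subnet_id}: no default route to a NAT gateway and no usable SSM endpoint")
    return findings


# ---- constructed sample (made-up IDs) ---------------------------------------------------------
REGION, VPC = "us-east-1", "vpc-0123456789abcdef0"
SUBNETS = [{"SubnetId": "subnet-0aaa", "CidrBlock": "10.0.1.0/24"},
           {"SubnetId": "subnet-0bbb", "CidrBlock": "10.0.2.0/24"}]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": VPC, "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "VpcId": VPC, "Associations": [{"SubnetId": "subnet-0aaa"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0fed", "State": "active"}]},
]


def https_from(group_id):
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": group_id}]}


SECURITY_GROUPS = [
    {"GroupId": "sg-lambda", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-ep-closed", "IpPermissions": [https_from("sg-bastion")]},  # the usual mistake
    {"GroupId": "sg-ep-open", "IpPermissions": [https_from("sg-lambda")]},     # the fix
]
LAMBDA_CFG = {"SubnetIds": ["subnet-0aaa", "subnet-0bbb"], "SecurityGroupIds": ["sg-lambda"]}


def run_sample(endpoint_sg="sg-ep-closed"):
    endpoint = {"VpcEndpointId": "vpce-0ssm", "VpcId": VPC, "ServiceName": f"com.amazonaws.{REGION}.ssm",
                "VpcEndpointType": "Interface", "State": "available", "PrivateDnsEnabled": True,
                "Groups": [{"GroupId": endpoint_sg}]}
    return diagnose(LAMBDA_CFG, VPC, REGION, SUBNETS, ROUTE_TABLES, [endpoint], SECURITY_GROUPS)


if __name__ == "__main__":
    for line in run_sample() or ["OK: every Lambda subnet has a path to SSM"]:
        print(line)
```

Run as-is, the sample reports three findings: the endpoint security group does not admit sg-lambda, subnet-0aaa's default route goes to an internet gateway (useless for a Lambda ENI, which never gets a public IP), and subnet-0bbb has no default route at all; `run_sample("sg-ep-open")` returns an empty list. To run it against a real account, pass in `ec2.describe_route_tables(...)["RouteTables"]`, `describe_vpc_endpoints(...)["VpcEndpoints"]`, `describe_security_groups(...)["SecurityGroups"]`, `describe_subnets(...)["Subnets"]` and `lambda.get_function_configuration(FunctionName=...)["VpcConfig"]`. One reason the CloudWatch log shows nothing but "Task timed out" is that botocore's default connect and read timeouts are 60 seconds each with retries, while the default Lambda timeout is 3 seconds, so the runtime kills the function long before the SDK gives up; setting `botocore.config.Config(connect_timeout=2, read_timeout=2, retries={"max_attempts": 1})` on the SSM client makes the same misconfiguration surface as an `EndpointConnectionError` that names the host it could not reach.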
