Allowing Internet egress access for EMR Serverless application using Lambda/Boto3 instead of CDK


My ultimate goal is to have my EMR Serverless application Internet egress access to invoke a specific third party API/REST call. Unfortunately, the EMR Serverless application must then be put into a VPC configured with a NAT Gateway and subnets to allow for such egress access.

I can configure the networking resources to work using CDK - I have validated this to work. However, this would then instantiate a NAT Gateway which has per hour usage costs. My EMR Serverless application runs only a few times a day and for short periods, so I only need the NAT Gateway to be up when the EMR Serverless job is running.

I believe the only way to accomplish this is by adding a Lambda that configures the networking resources before my EMR Serverless job runs in my AWS step function, then decommissions these resources after the EMR Serverless job finishes. Unfortunately, I cannot get the accompanying boto3 code to work.

My boto3 code is below. I get the error:

Unable to push logs, please ensure logging destination is valid and execution role has sufficient permissions. Error: "Connect timeout on endpoint URL: "https://myapplication-logs-useast2-<myaccount>-test.s3.us-east-2.amazonaws.com/MyApplicationNestedStackc-*/applications/<application-id>/jobs/<job_id>

when running my EMR Serverless job. I'm fairly sure my IAM permissions are correct, as it works for my CDK (using the same IAM role I'm using now in my Lambda), and CloudTrail doesn't show any errors. That's why I'm guessing the issue is that Internet egress access is not happening.

My Lambda code is here. What's wrong with my Lambda code? Am I missing something or misconfigured something that is preventing Internet egress access from my EMR Serverless application/job?

  • Please post your Lambda code - it's missing.

  • I've added my Lambda code link.

  • Could you paste the code as text instead of sharing it as a URL? A 403 error occurs and the URL cannot be accessed.

  • Unfortunately, it's 300 lines of code so it doesn't fit into the original post. I don't see an option that allows me to attach the code file either.

  • Also, I tried the link from an incognito browser window and it should work. Here's a different link of the same code: here

1 Answer
Accepted Answer

It looks like you're setting up only one route table - the one for your private subnet to route traffic to the NAT GW. You need another route table for the public subnet to route traffic to the IGW, or your NAT GW has no connection to the internet.

EXPERT
answered 3 months ago
EXPERT Kallu
reviewed 3 months ago
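An added example (not the asker's Lambda code and not the answerer's): the two route tables the accepted answer describes, created with boto3, plus a check over describe_route_tables output that flags the missing public-subnet route. All resource ids are assumed placeholders; the VPC, subnets, IGW and NAT GW are assumed to already exist.

```python
# Added example, not code from the question or the answer. Assumes the VPC,
# both subnets, the internet gateway and the NAT gateway already exist; only
# the two route tables from the accepted answer are created and checked.
DEFAULT_ROUTE = "0.0.0.0/0"


def find_default_target(route_table):
    """Return ("igw", id) or ("nat", id) for the 0.0.0.0/0 route, else None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            if "GatewayId" in route:
                return ("igw", route["GatewayId"])
            if "NatGatewayId" in route:
                return ("nat", route["NatGatewayId"])
    return None


def check_egress_path(route_tables, public_subnet_id, private_subnet_id):
    """Both hops must exist: private subnet -> NAT GW and public subnet -> IGW
    (the NAT GW sits in the public subnet, so it only reaches the internet
    through that IGW route). Input is describe_route_tables()["RouteTables"].
    Returns a list of problems; empty means the topology matches the answer."""
    targets = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                targets[assoc["SubnetId"]] = find_default_target(rt)
    problems = []
    if (targets.get(public_subnet_id) or (None,))[0] != "igw":
        problems.append("public subnet has no default route to an internet gateway")
    if (targets.get(private_subnet_id) or (None,))[0] != "nat":
        problems.append("private subnet has no default route to a NAT gateway")
    return problems


def create_egress_route_tables(ec2, vpc_id, public_subnet_id,
                               private_subnet_id, igw_id, nat_gw_id):
    """Create and associate both route tables via a boto3 EC2 client.
    Returns {"public": route_table_id, "private": route_table_id}."""
    ids = {}
    for name, subnet_id, target in (
        ("public", public_subnet_id, {"GatewayId": igw_id}),
        ("private", private_subnet_id, {"NatGatewayId": nat_gw_id}),
    ):
        rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
        ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=DEFAULT_ROUTE, **target)
        ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=subnet_id)
        ids[name] = rtb_id
    return ids


# Constructed sample (placeholder ids) reproducing the asker's state: only the
# private subnet's table exists and points at the NAT GW; nothing routes to an IGW.
SAMPLE_ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-EXAMPLE"}],
     "Associations": [{"SubnetId": "subnet-PRIVATE"}]},
]
```

Running `check_egress_path` against the real `ec2.describe_route_tables()["RouteTables"]` from the Lambda, before starting the EMR Serverless job, surfaces this misconfiguration without waiting for the log-push timeout.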
