How to configure internet access for a lambda function with a properly configured NAT Gateway?


Hello I am configuring internet access for a lambda that makes an http call to an API.

Below are the steps I followed:

  • I created a public subnet with a CIDR range of 10.0.128.0/20 with its route table containing a route to the internet gateway. The NAT Gateway has been provisioned in this subnet.
  • I created a private subnet with a CIDR range of 10.0.64.0/20. Created a route table with destination: 0.0.0.0/0 and target: NAT gateway and attached it to the subnet.
  • To test that the NAT gateway is working, I used the Reachability Analyzer in AWS Network Manager and it is reachable (source was a Linux EC2 instance created in the private subnet above and target was the internet gateway).
  • I created a security group that allows all inbound and outbound IPv4 traffic.
  • In the Lambda function VPC configuration, only the private subnet and security group were added. After adding them, the Lambda was tested to make an API call to https://api.github.com but the Lambda fails to reach the API. Logging was added to log the response status.

Any assistance is highly appreciated

The function is a simple Lambda function that uses an HTTP client to make an HTTP call.

NAT Setup guide - https://repost.aws/knowledge-center/nat-gateway-vpc-private-subnet#

Lambda internet access - https://repost.aws/knowledge-center/internet-access-lambda-function

YouTube video - https://www.youtube.com/watch?v=Z3dMhPxbuG0

2 Answers
Accepted Answer

The above implementation has been re-reviewed, and with logging in place and a test API call to a free API - https://jsonplaceholder.typicode.com/todos/1 - I can confirm that the response status is 200 OK (the Lambda is able to reach the internet). Another learning was that since the NAT has a static public IP, it can be added to the security groups of the resources you want the Lambda function to access.

High level summary of what got the NAT working for me: NAT GW was created in the public subnet. Private subnet was attached to Lambda and has a route table linking to the NAT.
A security group allowing all outbound traffic on http and https port was attached to the lambda while adding the private subnet.

Kyanda
answered a year ago
EXPERT
reviewed 8 days ago

Hi, from your description above I couldn't be sure which subnet your NAT GW is in. It's in the Public subnet, right?

Your setup sounds good. Are your NACLs open?

EXPERT
answered a year ago
  • Something still doesn't sound right there - your NAT GW needs a route to the Internet GW (if you're using it for internet traffic) so by definition is in a Public subnet if it's working.

  • Kindly note that the NAT Gateway was provisioned in the public subnet which has a route table with access to the internet gateway. Sorry about the earlier comment, I might have been rushing. On a high level summary: NAT GW was created in the public subnet. Private subnet was attached to Lambda and has a route table linking to the NAT.
    A security group allowing all outbound traffic on http and https port was attached to the lambda while adding the private subnet. This approach got the NAT working as expected

  • Hello Skinsman, thanks for the prompt response. The NAT is residing in the public subnet.

    But as per tests with a colleague this morning, we tested using this free API - https://jsonplaceholder.typicode.com/todos/1 - and the response code logged was OK.

    Seems all checks out.
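The thread above boils down to a checklist: the Lambda subnet's default route must point at a NAT gateway (not straight at the internet gateway, since Lambda ENIs never get a public IP), the NAT gateway's own subnet must have a default route to an internet gateway, the security group must allow outbound 443, and, as the second answer asks, the NACLs must be open in both directions because they are stateless. The script below is an added example, not code from the original post or from AWS, that runs that checklist offline over dictionaries shaped like the boto3 describe_route_tables / describe_nat_gateways / describe_security_groups / describe_network_acls responses. All IDs, CIDRs and rules in it are constructed to mirror the question's layout; to use it against a real account you would replace the constructed dicts with the corresponding boto3 responses.

```python
"""Offline check of the Lambda -> NAT gateway -> internet gateway path.
Added example, not code from the original post or from AWS. The dicts mimic
boto3 describe_* response shapes; every ID, CIDR and rule is constructed."""
import copy

ANY = "0.0.0.0/0"          # the API's address is not pinned, so rules must be open to the internet
EPHEMERAL = (1024, 65535)  # inbound port range AWS recommends opening on a NACL for return traffic


def route_table_for(route_tables, subnet_id):
    """Explicit subnet association wins; otherwise AWS applies the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The active 0.0.0.0/0 route of a table, or None if the table has none."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == ANY and r.get("State", "active") == "active":
            return r
    return None


def sg_allows_egress(sg, port):
    """Security groups are stateful: one egress rule covering the port is enough."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto = perm["IpProtocol"]
        if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if proto in ("-1", "tcp") and any(r["CidrIp"] == ANY for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_allows(nacl, egress, port):
    """NACLs are stateless and evaluated lowest RuleNumber first; the first matching
    entry (allow or deny) decides, so replicate that ordering exactly."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", "6") or e["CidrBlock"] != ANY:
            continue
        if e["Protocol"] == "6" and not e["PortRange"]["From"] <= port <= e["PortRange"]["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def check_lambda_egress(env):
    """Return the list of problems found on the path; an empty list means it looks right."""
    problems, rts = [], env["route_tables"]
    nats = {n["NatGatewayId"]: n for n in env["nat_gateways"]}
    for subnet in env["lambda_subnets"]:
        route = default_route(route_table_for(rts, subnet))
        if route is None:
            problems.append(f"{subnet}: no 0.0.0.0/0 route")
            continue
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            # Lambda ENIs never get a public IP, so a route straight to the IGW cannot work.
            problems.append(f"{subnet}: 0.0.0.0/0 targets {route.get('GatewayId', '?')} instead of a NAT gateway")
            continue
        nat = nats.get(nat_id)
        if nat is None or nat["State"] != "available":
            problems.append(f"{nat_id}: NAT gateway missing or not available")
            continue
        nat_route = default_route(route_table_for(rts, nat["SubnetId"]))  # NAT must sit in a public subnet
        if not nat_route or not str(nat_route.get("GatewayId", "")).startswith("igw-"):
            problems.append(f"{nat_id}: subnet {nat['SubnetId']} has no 0.0.0.0/0 route to an internet gateway")
    for sg in env["security_groups"]:
        if not sg_allows_egress(sg, 443):
            problems.append(f"{sg['GroupId']}: no egress rule allowing TCP 443 to {ANY}")
    for subnet in env["lambda_subnets"]:
        nacl = next((n for n in env["network_acls"]
                     if any(a["SubnetId"] == subnet for a in n["Associations"])), None)
        if nacl is None:
            continue  # falls back to the VPC's default NACL, which allows everything
        if not nacl_allows(nacl, True, 443):
            problems.append(f"{subnet}: NACL blocks outbound TCP 443")
        if not all(nacl_allows(nacl, False, p) for p in EPHEMERAL):
            problems.append(f"{subnet}: NACL blocks inbound TCP {EPHEMERAL[0]}-{EPHEMERAL[1]} (return traffic)")
    return problems


# Constructed environment mirroring the question: NAT in the public subnet, Lambda in the
# private subnet, a wide-open security group and NACL. IDs are placeholders, not real ones.
GOOD_ENV = {
    "lambda_subnets": ["subnet-private"],
    "route_tables": [
        {"Associations": [{"SubnetId": "subnet-public"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": ANY, "GatewayId": "igw-example"}]},
        {"Associations": [{"SubnetId": "subnet-private"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": ANY, "NatGatewayId": "nat-example"}]}],
    "nat_gateways": [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public", "State": "available"}],
    "security_groups": [{"GroupId": "sg-example",
                         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}]}],
    "network_acls": [{"Associations": [{"SubnetId": "subnet-private"}], "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": ANY},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": ANY},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": ANY},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": ANY}]}],
}

# The classic mistake: pointing the Lambda subnet's default route straight at the IGW.
BAD_ENV = copy.deepcopy(GOOD_ENV)
BAD_ENV["route_tables"][1]["Routes"][1] = {"DestinationCidrBlock": ANY, "GatewayId": "igw-example"}
```

Running `check_lambda_egress(GOOD_ENV)` returns an empty list, while `check_lambda_egress(BAD_ENV)` reports that the private subnet's default route targets the internet gateway instead of a NAT gateway. Reachability Analyzer from an EC2 instance, as used in the question, does not catch that particular mistake because an instance with a public IP can use the IGW route directly, whereas a Lambda ENI cannot.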
