Lambda function can't connect to CodeCommit from a subnet

0

I made a lambda function to connect to a CodeCommit repository, select a branch and get a specific file. It works as expected.

Then I moved this function to a subnet (tried a public and a private one) and it is no longer able to connect to CodeCommit, am I missing something?

I need this lambda to be in a subnet to connect to a db, no need to have internet access as it should be triggered from S3.

Thanks M

1 Answer
2

To connect to an AWS API you need to either have outbound (e.g. IGW or NAT GW) internet access to reach it or use a VPC Endpoint - https://docs.aws.amazon.com/codecommit/latest/userguide/codecommit-and-interface-VPC.html.

When you tried it in a public subnet, can your lambda function access other internet sites OK?

EXPERT
answered a year ago
  • One correction, Lambda functions do not get a public IP address, as such, they can't connect to the internet directly, even if attached to a public subnet.

    You should attach your function to a private subnet and use a VPC endpoint for CodeCommit.

  • Thanks @Uri I forgot about that. NAT GW is still an option though. In theory you can connect directly from a public subnet by attaching an EIP to the Lambda's ENI but it's not recommended. Since the VPC Lambda networking improvements of 2019/20 the ENIs are long-lived but still:

    • could be deleted if unused for weeks
    • could be supplemented by additional ENIs if high concurrency.

    So this approach maybe could work if set up carefully but there are better options!

  • As I said, my function can connect to CodeCommit if I leave Configuration -> VPC empty. I would expect it to do the same if I set a public subnet but this doesn't happen. To connect to CodeCommit I am using the aws-sdk, I am not calling any API endpoint directly.

    This function doesn't need to have access to the internet. It needs to connect to CodeCommit, do some operations, and then connect to a DB.

    When Configuration -> VPC is empty, I can connect to CodeCommit but not to the DB.

    If I set Configuration -> VPC with a public or private subnet, I cannot connect to CodeCommit but I can connect to the DB.

  • When using any AWS SDK you're using underlying AWS APIs, so unless you're using a VPC endpoint then you need internet access. When Configuration -> VPC is empty, your Lambda has internet access by default so can connect to CodeCommit. When Configuration -> VPC is not empty, your Lambda does not have internet access by default and needs to be given internet access or use a VPC endpoint to connect to CodeCommit as discussed.

  • I created a VPC endpoint (interface) and I set up the same private subnets where my lambda is. Also I tried both com.amazonaws.us-east-1.git-codecommit and com.amazonaws.us-east-1.codecommit but still experiencing timeout. Is there anything else I can double check?
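The thread above ends with the endpoint created but the SDK call still timing out. The script below is an added example, not code from the original post or from AWS; it encodes the things a practitioner would double-check before blaming the network: the endpoint is for the `codecommit` API service (the `git-codecommit` service only carries git-over-HTTPS, not SDK calls such as GetFile), it sits in the function's VPC and is `available`, private DNS is enabled (otherwise the SDK's default hostname `codecommit.<region>.amazonaws.com` resolves to a public IP the VPC-attached function cannot reach, which shows up as exactly this timeout), and the endpoint's security group admits TCP/443 from the function's security group or CIDR. The region, VPC/subnet/SG IDs and the two sample API responses are constructed for the demo; the `main()` path that pulls the same data live with boto3 is an assumption about how you would wire it up and is not needed to run the checks.

```python
"""Diagnose why a VPC-attached Lambda cannot reach CodeCommit through an interface endpoint.

Added example (not from the original post). The pure function
check_codecommit_endpoint() runs offline on dicts shaped like the responses of
ec2.describe_vpc_endpoints() and ec2.describe_security_groups(); main() is an
assumed live wrapper that fetches those responses with boto3.
"""
import sys

# Interface endpoint service names (region substituted at runtime).
CODECOMMIT_API = "com.amazonaws.{region}.codecommit"      # SDK/API calls (aws-sdk, boto3)
CODECOMMIT_GIT = "com.amazonaws.{region}.git-codecommit"  # git clone/push over HTTPS only


def _permits_443(perm, fn_sgs):
    """True if one IpPermissions entry lets TCP/443 in from the function."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):           # "-1" means all traffic
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)):
        return False
    sg_ok = any(p.get("GroupId") in fn_sgs for p in perm.get("UserIdGroupPairs", []))
    cidr_ok = bool(perm.get("IpRanges")) or bool(perm.get("Ipv6Ranges"))
    return sg_ok or cidr_ok


def check_codecommit_endpoint(region, fn_vpc, fn_subnets, fn_sgs, endpoints, sg_ingress):
    """Return a list of findings; an empty list means the endpoint should be usable.

    endpoints:  list of VpcEndpoints entries (describe_vpc_endpoints).
    sg_ingress: {GroupId: IpPermissions list} (describe_security_groups).
    """
    findings = []
    wanted = CODECOMMIT_API.format(region=region)
    eps = [e for e in endpoints
           if e.get("VpcId") == fn_vpc and e.get("ServiceName") == wanted
           and e.get("VpcEndpointType") == "Interface"]
    if not eps:
        findings.append(f"no Interface endpoint for {wanted} in {fn_vpc} "
                        f"({CODECOMMIT_GIT.format(region=region)} does not serve SDK calls)")
        return findings
    ep = eps[0]
    if ep.get("State") != "available":
        findings.append(f"endpoint {ep.get('VpcEndpointId', '?')} is in state {ep.get('State')}")
    if not ep.get("PrivateDnsEnabled"):
        findings.append("PrivateDnsEnabled is false: the SDK's default hostname resolves to the "
                        "public API address, which a VPC-attached Lambda cannot reach (timeout)")
    if not set(ep.get("SubnetIds", [])) & set(fn_subnets):
        findings.append("endpoint has no ENI in any of the function's subnets; "
                        "verify it covers the function's availability zones")
    ep_sgs = [g["GroupId"] for g in ep.get("Groups", [])]
    if not any(_permits_443(p, set(fn_sgs)) for sg in ep_sgs for p in sg_ingress.get(sg, [])):
        findings.append(f"endpoint security group(s) {ep_sgs} do not allow TCP/443 from {fn_sgs}")
    return findings


# ---- constructed sample data (not real resources) --------------------------
REGION = "us-east-1"
FN = {"VpcId": "vpc-0example", "SubnetIds": ["subnet-0a", "subnet-0b"],
      "SecurityGroupIds": ["sg-lambda"]}

# Misconfigured: private DNS off, endpoint SG only trusts an unrelated SG.
BROKEN_ENDPOINTS = [{
    "VpcEndpointId": "vpce-0broken", "VpcId": "vpc-0example",
    "ServiceName": "com.amazonaws.us-east-1.codecommit", "VpcEndpointType": "Interface",
    "State": "available", "SubnetIds": ["subnet-0a", "subnet-0b"],
    "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-endpoint"}]}]
BROKEN_SG_INGRESS = {"sg-endpoint": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "UserIdGroupPairs": [{"GroupId": "sg-bastion"}],
                                      "IpRanges": []}]}

# Corrected: private DNS on, endpoint SG admits 443 from the Lambda's SG.
FIXED_ENDPOINTS = [dict(BROKEN_ENDPOINTS[0], VpcEndpointId="vpce-0fixed", PrivateDnsEnabled=True)]
FIXED_SG_INGRESS = {"sg-endpoint": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                     "UserIdGroupPairs": [{"GroupId": "sg-lambda"}],
                                     "IpRanges": []}]}


def diagnose_sample(endpoints, sg_ingress):
    """Run the checks against the constructed function config above."""
    return check_codecommit_endpoint(REGION, FN["VpcId"], FN["SubnetIds"],
                                     FN["SecurityGroupIds"], endpoints, sg_ingress)


def main(function_name):
    """Assumed live wrapper: same checks against a real function (needs boto3 + credentials)."""
    import boto3
    region = boto3.session.Session().region_name
    cfg = boto3.client("lambda").get_function_configuration(FunctionName=function_name)["VpcConfig"]
    ec2 = boto3.client("ec2")
    eps = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [cfg["VpcId"]]}])["VpcEndpoints"]
    ep_sgs = sorted({g["GroupId"] for e in eps for g in e.get("Groups", [])})
    ingress = {g["GroupId"]: g["IpPermissions"]
               for g in ec2.describe_security_groups(GroupIds=ep_sgs)["SecurityGroups"]} if ep_sgs else {}
    for f in check_codecommit_endpoint(region, cfg["VpcId"], cfg["SubnetIds"],
                                       cfg["SecurityGroupIds"], eps, ingress) or ["no findings"]:
        print("-", f)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        print("broken:", diagnose_sample(BROKEN_ENDPOINTS, BROKEN_SG_INGRESS))
        print("fixed: ", diagnose_sample(FIXED_ENDPOINTS, FIXED_SG_INGRESS))
```

Run it without arguments to see the two findings on the misconfigured sample (private DNS off, security group not admitting the function) and none on the corrected one; with a function name it repeats the checks against the live account. The subnet-overlap check is deliberately a warning rather than a hard failure, since private DNS lets a function in one AZ reach an endpoint ENI in another; the function's own security group egress is not inspected because Lambda's default egress rule allows all outbound traffic.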
