Lambda in private subnet cannot reach DynamoDB

0

Hi!

We are working on a POC related to hardening network security & resources.

We used as a model the Building Basic Web Application reference, link: https://aws.amazon.com/getting-started/hands-on/build-web-app-s3-lambda-api-gateway-dynamodb/, where a Lambda invoked from API Gateway posts data into a DynamoDB table.

Here are the changes made:

  • The Lambda was set to be inside the VPC and within a private subnet.
  • A NAT Gateway was added for internet access and linked to the route table of the private subnet.
  • A VPC Gateway endpoint was also added so the communication between the Lambda and DynamoDB can be done through the endpoint instead of over routes. This endpoint has also been added to the route table of the private subnet.

If we take the Lambda out of the VPC and configure it as "NONE" in the VPC settings, it works fine, just as it is supposed to work per the reference previously shared.

We created another Lambda using the "Hello World" template, added it to the same VPC, and it works fine. The problem here is with the Lambda that posts data into a DynamoDB table.

Error message from Lambda: Task timed out.

It seems that the issue is between the communication from Lambda to DynamoDB, since the other Lambda works fine inside the VPC.

Any advice? Kindly/please help!

Thank you!

Reference Architecture

2 Answers
0

The VPC endpoint has an associated security group. The ENI for Lambda Function's VPC attachment also has a security group associated. Please ensure that the VPC endpoint's security group has an ingress rule allowing traffic from the Lambda Function's security group.

Please see here for more details on accessing services using a VPC endpoint.

AWS
answered 2 years ago
  • Hi Aaron. Thanks a lot for your reply and information. Looking at the settings, we are unable to find the security group of the VPC endpoint since it is a Gateway endpoint to DynamoDB. Looking at the documentation shared, security groups on VPC endpoints are only available for Interface endpoints. On the Gateway endpoint for DynamoDB we only have the option to modify the endpoint policy. On the other hand, the security group of the ENI now has the endpoint ID as part of the outbound rules using port 443 and, for the destination, the endpoint prefix list (pl-xxxx). It is still not working.

  • Same here. I can confirm the above comment. There is NO security group setting for the DynamoDB VPC Endpoint as it is a Gateway endpoint (not an Interface endpoint). Help would be appreciated.

  • I agree with the above comments. Following the examples of creating a private subnet with a VPC endpoint for DynamoDB, attaching a Lambda function to the private subnet, and allowing access to the gateway using a security group with the prefix list for the DynamoDB gateway (pl-xxxx) does not seem to work.

0

I had this problem because I had set "EnableDnsSupport" to false in my CDK configuration. When I set it to true it was able to reach my table.

Check if DNS Resolution is enabled for your private VPC.

godamon
answered a year ago
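Pulling the two answers and the comments together, as an added example that is not part of any answer or comment above: a Gateway endpoint has no security group, so the things that can actually break the Lambda-to-DynamoDB path inside the VPC are the association of the Lambda subnet's route table with the endpoint (and the resulting pl-xxxx route), the endpoint policy, the egress rules of the security group on the Lambda's ENI, and VPC DNS support (the second answer's case). The Python below checks those preconditions offline from dicts shaped like the responses of the EC2 describe-vpc-attribute, describe-route-tables, describe-vpc-endpoints and describe-security-groups calls and the Lambda function's VpcConfig. All resource IDs, the prefix list ID and the sample environment are constructed for the example; in practice you would feed it the real API output.

```python
import json

# Constructed identifiers for the example (assumptions, not real resources).
VPC_ID = "vpc-0example"
PRIVATE_SUBNET_ID = "subnet-0private"
PRIVATE_RTB_ID = "rtb-0private"
LAMBDA_SG_ID = "sg-0lambda"
ENDPOINT_ID = "vpce-0dynamodb"
PREFIX_LIST_ID = "pl-0dynamodb"  # managed prefix list of com.amazonaws.<region>.dynamodb


def sg_allows_https_to(sg, prefix_list_id):
    """True if some egress rule covers TCP/443 to the DynamoDB prefix list or to 0.0.0.0/0."""
    for perm in sg.get("IpPermissionsEgress", []):
        proto_ok = perm["IpProtocol"] == "-1" or (
            perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
        dest_ok = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                   or any(p.get("PrefixListId") == prefix_list_id for p in perm.get("PrefixListIds", [])))
        if proto_ok and dest_ok:
            return True
    return False


def policy_allows_dynamodb(policy_document):
    """Coarse check of the endpoint policy: an Allow covering DynamoDB actions and no Deny on '*'."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow = deny_all = False
    for s in statements:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        covers = any(a in ("*", "dynamodb:*") or a.startswith("dynamodb:") for a in actions)
        allow = allow or (s.get("Effect") == "Allow" and covers)
        deny_all = deny_all or (s.get("Effect") == "Deny" and "*" in actions)
    return allow and not deny_all


def check_gateway_path(vpc_attrs, route_tables, endpoints, security_groups, lambda_vpc_config, prefix_list_id):
    """Return a list of findings; an empty list means every checked precondition holds."""
    findings = []
    # The function must be able to resolve dynamodb.<region>.amazonaws.com (second answer's case).
    if not vpc_attrs.get("EnableDnsSupport", {}).get("Value", False):
        findings.append("VPC EnableDnsSupport is false: DynamoDB endpoint name cannot be resolved")

    # Which route table does each Lambda subnet use? Explicit association wins, else the main table.
    main_rtb, subnet_rtb = None, {}
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main_rtb = rtb
            elif assoc.get("SubnetId"):
                subnet_rtb[assoc["SubnetId"]] = rtb

    gateways = [e for e in endpoints
                if e.get("VpcEndpointType") == "Gateway" and e.get("ServiceName", "").endswith(".dynamodb")]
    if not gateways:
        findings.append("no Gateway endpoint for DynamoDB in the VPC")
    for e in gateways:
        if e.get("State") != "available":
            findings.append(f"{e['VpcEndpointId']}: state is {e.get('State')}, not available")
        if not policy_allows_dynamodb(e.get("PolicyDocument", '{"Statement": []}')):
            findings.append(f"{e['VpcEndpointId']}: endpoint policy does not allow DynamoDB actions")

    for subnet_id in lambda_vpc_config["SubnetIds"]:
        rtb = subnet_rtb.get(subnet_id, main_rtb)
        rtb_id = rtb["RouteTableId"] if rtb else None
        if not any(rtb_id in e.get("RouteTableIds", []) for e in gateways):
            findings.append(f"{subnet_id}: route table {rtb_id} is not associated with the DynamoDB gateway endpoint")
        elif not any(r.get("DestinationPrefixListId") == prefix_list_id and r.get("State") == "active"
                     for r in rtb.get("Routes", [])):
            findings.append(f"{subnet_id}: no active route for {prefix_list_id} via the endpoint")

    # Gateway endpoints have no security group; only the Lambda ENI's egress rules matter.
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    for sg_id in lambda_vpc_config["SecurityGroupIds"]:
        if not sg_allows_https_to(by_id[sg_id], prefix_list_id):
            findings.append(f"{sg_id}: no egress rule for TCP/443 to {prefix_list_id} (or 0.0.0.0/0)")
    return findings


def sample_environment(dns_support=True, https_egress=True):
    """Constructed API-shaped input mimicking the question's setup (private subnet, NAT GW, gateway endpoint)."""
    egress = ([{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
                "PrefixListIds": [{"PrefixListId": PREFIX_LIST_ID}]}] if https_egress
              else [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []}])
    return {
        "vpc_attrs": {"VpcId": VPC_ID, "EnableDnsSupport": {"Value": dns_support}},
        "route_tables": [{"RouteTableId": PRIVATE_RTB_ID,
                          "Associations": [{"Main": False, "SubnetId": PRIVATE_SUBNET_ID}],
                          "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
                                     {"DestinationPrefixListId": PREFIX_LIST_ID, "GatewayId": ENDPOINT_ID, "State": "active"}]}],
        "endpoints": [{"VpcEndpointId": ENDPOINT_ID, "VpcEndpointType": "Gateway", "State": "available",
                       "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": [PRIVATE_RTB_ID],
                       "PolicyDocument": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                                                   "Action": "*", "Resource": "*"}]})}],
        "security_groups": [{"GroupId": LAMBDA_SG_ID, "IpPermissionsEgress": egress}],
        "lambda_vpc_config": {"SubnetIds": [PRIVATE_SUBNET_ID], "SecurityGroupIds": [LAMBDA_SG_ID]},
        "prefix_list_id": PREFIX_LIST_ID,
    }


if __name__ == "__main__":
    for label, env in (("working", sample_environment()),
                       ("broken", sample_environment(dns_support=False, https_egress=False))):
        print(label, check_gateway_path(**env) or ["ok"])
```

The "working" environment yields no findings; the "broken" one (DNS support off, security group egress limited to TCP/80) yields one finding for each. Real input comes from `aws ec2 describe-vpc-attribute --attribute enableDnsSupport`, `describe-route-tables`, `describe-vpc-endpoints`, `describe-security-groups` and the VpcConfig block of `aws lambda get-function-configuration`. The check is deliberately coarse: it does not evaluate network ACLs on the subnet, IAM permissions of the function's execution role, or an SDK client pinned to a different region than the endpoint's, any of which also presents as "Task timed out" or an access error rather than a network-level failure.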
