Why can't an AWS lambda function inside a public subnet in a VPC connect to the internet?
I've followed the tutorial here to create a VPC with public and private subnets.
Then I set up an AWS lambda function inside the public subnet to test if it could connect to the outside internet.
Here's my lambda function written in python3
import requests
def lambda_handler(event, context):
r = requests.get('http://www.google.com')
print(r)
The function above failed to fetch the content of http://www.google.com when I set it inside the public subnet in a VPC.
Here's the error message:
"errorMessage": "HTTPConnectionPool(host='www.google.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 110] Connection timed out',))", "errorType": "ConnectionError",
I don't understand why.
The route table of the public subnet looks like this:
The GET request to http://www.google.com should match igw-XXXXXXXXX target. Why can't the internet-gateway(igw) deliver the request to http://www.google.com and get back the website content?
This article says that I must set the lambda function inside the private subnet in order to have internet access.
If your Lambda function needs to access private VPC resources (for example, an Amazon RDS DB instance or Amazon EC2 instance), you must associate the function with a VPC. If your function also requires internet access (for example, to reach a public AWS service endpoint), your function must use a NAT gateway or instance.
But it doesn't explain why I can't set the lambda function inside the public subnet.
Lambda functions attached to a public subnet in your VPC cannot access the internet.
To access the internet from a public subnet you would need the requests to originate from a network interface that has an associated public IP or you would need to route the requests via a Network Address Translation (NAT) device that itself has a public IP. In both cases you would also need an Internet Gateway (IGW).
However:
- Lambda functions do not and cannot** have public IP addresses, and
- the default route target in a VPC public subnet is the IGW, not a NAT
So, because the Lambda function only has a private IP and its traffic is routed to the IGW rather than to a NAT, all packets to the internet from the Lambda function will be dropped at the IGW.
** there is an alleged workaround whereby an Elastic IP can be associated with the Lambda function's ENI. See this post for more details and, importantly, some potentially significant limitations.
Should I Configure my Lambda Function for VPC Access?
If your Lambda function does not need to reach private resources inside your VPC (e.g. an RDS database or Elasticsearch cluster) then do not attach the Lambda function to your VPC.
If your Lambda function does need to reach private resources inside your VPC, then attach the Lambda function to one or more private subnets (and only private subnets) of your VPC.
NAT or Not?
If the Lambda function only needs access to resources in the VPC (e.g. an RDS database in a private subnet) then you don't need to route through NAT.
If the Lambda function only needs access to resources in the VPC and access to AWS services that are all available via private VPC Endpoint then you don't need to route through NAT. Use VPC Endpoints.
If your Lambda function needs to reach endpoints on the internet then ensure a default route from the Lambda function's private subnet(s) to a NAT instance or NAT Gateway in a public subnet. And configure an IGW, of course, to enable internet access.
Be aware that NAT gateway charges per hour and per GB processed so it's worth understanding how to reduce data transfer costs for NAT gateway.
Best Practices
When configuring Lambda functions for VPC access, it is a High Availability (HA) best practice to configure multiple (private) subnets across different Availability Zones (AZs).
Intermittent Connectivity
Be sure that all the subnets you configure for your Lambda function are private subnets. It is a common mistake to configure, for example, 1 private subnet and 1 public subnet. This will result in your Lambda function working OK sometimes and failing at other times without any obvious cause.
For example, the Lambda function may succeed 5 times in a row, and then fail with a timeout (being unable to access some internet resource or AWS service). This happens because the first launch was in a private subnet, launches 2-5 reused the same Lambda function execution environment in the same private subnet (a so-called "warm start"), and then launch 6 was a "cold start" where the AWS Lambda service deployed the Lambda function in a public subnet where the Lambda function has no route to the internet.
- How can we enable Amazon S3 replication modification sync in terraform?
- Response from AWS SQS Java SDK does not match Python SDK or CLI
- Unable to Add Alias Record in Route 53 for AWS Cognito Custom Domain: CloudFront Alias Target Missing
- How to get the region of the current user from boto?
- Syntax error at or near ':'(line 1, pos 2) - PARSE_SYNTAX_ERROR - == SQL ==
- How get Environment Variables from lambda (nodejs aws-sdk)
- Return the expected status code in Postman
- Moving resources between CloudFormation stacks
- AWS ECS exec /usr/local/bin/docker-entrypoint.sh: exec format error
- Connection Reset during large file uploads to AWS s3 using Multer-s3
- Is RDS instance in 'pending reboot' status after parameter group change automatically rebooted?
- Elastic Beanstalk deleting generated files on config changes
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- Upload via presigned request - 403 forbidden for Unicode Filename
- Best practices for developing scalable video transcoding server on Amazon Web Services?
- Enable compression for AWS SQS Java API or how to tell if it's already on?
- Getting no basic auth credential from AWS ECR when pulling image
- How to load npm modules in AWS Lambda?
- Amazon EFS vs S3: Which is better for appending small chunks of data to large files?
- Is there a way to delay DynamoDB stream emissions while nearly parallel data is upserted to a record?
- Push docker image to amazon ecs repository
- AWS SSM Agent - Using the aws cli, is there a way to list all the AWS instances that are missing the SSM agent?
- CloudFormation is not authorized to perform: iam:PassRole on resource
- S3 - Access-Control-Allow-Origin Header
- How to run AWS codeartifact login and keep default registry
- aws s3api restore-object permission error
- AWS Glue Crawler issue with S3 export from RDS
- AWS Amplify Functions allow.resource() not working
- Is it possible to enrich a message on an sqs queue
- Does EKS Auto Mode use AWS Load Balancer Controller?