AWS Lambda triggers SES in VPC
I have a lambda function sitting in a VPC, with the following in/out bound rules.
Inside the function, the goal is to trigger an email, so something like this:
const aws = require('aws-sdk');
const ses = new aws.SES({ region: 'us-west-2' });
ses.sendEmail(params, function (err, data) {
if (err) {
console.log(err);
}
});
However; when I trigger the function, there is no error printed, and the task timed out.
Originally the function was sitting out of VPC, and it can successfully send the email.
I've double checked this function's permission, which includes AWSLambdaVPCAccessExecutionRole.
Any one knows what's happening here?
the problem with this is that the lambda function's code has no path to reach the SES endpoint.
The easiest way to fix this is to give the function access to the Internet. Although you gave the Security Group permission to connect to the internet, cannot reach the SES endpoint because it has no public IP to send the requests from.
Putting Function behind NAT
The easiest way to fix this is to:
- put a NAT Gateway in the subnet(s) where the function is deployed to,
- in the route table of the subnet(s) append a rule to direct all traffic to
0.0.0.0/0to the NAT Gateway.
More info about NAT gateways
Keep in mind that this has the advantage to allow your function to access any internet resource and also the downside of routing the traffic though public Internet.
Creating an endpoint in your VPC
This solution, although cleaner and more modern, involves many steps and I suggest you to stick with the first solution.
A VPC endpoint is essentially a way to reach an AWS service (or a service from AWS's Marketplace) without letting your traffic to leave your VPC.
This works by assigning a private IP in your VPC to a "private link" to that service.
If you want to take this path, start reading from this page Interface VPC endpoints.
- AWS CLI Create Default VPC
- Email address is not verified (AWS SES)
- RDS Proxy: PENDING_PROXY_CAPACITY and "DBProxy Target unavailable due to an internal error"
- mTLS on AWS ALBs across multiple regions
- How to debug a aws lambda function?
- AWS SAM retrieve secret value from Secret Manager with dynamic referencing
- Cloudfront redirect when signed cookies not present
- Is there a wildcard character in AWS EventBridge rules?
- Laravel file upload s3 Multipart
- Increase EC2 disk storage without losing any data
- AWS Lambda triggers SES in VPC
- Setting HTTP Headers with Lambda@Edge
- How to find an Amazon EC2 AMI if I only have the id?
- AWS Lambda - Can't set memory larger than 3008 MB
- Which one is the cheapest to use AWS RDS or my own database?
- AWS Glue Please verify role's TrustPolicy
- How to create event bus events with source 'aws.'?
- Terraform and AWS: No Configuration Files Found Error
- How to transfer the packets through NAT gateway instead of public IP?
- Is Aws well architected framework supports API's?
- Can't delete AWS internet Gateway
- Unable to Trigger Lambda function in AWS using Python code from my local setup
- How to login with AWS CLI using credentials profiles
- How to retrieve multiple endpoints using data "aws_vpc_endpoint" resource?
- When pushing to ECS, Docker image errors out with module not found error
- Is there a way to drop file extensions when using AWS CLI with --recursive?
- On-demand self-hosted AWS EC2 runner for GitHub Actions
- How to manage dev and prod environments in a SAM project with CloudFormation Stacks, API Gateway, Lambda, and other AWS services?
- EC2 Instance error telling me multiple IAM Roles are attached when I try to change it...?
- (NoSuchVersion) when calling the GetObject operation: The specified version does not exist