AWS lambda connect to internal ELB with private Hostzone DNS

I want to set up an EC2 instance running in a private VPC. It can connect to the Internet from the private VPC but cannot be accessed from outside. And there is a lambda function to trigger the EC2 to initiate some interactions with external resources (S3, Dynamo, Internet).

I have set up a VPC as following:

  1. An EC2 instance running docker in a private VPC subnet
  2. An ALB (application load balancer) configured as internal and in private subnets (same as the EC2 subnet)
  3. A NAT Gateway which is working
  4. A lambda function which will do HTTPS GET and POST to the Internet and the ALB
  5. A Route53 private Hostzone has a record set that routes "abcd.internal/api" to the ALB.

Here is the problem. The lambda function can connect to the Internet with HTTPS, but it fails to do an HTTPS GET to the ALB with the private Hostzone record ("abcd.internal").

My understanding is that since my ALB, EC2, lambda, NAT Gateway and Route53 are configured in the same VPC, they should be able to talk to each other with the private DNS name. I don't know why it fails.

Note: Before setting up an internal ALB, I did try setting up an internet-facing ALB in a public subnet, then configured a public Hostzone record set "abcd.public" for this ALB. It can talk to the EC2 instance and the EC2 instance can interact with the Internet through the NAT Gateway. So the "EC2 to Internet" part is working.

Update: I finally dug up some error messages in the lambda log, as follows:

Error: Hostname/IP doesn't match certificate's altnames: "Host: abcd.internal. is not in the cert's altnames: DNS:.public"] reason: 'Host: abcd.internal. is not in the cert\'s altnames: DNS:.public', host: 'abcd.internal.',

That is interesting. I do have a public hostzone coexisting with the private hostzone, but the public hostzone is for other purposes. I don't know why the lambda function uses the public DNS rather than the private DNS since it was configured inside a private subnet.

flyblade asked Nov 30 '17 18:11




1 Answer

Thanks to everyone who posted comments and gave suggestions.

To solve this problem, I have found almost every possible solution online. I put everything in the right position. Lambda function, ELB and EC2 are in the same VPC private subnet. Route53, NAT and IGW are properly set up. I did try playing with the DHCP options set; it didn't work. Maybe I don't fully understand this DHCP and I can't find an example.

It turns out the HTTPS protocol is not working. Before I moved to the private VPC, I had the same thing set up in a public VPC and resources were using HTTPS to communicate. For example, the lambda function will GET/POST to the EC2 instance or ELB. After I moved stuff into a private VPC, HTTPS commands cannot use the internal DNS names.

However, if I use the HTTP protocol, resources can finally find each other by internal DNS names.

I still don't know why HTTPS can't be used in the private VPC, but I can live with this solution.

flyblade answered Oct 17 '22 12:10