AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access

As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.

So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination: 0.0.0.0/0 and target as my NAT gateway's id, I got an error that

An entry with this destination already exists 

I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:

  • Are accessible only via SSH and the rest of the traffic is blocked
  • Are able to completely access other EC2 instances in the same VPC
  • A Lambda function having access to this VPC can access outside resources like SQS and Kinesis.
Mandeep Singh asked Feb 17 '16 11:02



2 Answers

I found a good detailed tutorial on how to allow your lambda to connect to both VPC resources and the internet here: https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7

A quick walk-through:

  • set up new subnets for your lambda (with CIDRs not overlapping your existing subnets). You need:
    • one subnet which will be pointing to an Internet Gateway (IGW) to be used by the NAT (let's call it A)
    • several pointing to the NAT to be used by your lambda (B, C and D)
  • add a NAT gateway: set the subnet to A
  • set your lambda VPC subnets to B, C and D
  • create 2 route tables:
    • one that points to your NAT with destination 0.0.0.0/0
    • one that points to your IGW (should already exist) with destination 0.0.0.0/0
  • update the subnet A to use the route table pointing to the IGW
  • update the subnets B, C and D to use the route table pointing to the NAT

Hope this helps.

Vincent de Lagabbe answered Sep 28 '22 04:09


You need both the IGW and the NAT gateway for this to work.

In the public subnets (ones you want to reach from outside) point the 0.0.0.0/0 traffic to the IGW gateway. The NAT gateway itself needs to sit in one of these public subnets.

In the private subnets that you want to NAT point 0.0.0.0/0 traffic to the NAT gateway elastic network interface.

If 0.0.0.0/0 is already bound to the gateway you need to remove that and add it pointing to the NAT gateway.

See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html

Mircea answered Sep 28 '22 03:09
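The topology both answers describe (one public subnet A holding the NAT gateway and routing 0.0.0.0/0 to the IGW, private subnets B, C and D routing 0.0.0.0/0 to the NAT gateway, and the Lambda function attached only to the private subnets) expressed as a Terraform configuration. This is an added example, not code from the question, the answers or the linked gist; the region, VPC and subnet CIDRs, the admin SSH source range, the IAM role ARN and the function zip name are assumed placeholders. It also adds the security group rules the question asks for (SSH only from outside, everything between instances inside the VPC), which the answers do not spell out.

```hcl
# Added example: Terraform layout for the IGW + NAT gateway topology above.
# All CIDRs, names, the role ARN and the zip file are assumed placeholders.
provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumed
}

# The IGW is the only direct path to the internet; only subnet A uses it.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Subnet A: public. Hosts the NAT gateway and SSH-reachable EC2 instances.
resource "aws_subnet" "public_a" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.0.0/24" # assumed, must not overlap existing subnets
}

# Subnets B, C, D: private. The Lambda function's ENIs are placed here.
resource "aws_subnet" "private" {
  for_each   = { b = "10.0.1.0/24", c = "10.0.2.0/24", d = "10.0.3.0/24" }
  vpc_id     = aws_vpc.main.id
  cidr_block = each.value
}

# The NAT gateway needs an Elastic IP and must sit in the public subnet.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public_a.id
  depends_on    = [aws_internet_gateway.igw]
}

# Route table 1: 0.0.0.0/0 -> IGW, associated with subnet A only.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public_a" {
  subnet_id      = aws_subnet.public_a.id
  route_table_id = aws_route_table.public.id
}

# Route table 2: 0.0.0.0/0 -> NAT gateway, associated with B, C and D.
# Keeping this separate from table 1 is what avoids the
# "An entry with this destination already exists" conflict.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private.id
}

# EC2 security group: inbound SSH from an admin range only, unrestricted
# traffic between members of this group, outbound allowed.
resource "aws_security_group" "ec2" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # assumed admin source range
  }
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Lambda security group: outbound only; SQS/Kinesis calls leave via the NAT.
resource "aws_security_group" "lambda" {
  vpc_id = aws_vpc.main.id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The function is attached to the private subnets only, never to subnet A.
resource "aws_lambda_function" "worker" {
  function_name = "vpc-worker"                                  # assumed
  role          = "arn:aws:iam::123456789012:role/PLACEHOLDER"  # placeholder
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "function.zip"                                # placeholder
  vpc_config {
    subnet_ids         = [for s in aws_subnet.private : s.id]
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

The point to check after `terraform apply` is that the private route table, not the public one, is the one associated with the subnets listed in the function's `vpc_config`; a Lambda ENI placed in subnet A has no public IP and therefore gets no internet access even though that subnet routes to the IGW. The EC2 instances stay in subnet A, so replacing the IGW route with a NAT route (the step that broke SSH in the question) is never needed.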