I am using Serverless framework for creating lambdas. I created a simple Lambda function, which queries from an Mongo instance and returns the response. Initially, I created the Mongo instance with publicIp and made the Lambda access that instance with publicIP. It worked well.
Now, in order to increase the security, I added the VPC configuration to the Lambda. Here is my serverless.yml:
functions:
graphql:
handler: handler.graphql
iamRoleStatements:
- Effect: Allow
Resource: "*"
Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DetachNetworkInterface
- ec2:DeleteNetworkInterface
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
vpc:
securityGroupIds:
- sg-16f9e371
subnetIds:
- subnet-883a12fe
- subnet-3f7b1067
events:
- http:
path: graphql
method: post
integration: lambda
memorySize: 256
timeout: 10
cors: true
response:
headers:
Access-Control-Allow-Origin: "'*'"
Adding the above configuration, the serverless deployment
was successful. Now when I tried to access the function by invoking the APIGateway URL in postman, I get an timeout error. Here is the screenshot of Postman:
Does adding the VPC configuration to Lambda make it inaccessible by invoking it publicly?
To troubleshoot the retry and timeout issues, first review the logs of the API call to find the problem. Then, change the retry count and timeout settings of the AWS SDK as needed for each use case. To allow enough time for a response to the API call, add time to the Lambda function timeout setting.
So a public (non-VPC, has Internet access) Lambda function can call the Invoke API to trigger the private Lambda function, but the private VPC (no Internet access) Lambda function cannot access the Invoke API to trigger any Lambda function.
There are many reasons why a function might time out, but the most likely is that it was waiting on an IO operation to complete. Maybe it was waiting on another service (such as DynamoDB or Stripe) to respond. Within a Lambda invocation, the function might perform multiple IO operations.
When you create lambda functions inside a VPC, the elastic network interfaces of the lambda functions are assigned only a private IP address. But to connect to a resource in the internet you need a public IP address. If your mongo instance is accessed over the internet, your lambda function wouldn't be able connect to it.
You need to setup a NAT gateway to get internet access to the lambda function. Go to the below link and check under the topic "Internet Access for Lambda Functions" to see steps.
http://docs.aws.amazon.com/lambda/latest/dg/vpc.html
You do right by attaching the Lambda to the VPC for database traffic to be transmitted over a private network. It's an unnecessary security compromise otherwise, and slower over the Internet.
The previous answer is correct, you now have an ENI attached to your Lambda Function, which means it has a private IP connection on your VPC Subnet. I'm guessing that your MongoDB instance is in your VPC too, if it was elsewhere on the internet you should have kept it as publicly connected.
Some relevant info:
Design Consideration
A combination of patterns that I use for similar scenarios:
Hope this helps.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With