Lambda creating ENI everytime it is invoked: Hitting limit

My Lambda accesses resources on my VPC, so as instructed in the documentation I've given the Lambda a role to create network interfaces. I was under the assumption that the ENI is reused, but it looks like every invocation is creating a new ENI, which caused it to throw an error:

Lambda was not able to create an ENI in the VPC of the Lambda function because the limit for Network Interfaces has been reached.

I searched Google but couldn't find the best way to solve this issue. Apart from manually deleting these ENIs periodically, is there a better way?

Chenna V asked Mar 14 '16 14:03



2 Answers

As Mark suggested, the issue was that my AWS Lambda didn't have the DeleteNetworkInterface action specified in the role (policy) that the Lambda was set to. By giving the appropriate policy, the Lambda now detaches and deletes the ENI when done.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:CreateNetworkInterface",
                    "ec2:AttachNetworkInterface",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:ResetNetworkInterfaceAttribute",
                    "autoscaling:CompleteLifecycleAction"
                ]
            }
        ]
    }
Chenna V answered Sep 24 '22 13:09
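An added example, not part of the original thread: a small static lint of a Lambda role's policy document that reports which of the ENI actions from the answer above are not allowed, so a role that can create but not delete or detach interfaces is caught before it surfaces as the ENI-limit error. The two sample policies and the `REQUIRED_ACTIONS` list are constructed for the demonstration; Deny statements and `*` wildcards are handled, conditions and NotAction are not.

```python
import fnmatch

# The ENI lifecycle actions a VPC-enabled Lambda role needs (subset of the
# answer's policy). Missing Delete/Detach is what leaves orphaned ENIs behind.
REQUIRED_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "ec2:DetachNetworkInterface",
]

# Constructed sample: a role that can create ENIs but never clean them up.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"]}]}

# Constructed sample: the same role with the cleanup actions added.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": list(REQUIRED_ACTIONS)}]}


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions not granted: no Allow matches, or a Deny matches.
    Conditions are ignored (treated as true), so this is a lint, not a simulation."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        for req in required:
            if any(_matches(p, req) for p in patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(req)
    return [a for a in required if a not in allowed or a in denied]


def overly_broad_actions(policy):
    """Flag Allow patterns that grant a whole service or everything ('ec2:*', '*')."""
    return [p for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"
            for p in _as_list(s.get("Action")) if p == "*" or p.endswith(":*")]
```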


The official line from AWS (via their docs and a support ticket) is to use the AWS-managed policy AWSLambdaVPCAccessExecutionRole.

Excerpt from a private support ticket:

The role you are using in your Lambda function has an attached policy "AWSLambdaVPCAccessExecutionRole", which is an AWS managed policy for VPC-enabled Lambda functions. This policy contains all needed permissions and may be updated in future if new permissions are needed due to updates to the service.

It is also worth noting that it can sometimes take several hours for detached ENIs to be reaped.

Dave S. answered Sep 24 '22 13:09