I have a Lambda function from which I need to make an external API call. I have added the Lambda function to a security group, a VPC, and 2 subnets, and it gives me this text:
When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.
I go into VPC, create a NAT gateway (I let AWS create a EIP), attach it to one of the subnets on my lambda function.
For debugging purposes, my security group outbound functions are set to all traffic/all destinations (0.0.0.0/0
). Also my Network ACL for this VPC is set to this (with 5 subnets, including the one with the NAT gateway):
100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | ALLOW
A route table with the same 2 subnets is on the VPC, with the 0.0.0.0/0
route set to target the NAT gateway.
A different route table with 3 other subnets is also on the VPC, with the 0.0.0.0/0
route set to target the internet gateway.
Both route tables have the same local
destination IP (the IP for the VPC).
The error I get is:
{ Error: connect ETIMEDOUT x.x.x.x:443
at Object.exports._errnoException (util.js:1018:11)
at exports._exceptionWithHostPort (util.js:1041:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1090:14)
code: 'ETIMEDOUT',
errno: 'ETIMEDOUT',
syscall: 'connect',
address: 'x.x.x.x',
port: 443 }
The node code I am running works on my desktop node environment, and the POST call works in postman, so I am fairly certain this is problem with my AWS config.
I have been using this scenario as a resource: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
I go into VPC, create a NAT gateway (I let AWS create a EIP), attach it to one of the subnets on my lambda function.
That is where gou went wrong.
The NAT Gateway must not be attached to any of the subnets it serves. The NAT Gateway must be on a public subnet with a default route to the Internet Gateway.
A NAT Gateway's default route follows the default route of the route table of the subnet to which it is attached, to reach the Internet. If it's associated with a subnet that needs a NAT Gatway, its default route loops back on itself.
Then, all subnets associated with Lambda need to use a route table whose default route points to the NAT Gateway.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With