I recently turned my two AWS public subnets into private subnets and added a public subnet that's got a NAT gateway. The private subnet routing table routs traffic to the NAT gateway and the public one routs it to the Internet Gateway. However, it isn't working and I don't get response to my API calls.
I think this is due to the fact that my VPC endpoint has the two private subnets associated with it instead of the public subnet. I tried to change the associated private subnets to the public one but got the AWS error:
Error modifying subnets
Can't change subnets of a requester-managed endpoint for the service ...
What would be the way to get around this error and add my public subnet to the VPC endpoint?
Additional info: Each private subnet has an EC2 auto-scaling group instance and a serverless aurora DB instance in it.
Cheers, Kris
I also had this annoying problem. The error messages are not really helpful here. They do not reveal which service exactly created those interfaces. So I went to Cloudtrail, listed all events, and searched for the VPC Endpoint name (vpce-1234567890xxx) that refused to be deleted to find out who created it. In my case, it turned out to be the RDS proxy service. So I went to RDS and deleted the proxy.
Since it is requester-managed VPC endpoint:
You cannot modify or detach a requester-managed network interface.
This means that you have to delete the resource that created the endpoint in the first place:
If you delete the resource that the network interface represents, the AWS service detaches and deletes the network interface for you.
Related
I've followed the tutorial here to create a VPC with public and private subnets.
Then I set up an AWS lambda function inside the public subnet to test if it could connect to the outside internet.
Here's my lambda function written in python3
import requests
def lambda_handler(event, context):
r = requests.get('http://www.google.com')
print(r)
The function above failed to fetch the content of http://www.google.com when I set it inside the public subnet in a VPC.
Here's the error message:
"errorMessage": "HTTPConnectionPool(host='www.google.com', port=80):
Max retries exceeded with url: / (Caused by
NewConnectionError(': Failed to establish a new connection: [Errno 110]
Connection timed out',))", "errorType": "ConnectionError",
I don't understand why.
The route table of the public subnet looks like this:
The GET request to http://www.google.com should match igw-XXXXXXXXX target. Why can't the internet-gateway(igw) deliver the request to http://www.google.com and get back the website content?
This article says that I must set the lambda function inside the private subnet in order to have internet access.
If your Lambda function needs to access private VPC resources (for
example, an Amazon RDS DB instance or Amazon EC2 instance), you must
associate the function with a VPC. If your function also requires
internet access (for example, to reach a public AWS service endpoint),
your function must use a NAT gateway or instance.
But it doesn't explain why I can't set the lambda function inside the public subnet.
Lambda functions connected to a VPC public subnet cannot typically access the internet.
To access the internet from a public subnet you need a public IP or you need to route via a NAT that itself has a public IP. You also need an Internet Gateway (IGW). However:
Lambda functions do not, and cannot, have public IP addresses, and
the default route target in a VPC public subnet is the IGW, not a NAT
So, because the Lambda function only has a private IP and its traffic is routed to the IGW rather than to a NAT, all packets to the internet from the Lambda function will be dropped at the IGW.
Should I Configure my Lambda Function for VPC Access?
If your Lambda function does not need to reach private resources inside your VPC (e.g. an RDS database or Elasticsearch cluster) then do not configure the Lambda function to connect to the VPC.
If your Lambda function does need to reach private resources inside your VPC, then configure the Lambda function to connect to private subnets (and only private subnets).
NAT or Not?
If the Lambda function only needs access to resources in the VPC (e.g. an RDS database in a private subnet) then you don't need to route through NAT.
If the Lambda function only needs access to resources in the VPC and access to AWS services that are all available via private VPC Endpoint then you don't need to route through NAT. Use VPC Endpoints.
If your Lambda function needs to reach endpoints on the internet then ensure a default route from the Lambda function's private subnets to a NAT instance or NAT Gateway in a public subnet. And configure an IGW, if needed, without which internet access is not possible.
Be aware that NAT gateway charges per hour and per GB processed so it's worth understanding how to reduce data transfer costs for NAT gateway.
Best Practices
When configuring Lambda functions for VPC access, it is an HA best practice to configure multiple (private) subnets across different Availability Zones (AZs).
Intermittent Connectivity
Be sure that all the subnets you configure for your Lambda function are private subnets. It is a common mistake to configure, for example, 1 private subnet and 1 public subnet. This will result in your Lambda function working OK sometimes and failing at other times without any obvious cause.
For example, the Lambda function may succeed 5 times in a row, and then fail with a timeout (being unable to access some internet resource or AWS service). This happens because the first launch was in a private subnet, launches 2-5 reused the same Lambda function execution environment in the same private subnet (the so-called "warm start"), and then launch 6 was a "cold start" where the AWS Lambda service deployed the Lambda function in a public subnet where the Lambda function has no route to the internet.
You can make a lambda function access the public internet from within your VPC, you just need to make sure you really need it.
For accessing resources external to AWS such as Google API (like OP's example) you do need a Public IP. For other cases like RDS or S3 you don't need Public IP, you can use a VPC Endpoint, so communication between your Lambda and the desired AWS Service doesn't leave AWS network.
By default some AWS Services are indeed reached via public internet, but it doesn't have to be.
[EDIT]
Someone was concerned about scalability in the comments, but they missed this from AWS Docs:
"Multiple Lambda functions can share a network interface, if the functions share the same subnet and security group"
Also, you must have a Public IP for reaching Public Internet, whether you're using Lambda, EC2, ECS, even if you use a NAT Gateway it needs an Elastic Public IP if you want to reach the public internet through it.
Solution
To do that, you need to assign Elastic Public IPs to the Network Interfaces for each subnet linked to your lambda. First let's figure which subnets and security groups are linked to your lambda:
Next, go to EC2 Service, find the Public IPs menu under Network & Security. Allocate one IP for each subnet (in the example above there are two subnets).
Go to Network Interfaces menu, find the network interfaces attached to your lambda (same subnet and security group).
Associate the Public IPs in the actions menu for each one:
That's it, now your Lambda can reach out to public internet.
I have an issue regarding to AWS VPC networking, I want to access external API from my ECS task, I've configured ECS in a Private subnet and the only way to access this ECS is trough an load balancer, in some services like Lambda is working (I can access external resources) but in ECS I can't access to them, I tried modifying the security group rules + modify ACL rules but isn't working, If anyone know how I can do, I be very grateful, thanks.
ps: I created the VPC on the UI that AWS has.
For resources in a private subnet to access the Internet, the only option is to send that traffic through a NAT Gateway.
You will have to create an AWS NAT Gateway in at least one of the public subnets of your VPC, and then add a route in each of the private subnets to that NAT Gateway.
I have a AWS Lambda function which:
checks a Redis Elasticache instance,
if the item is not found in the cache, goes to Google Places API service.
The Redis instance is in a private subnet; so, to fetch it, I added the VPC and the subnet in which the instance resides. I also specified the security group which allows all the outbound traffic. The Network ACL is the default one which is supposed to all the inbound and the outbound traffic.
When adding VPC to Lambda function like that via the console, it prompts:
When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.
So, in the Route Table of the private subnet, I added a NAT gateway too. However, at the point where the Google Places API service call is made from the Lambda function it is always doomed to result in timeout.
In short, I doubt that the NAT gateway properly allows internet access of the Lambda function. How can I check what goes wrong with it?
Do NAT Gateways log the calls or the call attempts being tried through it somehow in CloudWatch etc.?
I want to elaborate on the answer from #vahdet. I was losing my mind trying to reconcile how the NAT Gateway was supposed to be in the public and private subnets simultaneously. It seemed like the official AWS documentation here was wrong, but of course it's not. There is a very subtle detail that myself and others have missed.
The NAT Gateway has to be "hot-wired" across two different subnets simultaneously in order to bridge private addresses to a public one that is internet facing.
First, I tried to put the NAT Gateway in the same route table as the IGW, but of course that doesn't work because you can't have two identical routes (0.0.0.0/0) with different targets.
The guide was saying to put the NAT Gateway in the route table for the Private Network, which I did, but that didn't seem to work.
The critical detail I was missing was that the NAT Gateway has to be created in a public subnet. The documentation actually says this, but it seems confusing because we are later told to put the route for NAT Gateway in the private table.
Both things are true. Create the NAT Gateway in the public subnet and then only add a route table entry in the private route table.
The documentation tells you to create the following network resources in the VPC:
two new subnets
two new route tables
one new NAT Gateway
I already had a route table and some subnets, so I tried to only add one new subnet and one new route table and this is where I got into trouble. It really was better to create two of each as documented.
Here's what it the subnets look like for me:
subnet-public 10.8.9.0/24 us-east-1a
subnet-private 10.8.8.0/24 us-east-1a
Then create the NAT Gateway in subnet-public.
It will be pending for a couple of minutes, which is important, because it must go to available status before it can be referenced in a route table entry.
Here are the route tables:
route-table-public
10.8.0.0/16 local
0.0.0.0/0 igw-xyz
subnet-association: subnet-public
route-table-private
10.8.0.0/16 local
0.0.0.0/0 nat-abc
subnet-association: subnet-private
Do you see what happened there? It's really subtle. The NAT Gateway is cross-wired. It "lives" in the public subnet it was created in, but all traffic in the private subnet gets routed to it.
If you create the NAT Gateway in the private subnet like I did at first, then the NAT Gateway is just as isolated as everything else in the private subnet, and has no way to route traffic out to the internet. It must be created in the public subnet to have internet access, because it must have an IP address inside the public subnet. My NAT Gateway got an internal IP of 10.8.9.127 and an external IP in the 54.X.X.X range.
By making the NAT Gateway the 0.0.0.0/0 route in the private routing table, we are telling all non-10.8.0.0/16 traffic to go straight to the NAT Gateway, even though it isn't actually inside the private subnet.
The VPC itself knows how to bridge traffic across its own subnets, and is able to send the 10.8.8.X traffic to the NAT Gateway's 10.8.9.X IP. It then acts as a bridge, and translates all of that traffic across it's internal IP to its external IP. Because it is in a public subnet that is in a route table with an internet gateway, the external IP has a clear path to the internet.
Now my private VPC lambda in subnet-private has verified internet access through the NAT Gateway.
The following steps are required
An IAM role with full VPC permission assigned to your lambda function.
VPC with public and private subnet
while creating a NAT Gateway
a)the subnet has to be public subnet
b)Elastic IP creat a new one or allocate one
Create the route table and add another route with target as our NAT gateway we created above.
And your lambda should be happy now
The problem for my case turned out to the fact that, I had created the NAT Gateway in the private subnet.
Make sure you place the NAT Gateways in the public subnet.
By the way, there are metrics but no direct logging records available in CloudWatch for NAT Gateway.
I have an AWS lambda function that makes a request to the internet. When it makes the request with NO VPC, it's ok, but when I add it to the VPC, it stops working. I've attached an Internet Gateway to the VPC and created a NAT Gateway with RT to use outbound 0.0.0.0/0, but it stills not working.
With the 15seconds timeout, it's always throwing TO.
Could you please help me?
I've already followed these sites:
https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
http://derpturkey.com/lambda-vpc-and-internet-access-configuration/
Everything seems to be well configured.
Lambda configuration
Route Table configuration
IGW attached to VPC
There are three ways to grant Internet access to an AWS Lambda function:
Do not assign it a VPC, or
Assign it to a VPC and attach an Elastic IP Address to the ENI (Elastic Network Interface) that is created in the VPC, or
Assign it to a private subnet in a VPC and use a NAT Gateway to grant the private subnet access to the Internet
If you have already verified the network configurtions like VPC setup, Subnets, Route Table, IG/NAG gate way. And associated the Lambda with current subnet and security groups.
Then the last thing to verify would be:
For Lambda functions to work into custom or User Defined VPC, Adding Lambda to the VPC would require AWSLambdaVPCAccessExecutionRole in addition to AWSLambdaBasicExecutionRole.
Ensure that the associated role has the above permissions.
Source:
https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds-create-iam-role.html
How to create Private and Public subnets in GCP? It is not same as AWS.
In GCP tags decides whether a subnet is private or public.
For public network create routes in VPC section and select the next-hop to Default Internet gateway
For private network create routes in VPC section and select the next-hop to specify and instance and select the nat instance
When create VM , you can change external IP to none.
This will requir NAT / LB to expose services and something like bastion server to login.
Though it's been a while since this was posted but thought to post this anyway as I ran into the same issue. I was doing a GCP-based lab challenge with an instruction to make a VPC private but I couldn't figure it out until I found this statement from an AWS doc located here.
If your subnet is associated with a route table that has a route to an >internet gateway, it's known as a public subnet.
In GCP you will need to remove the default route for internet access to make the VPC private. To make machines in the VPC gain internet access to download updates for example, you will need to create a cloud NAT gateway with cloud router