Elasticache in a different VPC and lambda needs to access it - amazon-web-services

I have two VPCs in AWS. ElastiCache is in one of the VPCs.
I also have a Lambda that needs to access the ElastiCache. I have attached the following policies to the Lambda to access the ElastiCache:
AWSLambdaVPCAccessExecutionRole (as mentioned here: https://docs.aws.amazon.com/lambda/latest/dg/vpc-ec-create-iam-role.html)
AmazonElastiCacheFullAccess
But I still cannot connect to the ElastiCache endpoint from the Lambda. It is throwing the following error:
Task timed out after 63.06 seconds
Essentially indicating it failed to connect. But any EC2 instance within the VPC can connect to the ElastiCache.

AWS Lambda uses elastic network interfaces (ENIs) that enable your function to connect securely to other resources. As you mentioned, the Lambda function is running in your VPC, not in the AWS-managed VPC, so I recommend performing the couple of checks below; either could cause a connectivity issue between Lambda and ElastiCache (EC).
IAM Role: Make sure the IAM role has the required permissions to access the other VPC's resources.
Network: Verify that the network access control lists (ACLs) of both VPC subnets allow traffic on the port you are connecting to, and that the Lambda security group does as well.
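One way to make the checks above actionable from inside the function, as an added example that is not part of any answer in this thread and not AWS code: a bare socket connect in Lambda inherits a long default timeout, so a blocked path only ever surfaces as "Task timed out". Resolving the endpoint name and connecting with a short explicit timeout instead classifies the failure (name does not resolve, SYN silently dropped by a security group/NACL/missing route, or RST from a host that has nothing listening). The host, port and timeout values are placeholders; the loopback listener exists only so the "ok" path can be exercised offline.

```python
"""Fail-fast reachability probe for a Lambda function attached to a VPC.

Added example, not from the original thread or from AWS. The default host and
port in lambda_handler are placeholders for a real cache endpoint.
"""
import socket
import time


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Resolve `host` and open a TCP connection to `port`, with explicit timeouts.

    Returns a dict with the failing stage and a reason:
      dns / <error>      the endpoint name does not resolve from this VPC
      connect / timeout  nothing answered: security group, NACL, missing route or
                         missing peering is silently dropping the SYN
      connect / refused  a host answered with RST: packets arrive, but nothing
                         listens on that port (wrong port or wrong endpoint)
      ok / connected     the TCP path works; anything left is at the protocol layer
    """
    start = time.monotonic()

    def elapsed_ms() -> int:
        return int((time.monotonic() - start) * 1000)

    try:
        infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"stage": "dns", "reason": str(exc), "ip": None, "ms": elapsed_ms()}
    family, _, _, _, sockaddr = infos[0]
    ip = sockaddr[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)  # keep this well below the Lambda function timeout
    try:
        sock.connect(sockaddr)
    except socket.timeout:
        return {"stage": "connect", "reason": "timeout", "ip": ip, "ms": elapsed_ms()}
    except ConnectionRefusedError:
        return {"stage": "connect", "reason": "refused", "ip": ip, "ms": elapsed_ms()}
    except OSError as exc:
        return {"stage": "connect", "reason": exc.strerror or str(exc), "ip": ip, "ms": elapsed_ms()}
    finally:
        sock.close()
    return {"stage": "ok", "reason": "connected", "ip": ip, "ms": elapsed_ms()}


def lambda_handler(event, context):
    """Lambda entry point; the event supplies the target, e.g. {"host": ..., "port": 6379}.

    "cache.example.internal" is a placeholder, not a real endpoint.
    """
    result = probe(event.get("host", "cache.example.internal"), int(event.get("port", 6379)))
    print(result)  # reaches CloudWatch Logs even when the probe fails
    return result


def probe_local_listener(timeout: float = 3.0) -> dict:
    """Probe a throwaway loopback listener, to exercise the 'ok' path offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return probe("127.0.0.1", srv.getsockname()[1], timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    print(probe_local_listener())      # stage "ok"
    print(probe("127.0.0.1", 1, 2.0))  # stage "connect", reason "refused"
```

Read the result against the checks in the answer: a `timeout` on a private address that an EC2 instance in the same subnet can reach points at the Lambda security group, the NACLs (both directions, including the ephemeral return ports) or the route table; a `dns` failure means the function's subnet cannot resolve the endpoint name at all; `refused` means the network path is fine and the port or endpoint is wrong.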

Your Lambda function has no route to the ElastiCache VPC. Assuming the VPC CIDRs do not overlap:
1. If the VPCs are in the same region, you can create a VPC peering connection between the VPCs. The routing table entry that creates a route between the VPCs will be automatically added when you create the peering connection. See: VPC Peering
2. If the VPCs are in different regions, check "Does AWS offer inter-region / cross region VPC Peering?" and, if peering is available, you can create a peering connection just like #1.
3. If the VPCs are in different regions and peering connections are not supported, then you have to have a VPN in each VPC and route the traffic through the VPN.
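An offline way to verify the routing side of this answer, as an added example that is not part of the thread and not AWS code: check that the two CIDRs do not overlap (peering is refused otherwise), then run the same longest-prefix lookup the VPC router performs against both subnets' route tables. Both directions matter: with only a forward route, the SYN reaches the cache but the SYN-ACK has no way back, and the client still sees a timeout. The same lookup answers the "0.0.0.0/0 via NAT gateway" question asked further down this page. The CIDRs, route tables and resource ids are constructed sample data; in practice you would paste in the output of `aws ec2 describe-route-tables` for the Lambda subnet and the cache subnet.

```python
"""Offline routing sanity check for a Lambda in VPC-A reaching a cache in VPC-B.

Added example, not from the original thread or from AWS. All ids and CIDRs
below are hypothetical sample data.
"""
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical ids and CIDRs).
VPC_A_CIDR = "10.0.0.0/16"            # VPC holding the Lambda ENIs
VPC_B_CIDR = "10.1.0.0/16"            # VPC holding the ElastiCache cluster
PEERING_ID = "pcx-0123456789abcdef0"  # hypothetical peering connection
NAT_ID = "nat-0fedcba9876543210"      # hypothetical NAT gateway in VPC-A

# Route table of the Lambda subnet: destination CIDR -> target.
ROUTES_A = {
    "10.0.0.0/16": "local",
    "10.1.0.0/16": PEERING_ID,   # forward path to VPC-B
    "0.0.0.0/0": NAT_ID,         # internet egress for a private subnet
}

# Route table of the cache subnet: the return route to VPC-A is missing.
ROUTES_B = {
    "10.1.0.0/16": "local",
}


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """Peering is refused outright when the two VPC CIDRs overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def route_target(route_table: dict, dst_ip: str) -> Optional[str]:
    """Longest-prefix match, the way the VPC router picks a route.

    Returns the route target, or None when no entry covers the address
    (the router then drops the packet, which the client sees as a timeout).
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def check_peering(cidr_a: str, routes_a: dict, cidr_b: str, routes_b: dict, pcx: str) -> list:
    """Return a list of routing problems; an empty list means both directions use pcx."""
    if cidrs_overlap(cidr_a, cidr_b):
        return [f"CIDRs {cidr_a} and {cidr_b} overlap; a peering connection cannot be created"]
    problems = []
    host_a = str(next(ipaddress.ip_network(cidr_a).hosts()))  # representative address in VPC-A
    host_b = str(next(ipaddress.ip_network(cidr_b).hosts()))  # representative address in VPC-B
    fwd = route_target(routes_a, host_b)
    if fwd != pcx:
        problems.append(f"VPC-A sends traffic for {host_b} to {fwd!r}, expected {pcx}")
    back = route_target(routes_b, host_a)
    if back != pcx:
        problems.append(f"VPC-B sends replies for {host_a} to {back!r}, expected {pcx}")
    return problems


if __name__ == "__main__":
    for problem in check_peering(VPC_A_CIDR, ROUTES_A, VPC_B_CIDR, ROUTES_B, PEERING_ID):
        print("PROBLEM:", problem)
    # Same lookup for the NAT case: where does internet-bound traffic from VPC-A go?
    print("egress for 198.51.100.10:", route_target(ROUTES_A, "198.51.100.10"))
```

With the sample data the check reports exactly one problem, the missing return route in VPC-B; adding `10.0.0.0/16 -> pcx-...` to that table clears it. For the Lambda-to-internet case, `route_target` on the Lambda subnet's table must return the NAT gateway for a public address; `None` or `local` means the subnet has no egress path regardless of the attached internet gateway.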

Let's say lambda-A needs access to the ElastiCache in a different VPC (VPC-B).
Options:
You can create another lambda-B in VPC-B, and let lambda-A call lambda-B, which then calls ElastiCache.
Create a NAT instance in the same VPC as your cache cluster but in a public subnet.
Use VPC peering.
Ref: https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/accessing-elasticache.html

Related

What is the difference between VPC Peering and VPC Endpoint Service? And when to use them?

I understand VPC Peering is used to establish connection between 2 VPCs. And to connect to another Application/Service in another VPC, VPC Endpoint Service is used. But can't a VPC Endpoint Service be connected via VPC peering?
A use-case/scenario will help
You can find a lot of info on VPC peering here:
https://docs.aws.amazon.com/de_de/vpc/latest/peering/what-is-vpc-peering.html
It is, like you already said, a (network) connection between two VPCs.
A VPC Endpoint gives you some more options; you could say it is built on top of the VPC peering idea.
Here is a short article about it:
https://catalog.workshops.aws/networking/en-US/intermediate/5-vpc-endpoint-services/10-vpc-endpoint-services-overview
It also mentions some use cases, like:
Application in a VPC that has no VPN or TGW access to other VPCs.
Application in a VPC which has overlapping IP addresses with the VPC you want to share it with.
Sharing an application with external consumers in other AWS accounts (even via AWS Marketplace).
Limiting the firewall rules for access to an on-premises application by using PrivateLink as a single point of access for all VPCs in a region.

Connection from Lambda to RDS in a different account

I have an RDS in one AWS Account - say Acct-1.
The RDS is public (i know it's not a good idea and there are other solutions for that)
I have a lambda in another AWS Account - say Acct-2 which runs in a VPC.
I have setup VPC peering between the 2 accounts, the route table entries are in place as well as the security groups IN/OUT bound policies in place.
In Acct-2 I can verify that I can connect to the RDS instance in Acct-1 using a mysql client from an EC2 instance. The EC2 instance is in the same subnet as the Lambda and they both have the same security group.
But the Lambda gets a connection timeout. The Lambda has the typical Lambda execution role that allows logs and network interfaces.
Thoughts on what could be missing? Does the RDS need to grant specific access to the Lambda service even if it's running in a VPC?
Clarification: There is no route to the RDS instance from the internet. Clearly, the ec2 host is able to resolve the Private IP for the RDS instance from the DNS name and connect.
Lambda is unable to resolve the private IP for the RDS instance.
I'm trying to keep the traffic within AWS so as to not pay egress costs.

AWS lambda VPC cannot reach internet with IG attached

I have an AWS Lambda function that makes a request to the internet. When it makes the request with NO VPC, it's OK, but when I add it to the VPC, it stops working. I've attached an Internet Gateway to the VPC and created a NAT Gateway with a route table entry for outbound 0.0.0.0/0, but it still does not work.
With the 15-second timeout, it always throws a timeout.
Could you please help me?
I've already followed these sites:
https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
http://derpturkey.com/lambda-vpc-and-internet-access-configuration/
Everything seems to be well configured.
Screenshots (not reproduced here): Lambda configuration, Route Table configuration, IGW attached to VPC.
There are three ways to grant Internet access to an AWS Lambda function:
Do not assign it a VPC, or
Assign it to a VPC and attach an Elastic IP Address to the ENI (Elastic Network Interface) that is created in the VPC, or
Assign it to a private subnet in a VPC and use a NAT Gateway to grant the private subnet access to the Internet
If you have already verified the network configuration (VPC setup, subnets, route table, IGW/NAT gateway) and associated the Lambda with the correct subnet and security groups, then the last thing to verify would be:
For Lambda functions to work in a custom or user-defined VPC, adding the Lambda to the VPC requires AWSLambdaVPCAccessExecutionRole in addition to AWSLambdaBasicExecutionRole.
Ensure that the associated role has the above permissions.
Source:
https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds-create-iam-role.html

RDS VPC privacy

I want to have different VPC for dev/test/prod and one separate VPC for share services like jenkins. I'll use VPC peering between the Shared Services VPC and each of the environments VPCs
Each environment will have its own RDS instance.
RDS setup has this option about instance public accessibility, and I'm confused about the "No EC2 instance or devices outside of the VPC will be able to connect" statement.
If I choose "no" will I still be able to connect to the dev RDS instance from the shared services VPC by using VPC peering?
Yes you will be able to access from your 'shared services' VPC if you've peered the two VPCs.
Be sure to follow the VPC peering guide. The biggest thing is to make sure the CIDR block ranges do not overlap, and you'll have to set the security groups on each RDS instance to allow traffic from the Jenkins instance in the 'shared services' VPC.

AWS cross region lambda database access

Recently some service in us-west-1 seems not to be working, so I'm trying to create a Lambda that can access a cross-region RDS (from us-east-1 to us-west-1), but I cannot find any solution or sample with these keywords. Does that mean a cross-region database is unavailable?
As far as I know, using Lambda to reach a database in a VPC may cause an out-of-IPs issue, so is there any best practice for this?
Thanks
Lambda functions run outside the VPC by default. In the setup of the Lambda you can opt to give them access to a VPC which creates a network endpoint inside your VPC. Lambda uses that network endpoint to access the VPC.
The challenge you face is that your us-west-1 VPC is not visible in us-east-1.
Suggestion: Set up VPC peering between the two VPCs and run the Lambda in the us-east-1 VPC.