Why aws lambda within VPC can not send message to SNS? - amazon-web-services

My Lambda function can send a message to SNS with the publish method with "no VPC", but it times out when I put it in a VPC which has access to the public internet with a route and an internet gateway.
Edited
I have my Lambda in a public subnet which has 0.0.0.0/0 already routed to the internet gateway, so I cannot route it again to NAT. Is it possible to assign an EIP to a Lambda function?

You have to add a NAT Gateway to your VPC in order for Lambda functions (and other things in your VPC that don't have a public IP) to access anything outside the VPC. You should read the Things to Know section of this AWS announcement.

The outside Internet is not accessible when VPC is enabled. So, when you send a request to publish to an SNS topic using libraries such as boto3, your requests will time out.
NAT is one of the options, but a more cost-effective way would be to set up an interface endpoint to SNS from your VPN. You can go to the AWS VPN console, create an endpoint and select SNS as the service.
Here are more details on how to set up your interface endpoint: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint
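
The two answers above, as an added example that is not part of the original posts: a small offline check that explains why a Lambda network interface in a given subnet can or cannot reach SNS. The dictionaries mirror the shape of EC2 `describe_route_tables` and `describe_vpc_endpoints` responses; the region, the IDs and the function names are assumptions made for illustration.

```python
# Added example: inputs mirror the shape of EC2 describe_route_tables /
# describe_vpc_endpoints responses; all IDs and the region are constructed.
SNS_SERVICE = "com.amazonaws.us-east-1.sns"  # assumed region

def default_route_target(route_tables, subnet_id):
    """Return 'nat', 'igw' or None for the subnet's 0.0.0.0/0 route."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    table = explicit or main  # unassociated subnets use the main table
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
    return None

def has_sns_endpoint(endpoints, vpc_id):
    """True if the VPC has a usable SNS interface endpoint with private DNS."""
    return any(
        ep.get("VpcId") == vpc_id and ep.get("ServiceName") == SNS_SERVICE
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("State", "").lower() == "available"
        and ep.get("PrivateDnsEnabled", False)
        for ep in endpoints
    )

def diagnose(subnet_id, vpc_id, route_tables, endpoints):
    """Explain whether sns.publish() from a Lambda ENI in this subnet connects."""
    if has_sns_endpoint(endpoints, vpc_id):
        return "ok: SNS interface endpoint (traffic stays inside the VPC)"
    target = default_route_target(route_tables, subnet_id)
    if target == "nat":
        return "ok: default route to NAT gateway"
    if target == "igw":
        return "timeout: IGW route only, but the Lambda ENI has no public IP"
    return "timeout: no default route and no SNS endpoint"

# Constructed sample: one public and one private subnet in vpc-1.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]
```

Calling `diagnose("subnet-pub", "vpc-1", ROUTE_TABLES, [])` reproduces the situation in the question: the route to the internet gateway exists, yet the publish call still times out.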

Related

One VPC Endpoint for multiple services in AWS

I have a VPC with two private subnets in two different AZs, and
I am trying to create a VPC Endpoint for connecting Lambda to my database in one of the private subnets.
But I also need SNS for sending messages to users based on my Lambda function.
Do I need to create another endpoint for SNS in that subnet, or can I attach multiple services to the same endpoint?
I know a NAT gateway is an option, but it is costlier than endpoints.
Please suggest the best way to do this.
Thanks,
Monika
No. A VPC Endpoint is always for a specific service.
By the way, you do not require a VPC Endpoint for Lambda in your situation. Simply configure the AWS Lambda function to connect to the private subnets in the VPC. This is a built-in capability of Lambda functions and they do not require a VPC Endpoint to access the subnets.

Lambda using kinesis stream not working when in vpc

I have a Lambda job that works fine until I put it in a VPC; it seems to stop reading the Kinesis stream as soon as that is done, and works again when I put it in no VPC. Does anyone have any advice on how to solve this?
For Lambda to work properly in a VPC, you need to add the AWSLambdaVPCAccessExecutionRole managed policy to your function's execution role.
Also, it needs to be remembered that Lambda in your VPC does not have access to the Internet:
When you connect a function to a VPC in your account, it does not have access to the internet unless your VPC provides access.
To enable access to public Kinesis endpoints:
To give your function access to the internet, route outbound traffic to a NAT gateway in a public subnet. The NAT gateway has a public IP address and can connect to the internet through the VPC's internet gateway.
Alternatively, you can set up VPC interface endpoints to access Kinesis without going to the internet.
Hope this will be helpful.

Using Lambda inside VPC with SNS+RDS

I'd like to have a lambda expression that every hour makes a query on an RDS database, pulls some ARNs (device tokens) and then sends these devices a notification via SNS. My desire is to remain inside the VPC and I'd like to avoid using NAT due to its cost. Should I create a VPC endpoint (is this called AWS PrivateLink?) that can reach out to SNS+RDS? Are NAT and Endpoint similar in billing? Globally, is this the right way to achieve a "cron sending notifications" on AWS?
RDS is reachable inside the VPC without the endpoint, isn't it?
This is totally possible.
Your lambda can run in a private subnet in the VPC that communicates with your RDS database over the network on port 3306. Make sure your security group and NACL rules allow this.
You then need to create a VPC endpoint to your SNS service. Be sure your route table includes this route.
The main difference between VPC endpoints and AWS Privatelink is the following:
A VPC endpoint enables you to privately connect your VPC to supported AWS services: SNS, Kinesis, SQS, S3, ...
AWS PrivateLink, by contrast, is more about creating your own application in your VPC and configuring it as an AWS PrivateLink-powered service (referred to as an endpoint service). Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint.
VPC endpoints are free. NAT Gateways cost per hour per GB.

AWS - Send Message to an SQS from a Lambda function inside a VPC

I have hosted a Lambda function using AWS Chalice inside a VPC since I want it to access a Serverless Aurora DB Instance. Now I also want this function to send_message() to an SQS.
I followed Tutorial: Sending a Message to an Amazon SQS Queue from Amazon Virtual Private Cloud and was able to call the SQS from inside my EC2. But even then I could not use my Lambda function to call the SQS.
It would be very helpful if someone could actually tell me how to do the whole thing manually rather than using the CloudFormation stack, or at least tell me how to get the SQS Endpoint working.
It appears that your situation is:
An Amazon VPC with an Amazon Aurora database
An AWS Lambda function that wants to communicate with the Aurora database AND an Amazon SQS queue
An AWS Lambda function can be configured as:
Connected to a subnet in a VPC, or
Not connected to a VPC, which means it is connected to the Internet
If you wish to have an AWS Lambda function communicate with resources inside a VPC AND the Internet, then you will need:
The Lambda function connected to a private subnet
A NAT Gateway in a public subnet
An Internet Gateway connected to the public subnet (it is most probably already in your VPC)
Alternatively, you can use a VPC Endpoint for SQS, which allows the Lambda function to access SQS without going to the Internet. If you want to connect to multiple services (e.g. S3, SNS, SQS), it is probably easier just to use a NAT Gateway rather than creating VPC Endpoints for each service.
You either need to add a VPC Endpoint for SQS to your VPC, or place the Lambda function in subnets with a route to a NAT Gateway.

How to let AWS lambda in a VPC to publish SNS notification?

I have a lambda function that accesses my Postgres db in RDS via VPC. After it queries the db, I want to post a notification to SNS. Because my lambda function exists in my VPC, it cannot access SNS. I have an internet gateway on my VPC. I read through the VPC endpoint documentation and currently only s3 is supported.
Is there any way to publish to SNS in a Lambda function in a VPC?
UPDATE
As of April 2018, SNS supports VPC Endpoints via AWS PrivateLink. So, there will be no need to set up an Internet Gateway or a NAT instance in order for a Lambda function inside your VPC to publish SNS notifications.
See this blog post for more details.
You will need a NAT server running in your VPC to route traffic outside of the VPC. AWS now offers a managed NAT service that makes this easier.
I finally managed to get it working...
The trick is that you MUST have 2 subnets.
A public one, with a routing table that sends traffic to the Internet Gateway of your VPC. Put the NAT in there.
And a private one, with a routing table that sends traffic to the NAT. Put the Lambdas in there. (BTW Making a public subnet means setting the Auto-assign Public IP option to Yes.)
It is outlined in this overview diagram from the AWS docs:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html#Configuration-2
I know this is old, but here's another option that works, for those who don't want to configure a NAT. Instead of trying to have a lambda function inside the VPC that interacts with SNS, split into 2 lambda functions, as follows.
Function 1 sits inside the VPC and interacts with the database, returning the result of your database interaction (eg, a list of IDs matching some criteria).
Function 2 sits outside the VPC, invokes Function 1, then processes the array of values and publishes the appropriate SNS notifications (eg, sends a message based on each ID in the list).
Would be nice if there was a VPC endpoint for SNS, but still in late 2016 this does not seem to be the case.