
My Lambda function can send a message to SNS with the publish method with "no VPC", but it will time out when I put it in a VPC which has access to the public internet via a route and an internet gateway.

Edit: I have my Lambda in a public subnet which already has 0.0.0.0/0 routed to the internet gateway, so I cannot route it again to a NAT. Is it possible to assign an EIP to a Lambda function?

Hello lad

2 Answers


You have to add a NAT Gateway to your VPC in order for Lambda functions (and other things in your VPC that don't have a public IP) to access anything outside the VPC. You should read the Things to Know section of this AWS announcement.

Mark B
  • Hi Mark, thanks for the response. That explains everything. But I have my Lambda in a public subnet which already has 0.0.0.0/0 routed to the internet gateway, so I cannot route it again to a NAT. Is it possible to assign an EIP to a Lambda function in order to solve this problem? – Hello lad Jul 04 '16 at 16:20
  • No, you have to use a NAT, you can't assign an Elastic IP to a Lambda function. How would that even work when there can be many instances of the Lambda function running concurrently? You can however add a NAT to your public subnet. Or you can add another subnet with a NAT gateway to your VPC and move the Lambda function to that subnet. – Mark B Jul 04 '16 at 16:25
  • You can't add NAT functionality to a public subnet. By definition a public subnet uses the Internet Gateway as its default route. Interfaces using the NAT device need to be on private subnets. The NAT gateway or instance itself goes on the public subnet, with the private subnet's default route pointing to the NAT device. – Michael - sqlbot Jul 05 '16 at 02:23
  • Isn't SNS in the VPC? Is it not? If it's in the VPC, why would a NAT gateway be needed? – Jwan622 Oct 02 '19 at 00:49
  • @Jwan622 SNS does not run inside your VPC. – Mark B Oct 02 '19 at 11:35
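The rules in this answer and its comments, as an added example that is not part of the original post: an offline checker that reads route tables, NAT gateways and VPC endpoints in the shape the AWS CLI's describe-route-tables, describe-nat-gateways and describe-vpc-endpoints return, and reports whether a Lambda ENI in a given subnet can reach SNS. It treats an IGW default route as useless for Lambda (no public IP on the ENI), a NAT default route as good only when the NAT itself sits in a public subnet, and an available SNS interface endpoint with private DNS as sufficient on its own. All resource IDs and the sample topology are constructed.

```python
"""Offline check: can a Lambda ENI in a given subnet reach SNS?

Encodes the rules from the answer and comments above: a Lambda ENI never gets
a public IP, so a 0.0.0.0/0 route to an Internet Gateway does nothing for it;
a route to a NAT Gateway works only if the NAT itself sits in a public subnet;
an SNS interface endpoint with private DNS needs no internet path at all.
Input shapes mirror `aws ec2 describe-route-tables`, `describe-nat-gateways`
and `describe-vpc-endpoints`; every ID and table below is constructed.
"""

# Constructed topology: the questioner's public subnet, a private subnet
# behind a NAT gateway, and a subnet with no default route at all.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
     "Associations": [{"Main": True}, {"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "VpcId": "vpc-example",
     "Associations": [{"SubnetId": "subnet-isolated"}], "Routes": [LOCAL]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public", "State": "available"}]
VPC_ENDPOINTS = []  # no SNS interface endpoint in this topology


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError(f"no route table covers {subnet_id}")
    return main


def default_route(route_table):
    """The active 0.0.0.0/0 route, or None if the subnet has no way out."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def is_public_subnet(route_tables, subnet_id):
    """Public in the VPC sense: the default route goes to an Internet Gateway."""
    route = default_route(route_table_for_subnet(route_tables, subnet_id))
    return route is not None and route.get("GatewayId", "").startswith("igw-")


def has_sns_endpoint(endpoints, vpc_id, region):
    """An available SNS interface endpoint with private DNS serves the whole VPC."""
    service = f"com.amazonaws.{region}.sns"
    return any(ep.get("VpcId") == vpc_id and ep.get("ServiceName") == service
               and ep.get("VpcEndpointType") == "Interface"
               and ep.get("State") == "available" and ep.get("PrivateDnsEnabled")
               for ep in endpoints)


def lambda_can_reach_sns(route_tables, nat_gateways, endpoints, subnet_id, region="us-east-1"):
    """Return (reachable, reason) for a Lambda ENI placed in subnet_id."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if has_sns_endpoint(endpoints, rt["VpcId"], region):
        return True, f"SNS interface endpoint: sns.{region}.amazonaws.com resolves inside the VPC"
    route = default_route(rt)
    if route is None:
        return False, "no 0.0.0.0/0 route: subnet is isolated"
    if route.get("GatewayId", "").startswith("igw-"):
        # The questioner's setup: the route exists, but an IGW only forwards for
        # interfaces that own a public IP, which a Lambda ENI never does.
        return False, "0.0.0.0/0 -> IGW, but Lambda ENIs have no public IP"
    nat_id = route.get("NatGatewayId")
    if nat_id:
        nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
        if nat is None or nat.get("State") != "available":
            return False, f"default route targets {nat_id}, which is missing or not available"
        if not is_public_subnet(route_tables, nat["SubnetId"]):
            # The sqlbot comment: the NAT device itself must live in a public subnet.
            return False, f"{nat_id} is in {nat['SubnetId']}, which has no IGW route"
        return True, f"0.0.0.0/0 -> {nat_id} in public subnet {nat['SubnetId']}"
    if route.get("InstanceId") or route.get("NetworkInterfaceId"):
        return True, "0.0.0.0/0 -> NAT instance"
    return False, f"unrecognised default route target: {route}"


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private", "subnet-isolated"):
        ok, why = lambda_can_reach_sns(ROUTE_TABLES, NAT_GATEWAYS, VPC_ENDPOINTS, subnet)
        print(f"{subnet:16} {'OK  ' if ok else 'FAIL'} {why}")
```

To run it against a real account, replace the three constants with the parsed output of the corresponding `aws ec2 describe-*` commands; the functions only read the fields shown.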

The outside Internet is not accessible when VPC is enabled. So, when you send a request to publish to an SNS topic using libraries such as boto3, your requests will time out.

NAT is one option, but a more cost-effective way would be to set up an interface endpoint to SNS from your VPC. You can go to the AWS VPC console, create an endpoint and select SNS as the service.

Here are more details on how to set up your interface endpoint: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint

Deep Patel
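An added example, not part of this answer: an offline audit of an SNS interface endpoint in the shape describe-vpc-endpoints and describe-security-groups return it, checking the things that make the endpoint usable from a Lambda in the VPC (Interface type for com.amazonaws.&lt;region&gt;.sns, available, private DNS enabled so boto3's default sns.&lt;region&gt;.amazonaws.com hostname resolves to the endpoint, and an endpoint security group that accepts TCP/443 from the Lambda's security group). It also flags the allow-all endpoint policy AWS attaches by default and builds a tighter one limited to sns:Publish on your own topics. The IDs, account number and topic ARN are constructed.

```python
"""Offline audit of an SNS interface endpoint, as a Lambda in the VPC sees it.

Checks what makes the endpoint in the answer above actually usable: it must be
an Interface endpoint for com.amazonaws.<region>.sns, available, with private
DNS enabled (otherwise boto3 keeps resolving the public SNS hostname and still
times out), and an endpoint security group must accept TCP/443 from the
Lambda's security group. It also flags the default allow-all endpoint policy
and builds a tighter one. Input shapes mirror `aws ec2 describe-vpc-endpoints`
and `describe-security-groups`; IDs, account number and topic ARN are constructed.
"""
import json

REGION = "us-east-1"
LAMBDA_SG = "sg-lambda"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:orders"  # constructed account/topic
# The policy AWS attaches when an endpoint is created without one.
DEFAULT_POLICY = json.dumps({"Statement": [{"Action": "*", "Effect": "Allow",
                                            "Resource": "*", "Principal": "*"}]})


def build_endpoint_policy(topic_arns):
    """Endpoint policy allowing only sns:Publish to the listed topics."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "sns:Publish", "Resource": list(topic_arns)}]}


def endpoint_policy_is_open(policy_document):
    """True when some Allow statement grants every action on every resource."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def sg_allows_https_from(security_groups, sg_id, source_sg_id):
    """Does sg_id have an inbound rule for TCP/443 from source_sg_id (or from anywhere)?"""
    sg = next((g for g in security_groups if g["GroupId"] == sg_id), None)
    if sg is None:
        return False
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0):
            continue
        if any(p.get("GroupId") == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False


def audit_sns_endpoint(endpoint, security_groups, lambda_sg_id, region):
    """Return a list of findings; an empty list means Lambda can publish through it."""
    findings = []
    expected = f"com.amazonaws.{region}.sns"
    if endpoint.get("ServiceName") != expected:
        findings.append(f"ServiceName is {endpoint.get('ServiceName')}, expected {expected}")
    if endpoint.get("VpcEndpointType") != "Interface":
        findings.append("SNS needs an Interface endpoint, not a Gateway endpoint")
    if endpoint.get("State") != "available":
        findings.append(f"endpoint state is {endpoint.get('State')}")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("PrivateDnsEnabled is false: the default sns hostname still "
                        "resolves to the public endpoint, so boto3 keeps timing out")
    ep_sgs = [g["GroupId"] for g in endpoint.get("Groups", [])]
    if not any(sg_allows_https_from(security_groups, sg, lambda_sg_id) for sg in ep_sgs):
        findings.append(f"no endpoint security group allows TCP/443 from {lambda_sg_id}")
    if endpoint_policy_is_open(endpoint.get("PolicyDocument", '{"Statement": []}')):
        findings.append("endpoint policy is the default allow-all, so it also permits "
                        "publishing to topics in other accounts")
    return findings


# Constructed descriptions: an endpoint as commonly misconfigured, then the fixed one.
SECURITY_GROUPS = [
    {"GroupId": "sg-lambda", "IpPermissions": []},          # Lambda's SG; inbound irrelevant
    {"GroupId": "sg-endpoint-empty", "IpPermissions": []},  # endpoint SG with no inbound rule
    {"GroupId": "sg-endpoint", "IpPermissions": [{          # endpoint SG: 443 from Lambda SG
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}]},
]
BROKEN_ENDPOINT = {
    "VpcEndpointId": "vpce-broken", "VpcId": "vpc-example", "VpcEndpointType": "Interface",
    "ServiceName": f"com.amazonaws.{REGION}.sns", "State": "available",
    "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-endpoint-empty"}],
    "PolicyDocument": DEFAULT_POLICY,
}
FIXED_ENDPOINT = dict(BROKEN_ENDPOINT, VpcEndpointId="vpce-fixed", PrivateDnsEnabled=True,
                      Groups=[{"GroupId": "sg-endpoint"}],
                      PolicyDocument=json.dumps(build_endpoint_policy([TOPIC_ARN])))

if __name__ == "__main__":
    for ep in (BROKEN_ENDPOINT, FIXED_ENDPOINT):
        findings = audit_sns_endpoint(ep, SECURITY_GROUPS, LAMBDA_SG, REGION)
        print(ep["VpcEndpointId"], "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

The Lambda's own security group also needs outbound TCP/443, which the default egress rule already allows; the audit only checks the endpoint side because that is where the missing inbound rule usually is. The tightened policy is what you would pass as the PolicyDocument string when creating the endpoint.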