7

I have a simple lambda function as follows

var AWS = require("aws-sdk");

exports.handler = (event, context, callback) => {
    // Regional EC2 client; the call goes to the public EC2 API endpoint
    var ec2 = new AWS.EC2({ region: 'us-east-1' });

    return ec2.describeRegions({}).promise()
        .then(function (regionResponse) {
            console.log(regionResponse.Regions);
            callback(null, regionResponse.Regions);
        })
        .catch(function (err) {
            console.log({ "error": err });
            callback(err, null);
        });
};

I can run this function outside of a VPC successfully.

I create a VPC using the VPC wizard and create a VPC with a single public subnet and an Internet Gateway. I place the function in the VPC and give it an execution role with Lambda VPC Execution rights. It now fails with a timeout, which I have set to 10 seconds (normal execution 1 sec).

What am I missing from my config that prevents the function from accessing the AWS SDK inside the VPC?

ajmcgarry
  • This question gets asked on here at least once a week. Please view the answers to some of the other questions like these: http://stackoverflow.com/questions/38188532/why-aws-lambda-within-vpc-can-not-send-message-to-sns http://stackoverflow.com/questions/35423246/adding-aws-lambda-with-vpc-configuration-causes-timeout-when-accessing-s3 – Mark B Mar 09 '17 at 13:59
  • @MarkB the fact that this gets asked so often just goes to show that it needs a proper documented use case or examples provided by Amazon. I have been down these routes before with these other answers so I may have missed something or made a mess of something. I will start again and see if I can get some success – ajmcgarry Mar 09 '17 at 14:18
  • 1
    AWS has documented this in lots of places, like here: http://docs.aws.amazon.com/lambda/latest/dg/vpc.html and the official Lambda VPC announcement here: https://aws.amazon.com/blogs/aws/new-access-resources-in-a-vpc-from-your-lambda-functions/ What specifically do you want from them that they aren't providing you? Anyway, that's feedback you need to be providing Amazon instead of posting it here where they will never see it. – Mark B Mar 09 '17 at 14:29
  • Also, I'm not seeing anything in your posted code that needs to be running inside a VPC. If you just remove the Lambda function from the VPC it will be able to access the AWS API. – Mark B Mar 09 '17 at 14:31
  • @MarkB the code I posted is just an example I took from a larger application built using the Serverless framework with a NodeJS ExpressJS API fronted by API Gateway. – ajmcgarry Mar 09 '17 at 14:49

1 Answer

-2
  1. You are putting callback after return statement. Of course it will never be executed because you returned from the function.

  2. If the subnet you are running the Lambda in is not public or does not have a NAT Gateway, it won't be able to connect to the Internet, and thus to the AWS APIs.

Cagatay Gurturk
  • Hi @Çağatay Gürtürk, yes a silly error, due to me taking the boilerplate code to demonstrate my problem and not properly calling the callback function. I have edited and fixed that. However this is not the issue and as I said it did work as coded outside of VPC and did not end prematurely in either case. I will take your advice and add a NAT to the subnet – ajmcgarry Mar 09 '17 at 13:57
  • You can add Internet Gateway to your subnet and solve the problem, but then your subnet will be a public subnet. As long as the subnet has Internet access you should not have problem. – Cagatay Gurturk Mar 09 '17 at 14:05
  • As per the original question. I already have a single public subnet with an Internet Gateway. I tried to swap it for a NAT as I only have a single route table in the VPC and it made no difference. Could you try to execute my code as you say it can be done because I don't believe this is the answer – ajmcgarry Mar 09 '17 at 14:08
  • @ÇağatayGürtürk you are incorrect about the public subnet and internet gateway thing. You have to add a NAT gateway, because even in a public subnet a Lambda function is not assigned a public IP so it still can't access anything outside the VPC. – Mark B Mar 09 '17 at 14:30
  • Does your public subnet have internet access? Can you cross-check your route table for internet access? @ajmcgarry – Abhishek Kumar May 10 '20 at 15:00
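The route-table check suggested in the comments can be made mechanical. The following is an added example, not code from the question or the answer: it takes route tables in the shape returned by the EC2 DescribeRouteTables API, finds the table that governs a given subnet (explicit association, else the VPC's main table), and reports whether a Lambda function placed in that subnet can reach the public AWS API endpoints. It encodes the point Mark B makes above: a 0.0.0.0/0 route to an internet gateway (igw-*) is not enough, because the function's ENI never gets a public IP, whereas a route to a NAT gateway (nat-*) works. All subnet, route table, gateway IDs and the CIDR are constructed sample values; the function and variable names are this example's own.

```javascript
// Added example: classify a subnet's egress for a VPC-attached Lambda function.
// Input objects mirror EC2 DescribeRouteTables output; sample data below is constructed.

// Return the target of the active default (0.0.0.0/0) route, or null if there is none.
function defaultRouteTarget(routeTable) {
  const route = (routeTable.Routes || []).find(
    r => r.DestinationCidrBlock === '0.0.0.0/0' && r.State !== 'blackhole'
  );
  if (!route) return null;
  return route.NatGatewayId || route.GatewayId || route.TransitGatewayId ||
         route.NetworkInterfaceId || null;
}

// Decide whether a Lambda function in `subnetId` can reach public AWS endpoints.
// Returns { ok, reason } so the caller can log the diagnosis.
function lambdaEgressStatus(subnetId, routeTables) {
  // A subnet uses its explicitly associated table, otherwise the VPC's main table.
  let table = routeTables.find(t =>
    (t.Associations || []).some(a => a.SubnetId === subnetId));
  if (!table) {
    table = routeTables.find(t => (t.Associations || []).some(a => a.Main));
  }
  if (!table) return { ok: false, reason: 'no route table found for subnet' };

  const target = defaultRouteTarget(table);
  if (!target) {
    return { ok: false, reason: 'no 0.0.0.0/0 route: subnet is isolated, no internet egress' };
  }
  if (target.startsWith('nat-')) {
    return { ok: true, reason: `default route via NAT gateway ${target}` };
  }
  if (target.startsWith('igw-')) {
    // Public subnet: fine for instances with public IPs, not for Lambda ENIs.
    return {
      ok: false,
      reason: `default route via internet gateway ${target}: Lambda ENIs have no public IP, ` +
              'so traffic cannot egress; place the function in a private subnet whose ' +
              'default route points at a NAT gateway, or use a VPC endpoint for the service'
    };
  }
  return { ok: false, reason: `default route via ${target}; confirm it performs NAT` };
}

// Constructed sample: one public subnet (IGW), one private subnet (NAT), and a main
// table with only the local route, as the VPC wizard's "single public subnet" layout
// plus a NAT-backed private subnet would look.
const SAMPLE_ROUTE_TABLES = [
  {
    RouteTableId: 'rtb-public-EXAMPLE',
    Associations: [{ SubnetId: 'subnet-public-EXAMPLE' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' },
      { DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-EXAMPLE', State: 'active' }
    ]
  },
  {
    RouteTableId: 'rtb-private-EXAMPLE',
    Associations: [{ SubnetId: 'subnet-private-EXAMPLE' }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' },
      { DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-EXAMPLE', State: 'active' }
    ]
  },
  {
    RouteTableId: 'rtb-main-EXAMPLE',
    Associations: [{ Main: true }],
    Routes: [
      { DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local', State: 'active' }
    ]
  }
];

for (const subnet of ['subnet-public-EXAMPLE', 'subnet-private-EXAMPLE', 'subnet-isolated-EXAMPLE']) {
  const status = lambdaEgressStatus(subnet, SAMPLE_ROUTE_TABLES);
  console.log(subnet, status.ok ? 'OK' : 'BLOCKED', '-', status.reason);
}
```

Against live data, `SAMPLE_ROUTE_TABLES` would be replaced by the `RouteTables` array from `ec2.describeRouteTables({ Filters: [{ Name: 'vpc-id', Values: [vpcId] }] }).promise()`. Note that it only checks routing; a security group or network ACL that blocks outbound 443 produces the same timeout symptom and is worth checking next.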