
I have a Lambda function from which I need to make an external API call. I have added the Lambda function to a security group, a VPC, and 2 subnets, and it gives me this text:

When you enable VPC, your Lambda function will lose default internet access. If you require external internet access for your function, ensure that your security group allows outbound connections and that your VPC has a NAT gateway.

I go into VPC, create a NAT gateway (I let AWS create an EIP), attach it to one of the subnets on my lambda function.

For debugging purposes, my security group outbound functions are set to all traffic/all destinations (0.0.0.0/0). Also my Network ACL for this VPC is set to this (with 5 subnets, including the one with the NAT gateway):

100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | ALLOW

A route table with the same 2 subnets is on the VPC, with the 0.0.0.0/0 route set to target the NAT gateway.

A different route table with 3 other subnets is also on the VPC, with the 0.0.0.0/0 route set to target the internet gateway.

Both route tables have the same local destination IP (the IP for the VPC).

The error I get is:

{ Error: connect ETIMEDOUT x.x.x.x:443
    at Object.exports._errnoException (util.js:1018:11)
    at exports._exceptionWithHostPort (util.js:1041:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1090:14)
  code: 'ETIMEDOUT',
  errno: 'ETIMEDOUT',
  syscall: 'connect',
  address: 'x.x.x.x',
  port: 443 }

The node code I am running works on my desktop node environment, and the POST call works in postman, so I am fairly certain this is a problem with my AWS config.

I have been using this scenario as a resource: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Arafat Nalkhande
getglad
  • Could it be that security groups are blocking something? And it seems the NAT gateway should be attached to a public subnet, is that how you configured it? http://stackoverflow.com/questions/37135725/aws-lambda-connecting-to-internet?rq=1 – kosa Apr 27 '17 at 14:54
  • I added a link to the resource I've been using. I created the VPC using the wizard with public/private just to make sure everything is setup correctly. Changed out to the new VPC in my lambda function, added the new private+public subnet + security group. Security group has all outbound connections set to 0.0.0.0/0. Still ETIMEDOUT. I must be missing something, but not sure how to debug... – getglad Apr 27 '17 at 16:32
  • One question, all resources are in same region or different region? – kosa Apr 27 '17 at 16:41
  • all are in N. VA. – getglad Apr 27 '17 at 16:46
  • Did you follow the security groups section in the link you have specified? ACL & AWS Security groups? – kosa Apr 27 '17 at 17:00

1 Answer

I go into VPC, create a NAT gateway (I let AWS create a EIP), attach it to one of the subnets on my lambda function.

That is where you went wrong.

The NAT Gateway must not be attached to any of the subnets it serves. The NAT Gateway must be on a public subnet with a default route to the Internet Gateway.

A NAT Gateway's default route follows the default route of the route table of the subnet to which it is attached, to reach the Internet. If it's associated with a subnet that needs a NAT Gateway, its default route loops back on itself.

Then, all subnets associated with Lambda need to use a route table whose default route points to the NAT Gateway.

Michael - sqlbot
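As an added example (not code from the original post or the answer), here is a small Python audit that checks the two rules the answer states: every NAT Gateway must sit in a subnet whose default route goes to an Internet Gateway, and every subnet the Lambda function uses must send 0.0.0.0/0 to a NAT Gateway. The inputs are constructed inline in the shape that boto3's `ec2.describe_route_tables()` and `ec2.describe_nat_gateways()` return, with made-up subnet, route table, NAT and IGW IDs, so it runs offline; pass real API responses to audit a live VPC.

```python
"""Audit a VPC's egress path for a VPC-attached Lambda function.

Added example, not part of the original question or answer. Inputs are
constructed in the boto3 describe_route_tables / describe_nat_gateways
response shape; all IDs below are made up.
"""

DEFAULT_ROUTE = "0.0.0.0/0"
TARGET_KEYS = ("NatGatewayId", "GatewayId", "InstanceId", "NetworkInterfaceId")


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":  # blackhole routes do not forward
            continue
        for key in TARGET_KEYS:  # a route carries exactly one target key
            if key in route:
                return route[key]
    return None


def route_table_lookup(route_tables):
    """Build a subnet -> route table lookup, falling back to the VPC's main table."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return lambda subnet_id: explicit.get(subnet_id, main)


def audit(route_tables, nat_gateways, lambda_subnets):
    """Return findings as strings; an empty list means the egress path is consistent."""
    table_for = route_table_lookup(route_tables)
    findings = []

    # Rule 1: a NAT Gateway's subnet must default-route to an IGW, never to the
    # NAT Gateway itself (the loop the answer describes).
    for nat in nat_gateways:
        nat_id, subnet_id = nat["NatGatewayId"], nat["SubnetId"]
        rt = table_for(subnet_id)
        target = default_route_target(rt) if rt else None
        if target == nat_id:
            findings.append(f"{nat_id} is in {subnet_id}, whose default route points back at {nat_id}: loop")
        elif not str(target).startswith("igw-"):
            findings.append(f"{nat_id} is in {subnet_id}, which has no default route to an IGW (target={target})")

    # Rule 2: every Lambda subnet must send 0.0.0.0/0 to a NAT Gateway. An IGW route
    # does not help here: the ENIs Lambda creates in the VPC only have private IPs.
    for subnet_id in lambda_subnets:
        rt = table_for(subnet_id)
        target = default_route_target(rt) if rt else None
        if target is None:
            findings.append(f"Lambda subnet {subnet_id} has no default route")
        elif not target.startswith("nat-"):
            findings.append(f"Lambda subnet {subnet_id} routes 0.0.0.0/0 to {target}, not to a NAT Gateway")
    return findings


# Constructed data modelled on the question: two subnets hold the Lambda function
# and route to the NAT Gateway, three others route to the IGW.
LAMBDA_SUBNETS = ["subnet-lambda-a", "subnet-lambda-b"]
PUBLIC_SUBNETS = ["subnet-public-1", "subnet-public-2", "subnet-public-3"]


def route_tables():
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
    return [
        {"RouteTableId": "rtb-private",
         "Associations": [{"SubnetId": s} for s in LAMBDA_SUBNETS],
         "Routes": [local, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0f00", "State": "active"}]},
        {"RouteTableId": "rtb-public",
         "Associations": [{"SubnetId": s} for s in PUBLIC_SUBNETS] + [{"Main": True}],
         "Routes": [local, {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc", "State": "active"}]},
    ]


def broken_setup():
    """NAT Gateway attached to one of the Lambda subnets, as in the question."""
    return route_tables(), [{"NatGatewayId": "nat-0f00", "SubnetId": "subnet-lambda-a"}], LAMBDA_SUBNETS


def fixed_setup():
    """NAT Gateway moved to a public subnet, as the answer prescribes."""
    return route_tables(), [{"NatGatewayId": "nat-0f00", "SubnetId": "subnet-public-1"}], LAMBDA_SUBNETS


if __name__ == "__main__":
    for name, setup in (("broken", broken_setup()), ("fixed", fixed_setup())):
        print(name, audit(*setup) or ["OK"])
```

The broken setup reports exactly the loop from the answer; the fixed setup reports nothing. Note that a passing audit only proves the route tables are consistent: security group egress rules and network ACLs, which the question already opened up, are checked separately.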