
I have a problem with an AWS Lambda Function which depends upon DynamoDB and SQS to function properly. When I try to run the lambda stack, they time out when trying to connect to the SQS service. The AWS Lambda Function lies inside a VPC with the following setup:

  • A VPC with four subnets
  • Two subnets are public, routing their 0.0.0.0/16 traffic to an internet gateway
  • A MySQL server sits in a public subnet
  • The other two contain the lambdas and route their 0.0.0.0/16 traffic to a NAT which lives in one of the public subnets.
  • All route tables have a 10.0.0.0/16 to local rule (is this the problem because Lambdas use private IPs inside a VPC?)
  • The main route table is the one with the NAT, but I explicitly associated the public nets with the internet gateway routing table
  • The lambdas and the mysql server share a security group which allows for inbound internal access (10.x/16) as well as unrestricted outbound traffic (0.0.0.0/16).

Traffic between lambdas and the mysql instance is no problem (except if I put the lambdas outside the VPC, then they can't access the server even if I open up all ports). Assume the code for the lambdas is also correct, as it worked before I tried to mask it in a private net. Also the lambda execution roles have been set accordingly (or do they need adjustments after moving them to a private net?).

Adding a dynamodb endpoint solved the problems with the database, but there are no VPC endpoints available for some of the other services. Following some answers I found here, here, here and in the announcements / tutorials here and here, I am pretty sure I followed all the recommended steps.

I would be very thankful and glad for any hints where to check next, as I have currently no idea what could be the problem here.

EDIT: The functions don't seem to have any internet access at all, since a toy example I checked also timed out:

import urllib.request

def lambda_handler(event, context):
    # Toy connectivity check: fetch a public site; this times out if the
    # subnet has no working route to the internet
    test = urllib.request.urlopen(url="http://www.google.de")
    return test.status
aL_eX
  • This is just to point readers to [your answer](https://stackoverflow.com/a/48292260/992887) which highlights that changing the incorrect `0.0.0.0/16` in various places to `0.0.0.0/0` was the solution. – RichVel Feb 21 '18 at 06:25

2 Answers

Of course the problem was sitting in front of the monitor again. Instead of routing 0.0.0.0/0 (any traffic) to the internet gateway, I had just specified 0.0.0.0/16 (traffic from machines with a 0.0.x.x IP) to the gateway. Since no machines with such an IP exist, any traffic was blocked from entering or leaving the VPC.

@John Rotenstein: Thx, though, for the hint about lambdash. It seems like a very helpful tool.
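A small audit for exactly this route-table mistake, written here as an added example (not code from the question or either answer): it walks route tables in the shape boto3's `describe_route_tables()` returns and flags a `0.0.0.0/16`-style destination aimed at a gateway, plus any table with no `0.0.0.0/0` route at all. The sample tables and the `rtb-`/`igw-`/`nat-` ids are constructed placeholders; against a real account you would pass `ec2.describe_route_tables()["RouteTables"]` instead.

```python
import ipaddress

# Constructed sample in the shape of boto3's describe_route_tables() output,
# modelled on the misconfiguration in the question (0.0.0.0/16 instead of /0).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-EXAMPLE",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/16", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-private-EXAMPLE",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]

def _target(route):
    # A route points at exactly one target; return its id for reporting.
    for key in ("GatewayId", "NatGatewayId", "TransitGatewayId",
                "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
        if key in route:
            return route[key]
    return "unknown"

def audit_route_table(table):
    """Return a list of human-readable findings for one route table."""
    findings = []
    has_default = False
    for route in table["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:  # IPv6 and prefix-list routes are out of scope here
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        target = _target(route)
        if net == ipaddress.ip_network("0.0.0.0/0"):
            has_default = True
        elif net.network_address == ipaddress.ip_address("0.0.0.0") and target != "local":
            # 0.0.0.0/16 and friends only match the unroutable 0.0.x.x range, so
            # the gateway never sees real traffic; almost certainly a typo for /0.
            findings.append(f"{table['RouteTableId']}: {cidr} -> {target} "
                            "looks like a mistyped default route (use 0.0.0.0/0)")
    if not has_default:
        findings.append(f"{table['RouteTableId']}: no 0.0.0.0/0 route, "
                        "subnets using this table have no internet path")
    return findings

def audit(route_tables):
    """Audit every table; an empty list means nothing suspicious was found."""
    return [f for t in route_tables for f in audit_route_table(t)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTE_TABLES):
        print(finding)
```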


Your configuration sounds correct.

You should test the configuration to see whether you can access any public Internet sites, then test connecting to AWS.

You could either write a Lambda function that attempts such connections or you could use lambdash that effectively gives you a remote shell running on Lambda. This way, you can easily test connectivity from the command line, such as curl.

John Rotenstein
  • It seems the functions really don't have any internet access. A quick toy function I wrote also times out (see edited OP for the function) – DatenBergwerker Jan 17 '18 at 09:20