
I have a Lambda function which connects to an external database (running MySQL) and sends SNS emails after grabbing data from the database.

I have created a VPC with a NAT gateway, 2 subnets and a security group that allows all incoming and outgoing traffic. The reason for creating a VPC to attach to my Lambda function is that I needed an Elastic IP as MySQL needs to authorise all external IPs trying to connect.

Without the VPC, my code works fine, gets the data from the database and sends the SNS emails with no problem. However, when adding the VPC to the Lambda function, neither the MySQL queries work nor does SNS send any emails.

I don't get any errors in CloudWatch Logs or any indication of what may be causing the issue. Anybody know what could be causing this?

1 Answer

For an AWS Lambda function to have Internet access, one of these options is required:

  • Do not select a VPC. The function will be directly connected to the Internet but, contrary to your needs, you will not have an Elastic IP address associated with it.
  • Connect the Lambda function to a private subnet and use a NAT Gateway to connect to the Internet. The Lambda function will appear to come from the IP address of the NAT Gateway.
  • Connect the Lambda function to a public subnet and associate an Elastic IP address with the Elastic Network Interface (ENI) where the Lambda function connects to the subnet. Internet traffic will appear to come from the Elastic IP address.
John Rotenstein
    How do you manage the ENI Elastic IP trick when the Lambda service is automatically creating and deleting ENIs constantly? – Mark B Aug 23 '18 at 14:31
  • Mmm. I've done it on one ENI, but I didn't think of the situation where multiple Lambda functions & ENIs are created. If there are likely to be concurrent executions, I guess NAT Gateway is the way to go! – John Rotenstein Aug 23 '18 at 21:36
  • @MarkB is correct... [*"If your Lambda function accesses a VPC, you must make sure that your VPC has sufficient ENI capacity to support the scale requirements of your Lambda function."*](https://docs.aws.amazon.com/lambda/latest/dg/vpc.html) The *approximate* formula for number of ENIs Lambda will need to allocate to a function is ceil(actual peak execution concurrency × (container size in MiB ÷ 3072)). – Michael - sqlbot Aug 23 '18 at 22:26
  • @JohnRotenstein Thank you. I figured out what my issue was. I had created 2 public subnets and no private subnets and assigned the 2 public subnets to the Lambda function. I changed it and created 2 private and 2 public subnets and only attached the 2 private subnets to the Lambda function. – Richard Phelps Aug 24 '18 at 12:03
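The fix reported in the last comment (attach only private subnets whose default route points at a NAT Gateway) can be checked before deploying. The following Python is an added example, not code from the question or answer: it classifies subnets from `describe_route_tables()`-shaped data, using a constructed sample (all ids made up) in place of a live boto3 call.

```python
# Classify Lambda VPC subnets by their egress path. The sample below is
# constructed; in practice pass the RouteTables list returned by
# boto3's ec2.describe_route_tables() for the VPC unchanged.

# Constructed sample: a main table with no default route, a public table
# (0.0.0.0/0 -> Internet Gateway) and a private table (0.0.0.0/0 -> NAT).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": False, "SubnetId": "subnet-priv-a"},
                      {"Main": False, "SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, route_tables):
    """Return 'public', 'private-nat' or 'isolated'.

    A Lambda ENI never gets a public IP, so an Internet Gateway default
    route ('public') gives the function no Internet access; only a NAT
    Gateway default route ('private-nat') does.
    """
    rt = route_table_for(subnet_id, route_tables) or {}
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"
    return "isolated"

def lambda_subnets_have_egress(subnet_ids, route_tables):
    """True only if every subnet attached to the function egresses via NAT."""
    return all(classify_subnet(s, route_tables) == "private-nat" for s in subnet_ids)
```

A subnet with no explicit association falls back to the main route table, which in the sample has no default route and is therefore reported as isolated.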