
I have a Lambda in my VPC that needs to access DynamoDB. I have a VPC Endpoint set up for this, finally got it to work, but am questioning the setup.

  • Lambda is running in my private subnet.
  • The subnet has a route table:
    1. Destination: 10.153.32.0/21
      Target: local
    2. Destination: pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb, 52.94.0.0/22, 52.119.224.0/20)
      Target: (my VPC Endpoint)
    3. Destination: 0.0.0.0/0
      Target: (my NAT Gateway)
  • My VPC Endpoint is associated with the above route table (and a few others), hence the #2 route.
  • And I added the following Network ACL Inbound Rule
    • Port range 1024 - 65535
    • CIDR blocks 52.94.0.0/22 and 52.119.224.0/20
    • ALLOW

What concerns me is that Network ACL rule. I added it after reading this comment.

I'm wondering if I need that rule, or if maybe something else is wrong? I was surprised I had to add it because that SO comment was the only place that mentioned it.

It feels fairly safe to add since those CIDRs should be safe to allow since they are specifically for DynamoDB. But I'm assuming I'll have to keep an eye out for changes to those ranges.

EDIT: I also tried updating my lambda's security group outbound rules, to allow all ports with a destination of pl-02cd2c6b, but that didn't work.

Jason Capriotti
  • It depends entirely on if you already had NACL rules in your VPC. By default all traffic is allowed, NACL rules only add restrictions, so if you didn't have NACL rules already you didn't need to create one. The same goes for the outbound security group rules on your Lambda function, by default all outbound traffic is allowed, so you didn't need to add a rule if you didn't already have any. – Mark B Jan 20 '20 at 01:31

1 Answer


You would only need that rule if you decided to use a customized Network ACL. By default, NACLs allow all, leaving network access control in the hands of security group settings... so if you don't use the default rules, you have to manually allow everything in both directions since, unlike security groups, NACLs don't track IP flow states.

What you are doing looks correct (assuming you need a custom NACL).

The IP addresses from the prefix list are necessary for allowing reply traffic in the inbound direction, and the unusually-broad ephemeral port range comes from the VPC documentation:

AWS Lambda functions use ports 1024-65535.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

There is a documented caveat about treating the prefix list as static:

The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.

https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-routing

Using the default "allow all" NACL is probably a better alternative. If you really feel the need to lock down your Lambda function's access, you should be able to create an outbound security group rule referencing the pl-xxxx directly. This will work once your NACL is set back to allow all.

Michael - sqlbot
  • Thanks for the great perspective. I was indeed completely ignoring how my NACLs were setup and how that compares to the default. Basically I assumed mine were the default, when they aren't. My VPC is loosely based on the HIPAA quickstart, so I'll have to take that into consideration. – Jason Capriotti Jan 20 '20 at 02:47
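As an added illustration (not code from the question or the answer above), here is a small Python model of how a stateless NACL evaluates the Lambda-to-DynamoDB flow: the request must match an outbound ALLOW and the reply, arriving at the Lambda's ephemeral port, must separately match an inbound ALLOW. The prefix-list CIDRs and the 1024-65535 port range come from the question; the rule numbers, the HTTPS-only outbound rule and the sample DynamoDB address are constructed for the example.

```python
# Constructed model of stateless NACL evaluation for a Lambda -> DynamoDB
# gateway-endpoint flow. CIDRs and the ephemeral range are from the question;
# rule numbers, the custom outbound rule and sample IPs are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order, first match wins
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int   # destination port range of the packet being evaluated
    port_to: int
    allow: bool

# Prefix list pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb) from the question.
DYNAMODB_CIDRS = ["52.94.0.0/22", "52.119.224.0/20"]
LAMBDA_EPHEMERAL = (1024, 65535)   # documented ephemeral range for Lambda

def nacl_decision(rules, ip, port):
    """First matching rule wins; the implicit '*' rule denies everything else."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.allow
    return False

def flow_allowed(outbound, inbound, dst_ip, dst_port, ephemeral_port):
    """NACLs are stateless: the request (outbound, to dst_ip:dst_port) AND the
    reply (inbound, from dst_ip to the Lambda's ephemeral port) need ALLOW rules."""
    return nacl_decision(outbound, dst_ip, dst_port) and nacl_decision(inbound, dst_ip, ephemeral_port)

# Default NACL: one rule allowing everything, used for both directions.
DEFAULT = [NaclRule(100, "0.0.0.0/0", 0, 65535, True)]

# Custom NACL (constructed): HTTPS out anywhere; inbound only the reply rule
# from the question (ephemeral ports from the DynamoDB prefix-list CIDRs).
CUSTOM_OUT = [NaclRule(100, "0.0.0.0/0", 443, 443, True)]
CUSTOM_IN_WITH_REPLY = [NaclRule(100 + 10 * n, cidr, *LAMBDA_EPHEMERAL, True)
                        for n, cidr in enumerate(DYNAMODB_CIDRS)]
CUSTOM_IN_WITHOUT = []   # nothing but the implicit deny

def demo():
    dynamodb_ip = "52.94.1.10"   # constructed address inside 52.94.0.0/22
    return {
        "default": flow_allowed(DEFAULT, DEFAULT, dynamodb_ip, 443, 40000),
        "custom_with_reply_rule": flow_allowed(CUSTOM_OUT, CUSTOM_IN_WITH_REPLY, dynamodb_ip, 443, 40000),
        "custom_without_reply_rule": flow_allowed(CUSTOM_OUT, CUSTOM_IN_WITHOUT, dynamodb_ip, 443, 40000),
        # reply from an address outside the prefix list is still denied
        "unrelated_source": flow_allowed(CUSTOM_OUT, CUSTOM_IN_WITH_REPLY, "198.51.100.7", 443, 40000),
    }

if __name__ == "__main__":
    print(demo())
```

The model shows why the question's inbound rule is needed only once the default allow-all NACL has been replaced: with the default rule set, the reply is allowed without it.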