
I've developed a simple Lambda function that sends a GET request to an API; this API is placed in a VPN. Obviously when I test my Lambda locally, it works just fine because I have my VPN enabled on my laptop, but when I deploy the same Lambda and test it remotely I get java.net.UnknownHostException: xxxxx: Name or service not known.

Any ideas about how to extend my local VPN configuration to an AWS VPC which contains the Lambda? And how about creating an EC2 instance as a proxy that contains the VPN configuration? I'm stuck here and I am open to any reasonable solution.

Thank you!

  • If you're going to run an EC2 instance to connect to the VPN, it sort of defeats the benefits of running AWS Lambda. You could just run your code on the same instance. – John Rotenstein May 14 '21 at 21:55
  • Understood, are there other ways to make this connection happen? – Oncobe May 15 '21 at 06:58
  • Is the target service running on AWS? If so, there might be an easier way to connect (e.g. VPC Peering) rather than using a VPN connection. Can you tell us more about the setup? – John Rotenstein May 15 '21 at 12:40

2 Answers


I faced a similar issue where I wanted a Lambda function to get data from an API that is behind a VPN, but I did not have any control over the client VPN. If you are able to install the required client-side VPN configuration with Openswan, then AWS Site-to-Site VPN is the correct answer. It will ensure that Lambda and other AWS services can interact cleanly with the services protected by the VPN.

If you cannot set up a site-to-site VPN, then it's not possible for Lambda to call the API directly. Your goal, then, may be to find some way to connect to the VPN as a client, call the API to get the data, and then store the data in the VPC.

Please note that this solution may not be appropriate for your use case. It works for me only because I need to periodically call the API to update data for analysis and reporting, which is currently done on my computer. I have access to the data through the API, but not directly to the databases or systems protected by the VPN.

  1. Set up a VPC with an internet gateway that is connected to the public internet. This includes the VPC, subnets, route tables, and the internet gateway. There are many guides online, but I used this "OpenVPN+VPC+VPN Client Configuration" video for guidance. The narrator sets up the VPC with public internet access beginning at 6:00.
  2. Launch an EC2 instance with an Amazon Linux 2 AMI.
  3. SSH into the new EC2 instance, and install the OpenVPN package (this StackOverflow thread contains instructions).
  4. Copy all necessary VPN configuration files to the EC2 instance along with your get scripts. I used SCP to complete this task. Because I use OpenVPN, I copied my .conf file over.
  5. Connect to the VPN through this EC2 instance and run your API scripts.

This allows you to get the data from the API into the EC2 instance, and from there the data could be stored in an S3 bucket, in DynamoDB, or in whatever form on the VPC that suits your needs best.

Note that the scripts and configuration files will be deleted by default when the instance is stopped or terminated. If you plan to use this method regularly to pull data, then it may be best to keep your files in an S3 bucket and transfer them to the EC2 as needed so that you don't have to SCP the files from your computer every time.

The VPC, subnets, route tables, and internet gateway do not need to be set up anew every time. They can remain in place and will incur no charge. You will incur charges with the EC2 instances.


If your Lambda needs to access an endpoint on a private network (outside AWS) you'll need to connect the VPC where your Lambda is running with your private network.

To do that you can check the AWS Site-to-Site VPN, this will allow you to connect the VPC with your remote network.