
My lambdas need access to a DB and SQS. The DB is connected to my default VPC through peering. So I placed my lambdas in the VPC as well. They can access the DB, but timeout when accessing SQS. The security group allows all traffic in and out.

I'm using .NET Core 6 and the AWSSDK.SQS package.

I tried adding a VPC Endpoint to SQS, but when I do that, EC2 instances can no longer communicate with SQS and this causes Elastic Beanstalk deployments to not update deployed EC2 instances. What can I do to give my lambdas access and not break other things?

Ben Zuill-Smith
  • Assuming you intend to reach SQS via its public service endpoint, move the Lambda function to a private subnet and ensure your VPC has an IGW and a NAT. See related [question](https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the). – jarmod Mar 07 '23 at 20:00
  • "I tried adding a VPC Endpoint to SQS, but when I do that, EC2 instances can no longer communicate with SQS" That's really strange. That shouldn't be happening. It sounds like you aren't setting up the VPC endpoint correctly. You need to configure the security group of the VPC endpoint to allow all the traffic that needs to go through it. – Mark B Mar 07 '23 at 20:12
  • @MarkB Here is how I set it up -- Endpoint Settings: `AWS Services`. Services: `com.amazonaws.us-east-1.sqs`. VPC: ``. Subnets: ``. Security groups: `default (all traffic enabled)`. Policy: `Full Access`. -- Just tried it again. Lambda can now reach SQS, but EB cannot deploy to instances. Under the hood, the instances (via cfn-hup) poll an SQS queue to know when to deploy an update. The service times out trying to access whatever it is accessing. – Ben Zuill-Smith Mar 07 '23 at 22:07
  • That's really strange, but I haven't used Elastic Beanstalk in so long I don't know how to resolve that. I would suggest simply running the Lambda function in different subnets from the Elastic Beanstalk application, and only configure the SQS endpoint in the Lambda subnets. – Mark B Mar 08 '23 at 01:21
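
The thread ends without an answer, so here is one concrete way to do what the last comment suggests: an SQS interface endpoint that only the Lambda subnets and the Lambda security group can use, written as a CloudFormation template. This is an added example, not code from the question or the commenters, and the parameter names (`LambdaSubnetIds`, `LambdaSecurityGroupId`, `QueueArn`) are placeholders for your own values. Two details matter for the "EB breaks" symptom. Private DNS on an interface endpoint overrides the regional `sqs.<region>.amazonaws.com` name for every subnet in the VPC, not only the subnets the endpoint was attached to, so any host that the endpoint's security group does not admit starts timing out against SQS; and the VPC's `default` security group only admits traffic from members of itself, which would exclude Elastic Beanstalk instances in another group. That combination is consistent with the described behaviour, although the page does not confirm it. The template therefore leaves `PrivateDnsEnabled` off so the public name, and the Beanstalk instances' existing NAT/IGW path, stay untouched, restricts the endpoint's security group to HTTPS from the Lambda group instead of `all traffic`, and replaces the `Full Access` endpoint policy with one scoped to the queue the functions actually need.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original post). SQS interface endpoint that is
  reachable only from the Lambda subnets and security group. Private DNS is
  left off so the rest of the VPC (Elastic Beanstalk instances included)
  keeps resolving SQS to its public endpoint exactly as before.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  LambdaSubnetIds:
    # Private subnets used only by the Lambda functions (placeholder name).
    Type: List<AWS::EC2::Subnet::Id>
  LambdaSecurityGroupId:
    # The security group attached to the Lambda functions (placeholder name).
    Type: AWS::EC2::SecurityGroup::Id
  QueueArn:
    # The single queue the functions need; assumed for the example.
    Type: String

Resources:
  SqsEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the SQS endpoint, only from the Lambda SG
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Instead of "default (all traffic)": only TCP/443 and only from
        # members of the Lambda security group. Nothing else in the VPC can
        # reach the endpoint ENIs, and nothing else is redirected to them
        # because private DNS stays disabled below.
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroupId

  SqsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      # Only the Lambda subnets get an endpoint ENI.
      SubnetIds: !Ref LambdaSubnetIds
      SecurityGroupIds:
        - !Ref SqsEndpointSecurityGroup
      # Do NOT hijack sqs.<region>.amazonaws.com for the whole VPC; the
      # Lambda functions are pointed at the endpoint's own DNS name instead.
      PrivateDnsEnabled: false
      # Instead of "Full Access": only the operations the consumer needs,
      # and only on the one queue.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - sqs:SendMessage
              - sqs:ReceiveMessage
              - sqs:DeleteMessage
              - sqs:GetQueueUrl
              - sqs:GetQueueAttributes
            Resource: !Ref QueueArn

Outputs:
  SqsEndpointDnsName:
    # DnsEntries holds "hostedZoneId:dnsName" strings; the first entry is the
    # regional endpoint name. Hand it to the Lambda (e.g. as an environment
    # variable) and use it as the SDK's ServiceURL.
    Value: !Select [1, !Split [":", !Select [0, !GetAtt SqsEndpoint.DnsEntries]]]
```

With private DNS off, the functions must be told to use the endpoint explicitly: in the .NET SDK that is `AmazonSQSConfig.ServiceURL` set to `https://` followed by the `SqsEndpointDnsName` output, together with `AuthenticationRegion` set to the region (both are properties of `ClientConfig`). The Beanstalk instances and cfn-hup keep using the public SQS name through their existing route, so their deployments are unaffected; if you later want them to use the endpoint as well, add their security group as a second ingress source and extend the endpoint policy to the queues they poll rather than re-enabling private DNS with an open security group.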

0 Answers