
I have an AWS Lambda function that points to an application load balancer URL when triggered. This load balancer sits in a public subnet.

I was required to attach a VPC to the Lambda function to prevent it from going over the internet as the public subnet NACLs were too permissive.

After attaching my Lambda function to the VPC, I attached a Security Group to the VPC configuration. The Lambda function now sits within the private subnet.

# inbound
HTTPS    TCP   443    0.0.0.0/0
# outbound
ALL      ALL   443    0.0.0.0/0

The private subnets have a route in their Route Table that points to a NAT Gateway. In addition, the NACL attached to the private subnet looks like this:

100     All traffic  All    All  0.0.0.0/0   Allow
*       All traffic  All    All  0.0.0.0/0   Deny

Why is my Lambda function not able to hit the application load balancer?
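Added example, not part of the question or of any answer: a small model of the path the question describes (Lambda ENI in a private subnet, route to a NAT gateway, stateless ordered NACL, stateful security groups) that shows why the load balancer's scheme decides which source its security group has to allow. The group id `sg-lambda`, the port 40000 used as a sample ephemeral return port, and every IP address are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One security-group or NACL entry; source is a CIDR or (SG only) a group id."""
    proto: str          # "tcp", or "-1" for all traffic
    port_from: int
    port_to: int
    source: str
    allow: bool = True  # NACLs carry deny entries; SG entries only ever allow
    number: int = 0     # NACL rule number; the '*' default row is modelled as 32768

def _matches(r, proto, port, peer_ip, peer_sg=None):
    if r.proto not in ("-1", proto) or not (r.port_from <= port <= r.port_to):
        return False
    if "/" not in r.source:  # a security-group reference, used by SG entries only
        return r.source == peer_sg
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r.source)

def nacl_permits(rules, proto, port, peer_ip):
    """Stateless and ordered: the lowest-numbered matching entry decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, peer_ip):
            return r.allow
    return False

def sg_permits(rules, proto, port, peer_ip, peer_sg=None):
    """Stateful: only the initiating direction needs an entry; it may name a group."""
    return any(_matches(r, proto, port, peer_ip, peer_sg) for r in rules)

def lambda_can_reach_alb(alb_scheme, alb_sg, lambda_sg_id, lambda_ip, nat_eip,
                         nacl_out, nacl_in, alb_public_ip, alb_private_ip):
    """Return (reachable, reason) for one HTTPS request from the Lambda ENI to the ALB."""
    if alb_scheme == "internet-facing":
        # Public DNS answer: the request leaves through the NAT gateway, which rewrites
        # the source to its EIP, so the ALB no longer sees the Lambda security group.
        alb_ip, seen_ip, seen_sg = alb_public_ip, nat_eip, None
    else:
        alb_ip, seen_ip, seen_sg = alb_private_ip, lambda_ip, lambda_sg_id
    if not nacl_permits(nacl_out, "tcp", 443, alb_ip):
        return False, "subnet NACL blocks outbound 443"
    if not nacl_permits(nacl_in, "tcp", 40000, alb_ip):  # a sample ephemeral return port
        return False, "subnet NACL blocks the ephemeral return traffic"
    if not sg_permits(alb_sg, "tcp", 443, seen_ip, seen_sg):
        return False, f"ALB security group rejects source {seen_sg or seen_ip}"
    return True, "ok"

# Constructed inputs mirroring the question's allow-all NACL (rule 100, then '*' deny).
OPEN_NACL = [Rule("-1", 0, 65535, "0.0.0.0/0", True, 100), Rule("-1", 0, 65535, "0.0.0.0/0", False, 32768)]
```

With an internal load balancer the ALB security group can reference the Lambda function's group; with an internet-facing one it has to allow the NAT gateway's Elastic IP, and a NACL that only opens 443 inbound also has to open the ephemeral range for the replies.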

John Rotenstein
TheWalkingMalteser
  • Are you asking why the Lambda function can't reach the Internet (as mentioned in your Title), or are you asking why the Lambda function can't access the Load Balancer from _within_ the VPC (as mentioned in your Question)? Has the Load Balancer been configured as an "internal" load balancer, or a "public" load balancer? This will impact whether the DNS Name resolves to a public or private IP address. Also, what is the configuration of the Security Group associated with the Load Balancer? – John Rotenstein Apr 19 '23 at 23:52
  • FYI the Lambda function SG doesn't need inbound port 443. Requests to Lambda aren't HTTP(S) requests. Those are (typically, other than for function URLs) made to API Gateway which triggers the Lambda control plane to invoke the Lambda function. – jarmod Apr 20 '23 at 01:07
  • Make sure your NACLs match the [defaults](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl). You didn't indicate whether yours are inbound or outbound or both. – jarmod Apr 20 '23 at 01:12
  • Related: https://stackoverflow.com/questions/52992085/why-cant-an-aws-lambda-function-inside-a-public-subnet-in-a-vpc-connect-to-the – jarmod Jun 16 '23 at 19:19

0 Answers