AWS Lambda can't access VPC resources
I have a lambda function that sends the following request to get the IDs of all instances inside the region:
import os, boto3
ec2_client = boto3.client('ec2', os.environ['region'])  # region taken from a Lambda environment variable
response = ec2_client.describe_instances(Filters=[{'Name': 'instance-state-name', 'Values': ['pending', 'running', 'shutting-down', 'stopping', 'stopped']}])
The lambda also sends a GET request to a REST API installed inside a VPC, and this API is not open to the internet:
import os, requests
resp = requests.get(os.environ['apidsi'] + '/persons/emails')  # API base URL taken from a Lambda environment variable
I put my Lambda function inside a VPC so that I can query the API, but when I do that, the lambda times out and does not access the EC2 instances inside other VPCs. The IAM role has all the necessary permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:*",
                "ec2:*",
                "s3:*",
                "autoscaling:*",
                "cloudwatch:*",
                "dynamodb:*"
            ],
            "Resource": "*"
        }
    ]
}
The security group is OK too, I guess. So to sum up:
- When I put the lambda function inside a VPC: I can access the REST API but not the VPC resources; the lambda times out.
- When I don't put the lambda function inside a VPC: the function gets all information about the VPC resources but can't access the REST API; it also times out.
How to solve this problem?
For information: I assigned a public subnet to my Lambda function. This public subnet has an Internet Gateway attached, and it is in the same VPC as the instance hosting the REST API.
python-3.x amazon-web-services aws-lambda vpc
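The setup in the question (a "public" subnet with an Internet Gateway, yet `describe_instances` times out once the function is attached to the VPC) is the standard Lambda-in-VPC egress problem: the function's ENIs get private addresses only, an Internet Gateway route is usable only by addresses that carry a public IP, so the call to the regional EC2 API never leaves the VPC. A default route to a NAT gateway, or an EC2 interface endpoint in the VPC, gives that traffic a path. The check below is an added example, not code from the question or its author: it classifies a subnet's egress situation from route-table and endpoint records. All records are constructed to mirror the shape of `describe_route_tables()` / `describe_vpc_endpoints()` output, and every identifier (`subnet-public-example`, `vpc-app-example`, `igw-example`, the `eu-west-1` region) is a placeholder.

```python
"""Added example: classify how a Lambda ENI placed in a given subnet could reach
the regional EC2 API.  The records below are constructed to mirror the shape of
describe_route_tables() / describe_vpc_endpoints() output; every identifier is a
placeholder and none comes from the question."""

ROUTE_TABLES = [
    {   # "public" subnet, as in the question: default route to an Internet Gateway
        "RouteTableId": "rtb-public-example",
        "VpcId": "vpc-app-example",
        "Associations": [{"SubnetId": "subnet-public-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {   # private subnet: default route to a NAT gateway
        "RouteTableId": "rtb-private-example",
        "VpcId": "vpc-app-example",
        "Associations": [{"SubnetId": "subnet-private-example"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
    {   # isolated subnet in a second VPC: no default route at all
        "RouteTableId": "rtb-isolated-example",
        "VpcId": "vpc-isolated-example",
        "Associations": [{"SubnetId": "subnet-isolated-example"}],
        "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}],
    },
]

VPC_ENDPOINTS = [
    {   # interface endpoint for the EC2 API, private DNS on, in the isolated VPC
        "VpcId": "vpc-isolated-example",
        "ServiceName": "com.amazonaws.eu-west-1.ec2",
        "VpcEndpointType": "Interface",
        "PrivateDnsEnabled": True,
    },
]


def route_table_for_subnet(subnet_id, route_tables):
    """Route table explicitly associated with subnet_id, or None.
    Simplification: a subnet with no explicit association uses the VPC's main
    route table, which a real check would have to look up separately."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None


def default_route_target(route_table):
    """Target id of the 0.0.0.0/0 route (igw-..., nat-..., ...), or None."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # describe_route_tables names the key after the target type.
            for key in ("NatGatewayId", "GatewayId", "TransitGatewayId",
                        "NetworkInterfaceId", "VpcPeeringConnectionId"):
                if key in route:
                    return route[key]
    return None


def has_ec2_interface_endpoint(vpc_id, endpoints, region):
    """True if the VPC has an EC2 interface endpoint with private DNS, so the
    SDK's default ec2.<region>.amazonaws.com name resolves inside the VPC."""
    service = f"com.amazonaws.{region}.ec2"
    return any(ep["VpcId"] == vpc_id and ep["ServiceName"] == service
               and ep["VpcEndpointType"] == "Interface" and ep.get("PrivateDnsEnabled")
               for ep in endpoints)


def lambda_egress_status(subnet_id, route_tables, endpoints, region):
    """One of 'endpoint', 'nat', 'igw-only', 'none', 'other', 'unknown'."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return "unknown"        # main-table case, see route_table_for_subnet
    if has_ec2_interface_endpoint(rt["VpcId"], endpoints, region):
        return "endpoint"       # private path, no default route needed
    target = default_route_target(rt)
    if target is None:
        return "none"
    if target.startswith("nat-"):
        return "nat"            # SNAT through the NAT gateway: works
    if target.startswith("igw-"):
        return "igw-only"       # the question's setup: no public IP, so no egress
    return "other"              # TGW, NAT instance, peering: verify by hand


def report(subnet_ids, route_tables, endpoints, region):
    """Status per subnet, e.g. for every subnet in the function's VPC config."""
    return {s: lambda_egress_status(s, route_tables, endpoints, region)
            for s in subnet_ids}


if __name__ == "__main__":
    subnets = ["subnet-public-example", "subnet-private-example", "subnet-isolated-example"]
    for subnet, status in report(subnets, ROUTE_TABLES, VPC_ENDPOINTS, "eu-west-1").items():
        print(f"{subnet}: {status}")
```

Against a real account the two lists would come from `describe_route_tables` and `describe_vpc_endpoints` for the subnets in the function's VPC configuration. Two points worth keeping in mind when reading the result: `describe_instances` is a call to the regional EC2 API and returns instances from every VPC in the region, so it needs egress or an endpoint rather than peering into the other VPCs; and for that one call the role needs only `ec2:DescribeInstances`, not the `ec2:*` granted in the posted policy.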
So you want to access resources of one VPC from another, correct?
– AlexK
Nov 12 at 11:40
@TenorFlyy exactly
– Souad
Nov 12 at 13:08
This isn't as straightforward as it may sound, though. The two easier solutions are to either use VPC Peering or AWS Direct Connect as listed here aws.amazon.com/answers/networking/…, but I strongly recommend you take VPC Peering as a partially meshed network.
– AlexK
Nov 12 at 13:13
I have 4 VPCs and I want to get information about all instances in all VPCs, so do I need to establish VPC peering with all of these VPCs? This sounds like a real anti-pattern to do only for a lambda function.
– Souad
Nov 12 at 13:39
Well, you can either expose your information via API GW or any other tools needed for the job, or use the same VPC (this is a real anti-pattern here). But either way, it will require some work.
– AlexK
Nov 12 at 13:41
edited Nov 12 at 11:31
asked Nov 12 at 9:38
Souad