AWS Lambda can't access VPC resources
I have a lambda function that sends the following request to get the IDs of all instances inside the region:
import os
import boto3

ec2_client = boto3.client('ec2', os.environ['region'])
response = ec2_client.describe_instances(Filters=[{'Name': 'instance-state-name', 'Values': ['pending', 'running', 'shutting-down', 'stopping', 'stopped']}])
The lambda also sends a GET request to a REST API installed inside a VPC; this API is not open to the internet:
import requests

resp = requests.get(os.environ['apidsi'] + '/persons/emails')
I put my Lambda function inside a VPC so that I can query the API, but when I do that, the lambda times out and it does not access the EC2 instances inside other VPCs. The IAM role has all the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:*",
        "ec2:*",
        "s3:*",
        "autoscaling:*",
        "cloudwatch:*",
        "dynamodb:*"
      ],
      "Resource": "*"
    }
  ]
}
The security group is OK too, I guess. So, to sum up:
- When I put the lambda function inside a VPC: I can access the REST API but not the VPC resources; the lambda times out.
- When I don't put the lambda function inside a VPC: the function gets all information about the VPC resources but can't access the REST API; it also times out.
How can I solve this problem?
For information: I assigned a public subnet to my Lambda function. This public subnet has an Internet Gateway attached, and it is in the same VPC as the instance hosting the REST API.
python-3.x amazon-web-services aws-lambda vpc
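The symptom in the question is a bare Lambda timeout, which does not say which of the two network paths is broken: the call to the public EC2 API or the call to the private REST API. The following is an added example, not the asker's code, that restructures the same two calls so each one fails fast with its own error (an explicit `requests` timeout, and per-call error capture) and pages through `describe_instances` instead of reading only the first page. The function names (`run`, `list_instance_ids`, `fetch_emails`, `probe_tcp`), the `FakeEc2` / `fake_http_get_*` stand-ins, and the sample instance IDs, addresses and e-mail values are constructed for this example; the environment variable names `region` and `apidsi` are the ones from the question.

```python
"""Added example: the question's two calls, made to fail fast and report separately.
Names and sample data here are constructed for illustration, not taken from the question."""
import os
import socket

# Same state filter as the question's describe_instances call.
INSTANCE_STATES = ["pending", "running", "shutting-down", "stopping", "stopped"]


def list_instance_ids(ec2):
    """Instance IDs in the client's region across all result pages (the API paginates)."""
    ids = []
    paginator = ec2.get_paginator("describe_instances")
    pages = paginator.paginate(
        Filters=[{"Name": "instance-state-name", "Values": INSTANCE_STATES}]
    )
    for page in pages:
        for reservation in page.get("Reservations", []):
            ids.extend(i["InstanceId"] for i in reservation.get("Instances", []))
    return ids


def probe_tcp(host, port, timeout=2.0):
    """Reachability check from inside the function: True if host:port accepts a TCP
    connection within `timeout`. A False here from inside the VPC points at routing,
    security groups or NACLs rather than at IAM, which never causes a connect timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_emails(http_get, url, timeout=(3.0, 10.0)):
    """GET with explicit (connect, read) timeouts. requests has no default timeout, so
    without this the call blocks until the Lambda itself is killed."""
    resp = http_get(url, timeout=timeout)
    resp.raise_for_status()
    return resp.json()


def run(ec2, http_get, api_url):
    """Run both calls independently and keep a per-path error instead of one opaque timeout."""
    result = {"instance_ids": [], "emails": [], "errors": {}}
    try:
        result["instance_ids"] = list_instance_ids(ec2)
    except Exception as exc:  # e.g. botocore EndpointConnectionError when the EC2 endpoint is unroutable
        result["errors"]["ec2"] = f"{type(exc).__name__}: {exc}"
    try:
        result["emails"] = fetch_emails(http_get, api_url)
    except Exception as exc:  # e.g. requests ConnectTimeout when the private API is unroutable
        result["errors"]["api"] = f"{type(exc).__name__}: {exc}"
    return result


def lambda_handler(event, context):
    """Real wiring; imports live here so the logic above stays importable without AWS."""
    import boto3
    import requests
    ec2 = boto3.client("ec2", region_name=os.environ["region"])
    return run(ec2, requests.get, os.environ["apidsi"] + "/persons/emails")


# --- constructed stand-ins so the logic can be exercised offline ---------------------
class _FakePaginator:
    def __init__(self, pages):
        self._pages = pages

    def paginate(self, **kwargs):
        return iter(self._pages)


class FakeEc2:
    """Returns two constructed result pages, so pagination is actually exercised."""
    def get_paginator(self, name):
        if name != "describe_instances":
            raise ValueError(name)
        return _FakePaginator([
            {"Reservations": [{"Instances": [{"InstanceId": "i-0aaa"}, {"InstanceId": "i-0bbb"}]}]},
            {"Reservations": [{"Instances": [{"InstanceId": "i-0ccc"}]}]},
        ])


class _FakeResponse:
    def __init__(self, payload):
        self._payload = payload

    def raise_for_status(self):
        pass

    def json(self):
        return self._payload


def fake_http_get_ok(url, timeout=None):
    return _FakeResponse(["a@example.com", "b@example.com"])  # constructed sample payload


def fake_http_get_timeout(url, timeout=None):
    raise TimeoutError(f"connect to {url} exceeded {timeout}")  # mimics a connect timeout


def demo(api_reachable=True):
    """Constructed private address; flip api_reachable to see the per-path error reporting."""
    getter = fake_http_get_ok if api_reachable else fake_http_get_timeout
    return run(FakeEc2(), getter, "http://10.0.1.10/persons/emails")


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

Reading `errors` tells you which path to fix. From inside a VPC, a Lambda's network interface has only a private address and cannot use the subnet's internet gateway directly, so the public EC2 API endpoint is unreachable unless the subnet routes through a NAT gateway or the VPC has an interface endpoint for EC2; that matches the "in VPC, EC2 times out" case. On the IAM side, the listing above only needs `ec2:DescribeInstances` plus the log permissions, so `ec2:*`, `s3:*` and the other wildcards on `"Resource": "*"` can be trimmed without affecting this function.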
So you want to access resources of one VPC from another, correct?
– AlexK, Nov 12 '18 at 11:40
@TenorFlyy exactly
– Souad, Nov 12 '18 at 13:08
This isn't as straightforward as it may sound though. The two easier solutions are to either use VPC Peering or AWS Direct Connect as listed here aws.amazon.com/answers/networking/… , but I strongly recommend you take the VPC Peering as a partially meshed network.
– AlexK, Nov 12 '18 at 13:13
I have 4 VPCs and I want to get information about all instances in all VPCs, so do I need to establish VPC peering with all of these VPCs? This sounds like a real anti-pattern to do only for a lambda function.
– Souad, Nov 12 '18 at 13:39
Well, you can either expose your information via API GW or any other tools needed for the job, or use the same VPC (this is a real anti-pattern here). But either way, it will require some work.
– AlexK, Nov 12 '18 at 13:41
asked Nov 12 '18 at 9:38 by Souad, edited Nov 12 '18 at 11:31 by Souad