Lambda function in a VPC cannot access the Internet
Problem description:
My Lambda function can access other resources in the VPC, but as soon as it tries to make a request to the Internet, it times out. I have the following:
- two private subnets
- a route table with a 0.0.0.0/0 route to the Internet Gateway
- a couple of ACL rules and a Lambda security group
Any help would be appreciated. Here is my CF template:
AWSTemplateFormatVersion: 2010-09-09
Description: VPC Stack
Resources:
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  Subnet1:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.3.0/24
      AvailabilityZone: 'us-east-1b'
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  Subnet2:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.4.0/24
      AvailabilityZone: 'us-east-1e'
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  AttachGateway:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  Route:
    Type: 'AWS::EC2::Route'
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  SubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref Subnet1
      RouteTableId: !Ref RouteTable
  SubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref Subnet2
      RouteTableId: !Ref RouteTable
  NetworkAcl:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'
  InboundHTTPNetworkAclEntry:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAcl
      RuleNumber: '100'
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: '80'
        To: '80'
  InboundSSHNetworkAclEntry:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAcl
      RuleNumber: '101'
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: '22'
        To: '22'
  InboundResponsePortsNetworkAclEntry:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAcl
      RuleNumber: '102'
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: '1024'
        To: '65535'
  OutBoundNetworkAclEntry:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAcl
      RuleNumber: '103'
      Protocol: '6'
      RuleAction: allow
      Egress: 'true'
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: '0'
        To: '65535'
  SubnetNetworkAclAssociation1:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref Subnet1
      NetworkAclId: !Ref NetworkAcl
  SubnetNetworkAclAssociation2:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref Subnet2
      NetworkAclId: !Ref NetworkAcl
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to Lambda functions
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref VPC
    Export:
      Name: !Sub "Portal-VpcId"
  Subnet1:
    Description: Subnet ID 1
    Value: !Ref Subnet1
    Export:
      Name: !Sub "Portal-SubnetID1"
  Subnet2:
    Description: Subnet ID 2
    Value: !Ref Subnet2
    Export:
      Name: !Sub "Portal-SubnetID2"
  LambdaSecurityGroup:
    Description: Access to Lambda functions
    Value: !Ref LambdaSecurityGroup
    Export:
      Name: !Sub "LambdaSecurityGroup"
Answer
When a Lambda function runs inside a VPC, it only receives a private IP address. It does not receive a public IP address.
For any AWS resource to reach the public Internet through an Internet Gateway, it must:
- have a public IP address, and
- be in a public subnet (that is, a subnet with a direct route to the Internet Gateway)
Since your Lambda function does not have a public IP address, it cannot access the Internet even though it is in a public subnet.
To fix this, you must run the Lambda function in a private subnet. That is a subnet that:
- has no direct route to the Internet Gateway, and
- routes out through a NAT Instance or NAT Gateway
Answer
You need to route through a NAT instance if you want Lambda to communicate with the Internet.
Add two more subnets and a NAT Gateway to your existing VPC. Then, in the route table for the new subnets, route Internet traffic through the NAT.
+1
@DominickPiganell - to clarify why *Chris* said you also need two more subnets: when a subnet routes to the Internet Gateway, it is a _public_ subnet. A private subnet does not route through the IGW, but may route through a NAT Gateway (which is different from a NAT Instance). – kdgregory
See https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/ – jarmod
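As an added example (not the asker's template and not code from either answerer), the following CloudFormation resources implement what Chris's answer and kdgregory's comment describe: a NAT Gateway placed in the existing public subnet Subnet1, two new private subnets, and a private route table whose 0.0.0.0/0 route points at the NAT Gateway instead of the Internet Gateway. The resource names, the CIDR blocks 10.0.5.0/24 and 10.0.6.0/24, and the export names are assumptions chosen not to collide with the template above; the VPC, Subnet1 and AttachGateway references are the ones already in the question's stack. The security group is outbound-only (HTTPS), because a VPC-attached Lambda function only initiates connections and security groups are stateful, so the question's allow-all ingress rule is not needed for the function to work.

```yaml
# Added example: merge these keys into the existing "Resources:" and "Outputs:" sections.
# Assumes VPC, Subnet1 (public, routed to the IGW) and AttachGateway from the stack above.
Resources:
  NatEip:
    Type: 'AWS::EC2::EIP'
    DependsOn: AttachGateway            # an EIP in a VPC needs the IGW attached first
    Properties:
      Domain: vpc

  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref Subnet1            # the NAT itself must live in a public subnet
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'

  PrivateSubnet1:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.5.0/24            # assumed; free range inside 10.0.0.0/16
      AvailabilityZone: 'us-east-1b'
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'

  PrivateSubnet2:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.6.0/24            # assumed; free range inside 10.0.0.0/16
      AvailabilityZone: 'us-east-1e'
      Tags:
        - Key: Application
          Value: !Ref 'AWS::StackId'

  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC

  PrivateDefaultRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway     # NAT, not GatewayId: this is what makes the subnet private

  PrivateSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet1
      RouteTableId: !Ref PrivateRouteTable

  PrivateSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable

  LambdaEgressSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Outbound-only access for Lambda functions
      SecurityGroupEgress:              # no SecurityGroupIngress: the function never accepts connections
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

Outputs:
  PrivateSubnet1:
    Description: Private subnet ID 1 (attach Lambda functions here)
    Value: !Ref PrivateSubnet1
    Export:
      Name: !Sub "Portal-PrivateSubnetID1"
  PrivateSubnet2:
    Description: Private subnet ID 2 (attach Lambda functions here)
    Value: !Ref PrivateSubnet2
    Export:
      Name: !Sub "Portal-PrivateSubnetID2"
  LambdaEgressSecurityGroup:
    Description: Outbound-only security group for Lambda functions
    Value: !Ref LambdaEgressSecurityGroup
    Export:
      Name: !Sub "LambdaEgressSecurityGroup"
```

The Lambda function's VpcConfig then lists PrivateSubnet1 and PrivateSubnet2 (imported from the new exports) together with LambdaEgressSecurityGroup, instead of Subnet1 and Subnet2. Two things worth checking after deploying: the new subnets are not associated with the custom NetworkAcl above and therefore fall under the VPC's default network ACL, which allows all traffic; if you do associate them with the custom ACL, the inbound 1024-65535 rule is what lets NAT return traffic back in. Also, the route table attached to the private subnets must be the one with the NatGatewayId route; a subnet associated with RouteTable (the IGW route) is still public, and the function in it still times out, exactly as the first answer explains.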