
我的问题是:我在具有IGW的VPC内运行的Lambda函数无法访问Internet上的任何内容。换句话说,VPC中的AWS Lambda无法通过NAT访问Internet。

我试图做的是创建一个VPC,其中包含:

  • 互联网网关;
  • 2个私有子网(PrivateA和PrivateB),分别位于可用区域A和B;
  • NAT网关位于PublicA子网中;
  • 1个公有子网(PublicA),位于可用区域A;
  • PrivateA和PrivateB共用一个路由表,其中0.0.0.0/0路由到NAT网关。
  • PublicA有一个路由表,将0.0.0.0/0路由到Internet网关。
  • 私有子网以及公有子网具有允许所有入站和出站流量的访问控制列表。

那部分可以正常工作。

接下来,我想在VPC中创建一个Lambda函数。我把它放入PrivateA和PrivateB,并为它分配一个允许所有出站和入站流量的安全组。

下面是一个可以重现该问题的独立示例(完整模板)。我已经阅读了互联网上能找到的所有文档和文章,所以如果有人能为我指明正确的方向,我将非常感激。

{ 
    "AWSTemplateFormatVersion": "2010-09-09", 
    "Resources": { 

    "Vpc": { 
     "Type": "AWS::EC2::VPC", 
     "Properties": { 
     "CidrBlock": "10.0.0.0/16", 
     "EnableDnsSupport": true, 
     "EnableDnsHostnames": true, 
     "InstanceTenancy": "default" 
     } 
    }, 

    "InternetGateway": { 
     "Type": "AWS::EC2::InternetGateway" 
    }, 

    "VpcGatewayAttachment": { 
     "Type": "AWS::EC2::VPCGatewayAttachment", 
     "Properties": { 
     "VpcId": { "Ref": "Vpc" }, 
     "InternetGatewayId": { "Ref": "InternetGateway" } 
     } 
    }, 

    "ElasticIP":{ 
     "Type": "AWS::EC2::EIP", 
     "Properties": { 
     "Domain": "vpc" 
     } 
    }, 

    "NatGateway": { 
     "Type": "AWS::EC2::NatGateway", 
     "DependsOn": [ "VpcGatewayAttachment" ], 
     "Properties": { 
     "AllocationId": { "Fn::GetAtt": [ "ElasticIP", "AllocationId" ] }, 
     "SubnetId": { "Ref": "SubnetAPublic" } 
     } 
    }, 

    "SubnetAPublic": { 
     "Type": "AWS::EC2::Subnet", 
     "Properties": { 
     "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] }, 
     "CidrBlock": "10.0.0.0/19", 
     "MapPublicIpOnLaunch": true, 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "SubnetAPrivate": { 
     "Type": "AWS::EC2::Subnet", 
     "Properties": { 
     "AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] }, 
     "CidrBlock": "10.0.64.0/19", 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "SubnetBPrivate": { 
     "Type": "AWS::EC2::Subnet", 
     "Properties": { 
     "AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ] }, 
     "CidrBlock": "10.0.96.0/19", 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "RouteTablePublic": { 
     "Type": "AWS::EC2::RouteTable", 
     "Properties": { 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "RouteTablePrivate": { 
     "Type": "AWS::EC2::RouteTable", 
     "Properties": { 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "RouteTableAssociationAPublic": { 
     "Type": "AWS::EC2::SubnetRouteTableAssociation", 
     "Properties": { 
     "SubnetId": { "Ref": "SubnetAPublic" }, 
     "RouteTableId": { "Ref": "RouteTablePublic" } 
     } 
    }, 

    "RouteTableAssociationAPrivate": { 
     "Type": "AWS::EC2::SubnetRouteTableAssociation", 
     "Properties": { 
     "SubnetId": { "Ref": "SubnetAPrivate" }, 
     "RouteTableId": { "Ref": "RouteTablePrivate" } 
     } 
    }, 

    "RouteTableAssociationBPrivate": { 
     "Type": "AWS::EC2::SubnetRouteTableAssociation", 
     "Properties": { 
     "SubnetId": { "Ref": "SubnetBPrivate" }, 
     "RouteTableId": { "Ref": "RouteTablePrivate" } 
     } 
    }, 

    "RouteTablePrivateInternetRoute": { 
     "Type": "AWS::EC2::Route", 
     "DependsOn": [ "VpcGatewayAttachment" ], 
     "Properties": { 
     "RouteTableId": { "Ref": "RouteTablePrivate" }, 
     "DestinationCidrBlock": "0.0.0.0/0", 
     "NatGatewayId": { "Ref": "NatGateway" } 
     } 
    }, 

    "RouteTablePublicInternetRoute": { 
     "Type": "AWS::EC2::Route", 
     "DependsOn": [ "VpcGatewayAttachment" ], 
     "Properties": { 
     "RouteTableId": { "Ref": "RouteTablePublic" }, 
     "DestinationCidrBlock": "0.0.0.0/0", 
     "GatewayId": { "Ref": "InternetGateway" } 
     } 
    }, 

    "NetworkAclPublic": { 
     "Type": "AWS::EC2::NetworkAcl", 
     "Properties": { 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "NetworkAclPrivate": { 
     "Type": "AWS::EC2::NetworkAcl", 
     "Properties": { 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "SubnetNetworkAclAssociationAPublic": { 
     "Type": "AWS::EC2::SubnetNetworkAclAssociation", 
     "Properties":{ 
     "SubnetId": { "Ref": "SubnetAPublic" }, 
     "NetworkAclId": { "Ref": "NetworkAclPublic" } 
     } 
    }, 

    "SubnetNetworkAclAssociationAPrivate": { 
     "Type": "AWS::EC2::SubnetNetworkAclAssociation", 
     "Properties":{ 
     "SubnetId": { "Ref": "SubnetAPrivate" }, 
     "NetworkAclId": { "Ref": "NetworkAclPrivate" } 
     } 
    }, 

    "SubnetNetworkAclAssociationBPrivate": { 
     "Type": "AWS::EC2::SubnetNetworkAclAssociation", 
     "Properties": { 
     "SubnetId": { "Ref": "SubnetBPrivate" }, 
     "NetworkAclId": { "Ref": "NetworkAclPrivate" } 
     } 
    }, 

    "NetworkAclEntryInPublicAllowAll": { 
     "Type": "AWS::EC2::NetworkAclEntry", 
     "Properties": { 
     "NetworkAclId": { "Ref": "NetworkAclPublic" }, 
     "RuleNumber": 99, 
     "Protocol": -1, 
     "RuleAction": "allow", 
     "Egress": false, 
     "CidrBlock": "0.0.0.0/0" 
     } 
    }, 

    "NetworkAclEntryOutPublicAllowAll": { 
     "Type": "AWS::EC2::NetworkAclEntry", 
     "Properties": { 
     "NetworkAclId": { "Ref": "NetworkAclPublic" }, 
     "RuleNumber": 99, 
     "Protocol": -1, 
     "RuleAction": "allow", 
     "Egress": true, 
     "CidrBlock": "0.0.0.0/0" 
     } 
    }, 

    "NetworkAclEntryInPrivateAllowVpc": { 
     "Type": "AWS::EC2::NetworkAclEntry", 
     "Properties": { 
     "NetworkAclId": { "Ref": "NetworkAclPrivate" }, 
     "RuleNumber": 99, 
     "Protocol": -1, 
     "RuleAction": "allow", 
     "Egress": false, 
     "CidrBlock": "0.0.0.0/16" 
     } 
    }, 

    "NetworkAclEntryOutPrivateAllowVpc": { 
     "Type": "AWS::EC2::NetworkAclEntry", 
     "Properties": { 
     "NetworkAclId": { "Ref": "NetworkAclPrivate" }, 
     "RuleNumber": 99, 
     "Protocol": -1, 
     "RuleAction": "allow", 
     "Egress": true, 
     "CidrBlock": "0.0.0.0/0" 
     } 
    }, 

    "LambdasSecurityGroup": { 
     "Type": "AWS::EC2::SecurityGroup", 
     "Properties": { 
     "GroupDescription": "Lambdas security group", 
     "SecurityGroupEgress": [ 
      { "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" } 
     ], 
     "SecurityGroupIngress": [ 
      { "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" } 
     ], 
     "VpcId": { "Ref": "Vpc" } 
     } 
    }, 

    "LambdaFunctionExecutionRole": { 
     "Type": "AWS::IAM::Role", 
     "Properties": { 
     "AssumeRolePolicyDocument": { 
      "Version": "2012-10-17", 
      "Statement": [ 
      { 
       "Effect": "Allow", 
       "Principal": { "Service": "lambda.amazonaws.com" }, 
       "Action": "sts:AssumeRole" 
      } 
      ] 
     }, 
     "ManagedPolicyArns": [ 
      "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", 
      "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" 
     ] 
     } 
    }, 

    "LambdaFunction": { 
     "Type": "AWS::Lambda::Function", 
     "Properties": { 
     "Handler": "index.lambda_handler", 
     "Runtime": "python2.7", 
     "Role": { 
      "Fn::GetAtt": ["LambdaFunctionExecutionRole", "Arn"] 
     }, 
     "Code": { 
      "ZipFile": { 
      "Fn::Join": ["\n", [ 
       "import urllib2", 
       "def lambda_handler(event, context):", 
       "\tresponse = urllib2.urlopen('http://python.org/')", 
       "\treturn response.read()" 
      ]] 
      } 
     }, 
     "VpcConfig": { 
      "SecurityGroupIds": [ 
      { "Fn::GetAtt": [ "LambdasSecurityGroup", "GroupId"] } 
      ], 
      "SubnetIds": [ 
      { "Ref": "SubnetAPrivate" }, 
      { "Ref": "SubnetBPrivate" } 
      ] 
     } 
     } 
    } 
    } 
} 

您是否测试过私有子网中的EC2实例是否可以访问Internet? –

回答


连接失败的原因在于“NetworkAclEntryInPrivateAllowVpc”和“NetworkAclEntryOutPrivateAllowVpc”中的ACL配置。

如果将入站规则的CIDR块从“0.0.0.0/16”改为“0.0.0.0/0”,Lambda就可以访问Internet了。

我对NAT不太了解,但似乎经NAT返回的流量被该ACL规则阻止了:网络ACL是无状态的,来自Internet主机的响应必须由入站规则显式放行,而“0.0.0.0/16”并不覆盖这些源地址。


哈哈,我一整天都在和它较劲,结果忽略了错字这样的简单问题。应该是'/0'。这解决了问题,谢谢。我会在真正的堆栈上试一下。 – ILya