2017-11-17 200 views
0

Lambda function in VPC cannot access the Internet

My Lambda function can access other resources in the VPC, but as soon as it tries to make a request to the Internet, it times out. I have the following:

  • Two private subnets
  • A route table with a 0.0.0.0/0 route to the Internet Gateway.
  • A couple of ACL rules and a Lambda security group

Any help would be appreciated. Here is my CF template:

    AWSTemplateFormatVersion: 2010-09-09
    Description: VPC Stack
    Resources:
      VPC:
        Type: 'AWS::EC2::VPC'
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsHostnames: true
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      Subnet1:
        Type: 'AWS::EC2::Subnet'
        Properties:
          VpcId: !Ref VPC
          CidrBlock: 10.0.3.0/24
          AvailabilityZone: 'us-east-1b'
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      Subnet2:
        Type: 'AWS::EC2::Subnet'
        Properties:
          VpcId: !Ref VPC
          CidrBlock: 10.0.4.0/24
          AvailabilityZone: 'us-east-1e'
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      InternetGateway:
        Type: 'AWS::EC2::InternetGateway'
        Properties:
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      AttachGateway:
        Type: 'AWS::EC2::VPCGatewayAttachment'
        Properties:
          VpcId: !Ref VPC
          InternetGatewayId: !Ref InternetGateway
      RouteTable:
        Type: 'AWS::EC2::RouteTable'
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      # Default route straight to the Internet Gateway: every subnet
      # associated with this table (Subnet1, Subnet2) is a public subnet
      Route:
        Type: 'AWS::EC2::Route'
        DependsOn: AttachGateway
        Properties:
          RouteTableId: !Ref RouteTable
          DestinationCidrBlock: 0.0.0.0/0
          GatewayId: !Ref InternetGateway
      SubnetRouteTableAssociation1:
        Type: 'AWS::EC2::SubnetRouteTableAssociation'
        Properties:
          SubnetId: !Ref Subnet1
          RouteTableId: !Ref RouteTable
      SubnetRouteTableAssociation2:
        Type: 'AWS::EC2::SubnetRouteTableAssociation'
        Properties:
          SubnetId: !Ref Subnet2
          RouteTableId: !Ref RouteTable
      NetworkAcl:
        Type: 'AWS::EC2::NetworkAcl'
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      InboundHTTPNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '100'
          Protocol: '6'
          RuleAction: allow
          Egress: 'false'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '80'
            To: '80'
      # Inbound ephemeral ports so TCP replies to outbound connections get back in
      InboundResponsePortsNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '102'
          Protocol: '6'
          RuleAction: allow
          Egress: 'false'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '1024'
            To: '65535'
      OutBoundNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '103'
          Protocol: '6'
          RuleAction: allow
          Egress: 'true'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '0'
            To: '65535'
      SubnetNetworkAclAssociation1:
        Type: 'AWS::EC2::SubnetNetworkAclAssociation'
        Properties:
          SubnetId: !Ref Subnet1
          NetworkAclId: !Ref NetworkAcl
      SubnetNetworkAclAssociation2:
        Type: 'AWS::EC2::SubnetNetworkAclAssociation'
        Properties:
          SubnetId: !Ref Subnet2
          NetworkAclId: !Ref NetworkAcl
      LambdaSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          VpcId: !Ref VPC
          GroupDescription: Access to Lambda functions
          SecurityGroupIngress:
            - CidrIp: 0.0.0.0/0
              IpProtocol: -1
          SecurityGroupEgress:
            - CidrIp: 0.0.0.0/0
              IpProtocol: -1
    Outputs:
      VpcId:
        Description: VPC ID
        Value: !Ref VPC
        Export:
          Name: !Sub "Portal-VpcId"
      Subnet1:
        Description: Subnet ID 1
        Value: !Ref Subnet1
        Export:
          Name: !Sub "Portal-SubnetID1"
      Subnet2:
        Description: Subnet ID 2
        Value: !Ref Subnet2
        Export:
          Name: !Sub "Portal-SubnetID2"
      LambdaSecurityGroup:
        Description: Access to Lambda functions
        Value: !Ref LambdaSecurityGroup
        Export:
          Name: !Sub "LambdaSecurityGroup"

CF template 2:

    AWSTemplateFormatVersion: 2010-09-09
    Description: VPC Stack
    Resources:
      VPC:
        Type: 'AWS::EC2::VPC'
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsHostnames: true
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      Subnet1:
        Type: 'AWS::EC2::Subnet'
        Properties:
          VpcId: !Ref VPC
          CidrBlock: 10.0.3.0/24
          AvailabilityZone: 'us-east-1b'
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      Subnet2:
        Type: 'AWS::EC2::Subnet'
        Properties:
          VpcId: !Ref VPC
          CidrBlock: 10.0.4.0/24
          AvailabilityZone: 'us-east-1e'
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      InternetGateway:
        Type: 'AWS::EC2::InternetGateway'
        Properties:
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      AttachGateway:
        Type: 'AWS::EC2::VPCGatewayAttachment'
        Properties:
          VpcId: !Ref VPC
          InternetGatewayId: !Ref InternetGateway
      RouteTable:
        Type: 'AWS::EC2::RouteTable'
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      Route:
        Type: 'AWS::EC2::Route'
        DependsOn: AttachGateway
        Properties:
          RouteTableId: !Ref RouteTable
          DestinationCidrBlock: 0.0.0.0/0
          GatewayId: !Ref InternetGateway
      SubnetRouteTableAssociation1:
        Type: 'AWS::EC2::SubnetRouteTableAssociation'
        Properties:
          SubnetId: !Ref Subnet1
          RouteTableId: !Ref RouteTable
      SubnetRouteTableAssociation2:
        Type: 'AWS::EC2::SubnetRouteTableAssociation'
        Properties:
          SubnetId: !Ref Subnet2
          RouteTableId: !Ref RouteTable
      NetworkAcl:
        Type: 'AWS::EC2::NetworkAcl'
        Properties:
          VpcId: !Ref VPC
          Tags:
            - Key: Application
              Value: !Ref 'AWS::StackId'
      InboundHTTPNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '100'
          Protocol: '6'
          RuleAction: allow
          Egress: 'false'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '80'
            To: '80'
      InboundSSHNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '101'
          Protocol: '6'
          RuleAction: allow
          Egress: 'false'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '22'
            To: '22'
      InboundResponsePortsNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '102'
          Protocol: '6'
          RuleAction: allow
          Egress: 'false'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '1024'
            To: '65535'
      OutBoundNetworkAclEntry:
        Type: 'AWS::EC2::NetworkAclEntry'
        Properties:
          NetworkAclId: !Ref NetworkAcl
          RuleNumber: '103'
          Protocol: '6'
          RuleAction: allow
          Egress: 'true'
          CidrBlock: 0.0.0.0/0
          PortRange:
            From: '0'
            To: '65535'
      SubnetNetworkAclAssociation1:
        Type: 'AWS::EC2::SubnetNetworkAclAssociation'
        Properties:
          SubnetId: !Ref Subnet1
          NetworkAclId: !Ref NetworkAcl
      SubnetNetworkAclAssociation2:
        Type: 'AWS::EC2::SubnetNetworkAclAssociation'
        Properties:
          SubnetId: !Ref Subnet2
          NetworkAclId: !Ref NetworkAcl
      LambdaSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          VpcId: !Ref VPC
          GroupDescription: Access to Lambda functions
          SecurityGroupIngress:
            - CidrIp: 0.0.0.0/0
              IpProtocol: -1
          SecurityGroupEgress:
            - CidrIp: 0.0.0.0/0
              IpProtocol: -1
    Outputs:
      VpcId:
        Description: VPC ID
        Value: !Ref VPC
        Export:
          Name: !Sub "Portal-VpcId"
      Subnet1:
        Description: Subnet ID 1
        Value: !Ref Subnet1
        Export:
          Name: !Sub "Portal-SubnetID1"
      Subnet2:
        Description: Subnet ID 2
        Value: !Ref Subnet2
        Export:
          Name: !Sub "Portal-SubnetID2"
      LambdaSecurityGroup:
        Description: Access to Lambda functions
        Value: !Ref LambdaSecurityGroup
        Export:
          Name: !Sub "LambdaSecurityGroup"
+1

See https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/, which covers all outbound connections. – jarmod

Answers

2

When a Lambda function executes inside a VPC, it only receives a private IP address. It does not receive a public IP address.

For any AWS server to access the public Internet through an Internet Gateway, it must:

  1. have a public IP address, and
  2. be in a public subnet (that is, a subnet that routes directly to the Internet Gateway)

Since your Lambda function does not have that public IP address, it cannot access the Internet, even though it is in a public subnet.

To fix this, you must execute the Lambda function in a private subnet. That is a subnet that:

  1. has no direct route to the Internet Gateway, and
  2. routes via a NAT Instance or NAT Gateway
2

You need a route via a NAT instance if you want Lambda to communicate with the Internet.

Add two subnets and a NAT Gateway to your existing VPC subnets. Then set up a route table in the new subnets that routes to the Internet through the NAT.
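As an added example (not the asker's template and not either answerer's code), this Resources fragment applies what both answers describe to the question's stack: one public subnet holding a NAT Gateway, and a private route table whose default route goes to that gateway rather than the Internet Gateway, with Subnet1 and Subnet2 (the Lambda's subnets) re-associated to it. PublicSubnet, PublicSubnetRouteTableAssociation, NatEip, NatGateway, PrivateRouteTable and PrivateRoute are assumed logical names, as are the 10.0.1.0/24 CIDR and the us-east-1b zone; VPC, InternetGateway, AttachGateway, RouteTable, Subnet1 and Subnet2 are the logical IDs from the question's template.

```yaml
  # --- added resources (assumed logical names) ---
  # One public subnet to host the NAT Gateway; CIDR and AZ are assumed.
  PublicSubnet:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: 'us-east-1b'
      MapPublicIpOnLaunch: true
  # The public subnet keeps the question's RouteTable (0.0.0.0/0 -> InternetGateway).
  PublicSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref RouteTable
  NatEip:
    Type: 'AWS::EC2::EIP'
    DependsOn: AttachGateway
    Properties:
      Domain: vpc
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnet
  # Private route table: the default route leaves through the NAT Gateway, never the IGW.
  PrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref VPC
  PrivateRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  # --- changed resources: same logical IDs as in the question, now private ---
  # Subnet1 and Subnet2 (where the Lambda runs) lose the IGW default route.
  SubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref Subnet1
      RouteTableId: !Ref PrivateRouteTable
  SubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref Subnet2
      RouteTableId: !Ref PrivateRouteTable
```

With this layout the Lambda keeps only its private IP and reaches the Internet solely through the NAT Gateway's Elastic IP, which also gives one fixed source address to allow-list and monitor; the question's NACL already permits outbound TCP and the inbound ephemeral-port return traffic.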

+1

@DominickPiganell - to clarify why *Chris* said you also need two subnets: when a subnet routes to the Internet Gateway, it is a _public_ subnet. A private subnet does not route through the IGW, but may route through a NAT Gateway (which is different from a NAT Instance). – kdgregory