There are two applications. One application is developed through AWS Lambda (present in Account A) and other application is deployed in ECS Fargate (present in Account B) in AWS.
The first application (AWS Lambda) is consuming an API (from the second application ECS Fargate). I need to allow the AWS Lambda function to access the ECS application (which is behind Application Load balancer) through the inbound rule in the security group.
Problem is AWS Lambda is not attached to any VPC and both applications are running in separate AWS accounts. How to solve this problem?
Note: It is an internal application not internet facing.
Note : Its internal application not internet facing.
If your ECS application's load balancer scheme is set to internal instead of public, then an AWS Lambda function that is not assigned to a VPC would never be able to access it. You are asking about security group rules, but there is no security group rule that will give something on the Internet access to a resource that is not exposed to the Internet.
Your only option to make this work is to move the Lambda function into a VPC, and establish VPC peering between the two VPCs.
Related
I am trying to trigger code pipeline from lambda using below link got the lambda python code as well.
https://aws.amazon.com/blogs/devops/adding-custom-logic-to-aws-codepipeline-with-aws-lambda-and-amazon-cloudwatch-events/
But somehow while running i am getting exception as
Connect timeout on endpoint URL "https://codepipeline.ap-southeast-2.amazonaws.com/"
I have opened all traffic using security group attached to lambda.
Please suggest what else to check here.
Thanks
Sharad
You are running your Lambda function in a VPC (as evidenced by the fact that you said it has a security group attached). A Lambda function in a VPC cannot access anything outside the VPC without a route to a NAT Gateway. A Lambda function in a VPC never gets a public IP assigned to it, so it can never use a VPC Internet Gateway directly. Thus to access anything outside your VPC, such as the AWS API to trigger a CodePipeline run, the Lambda function needs to be deployed only in subnets of your VPC that have a route to a NAT Gateway.
The alternative would be to add a VPC Endpoint for the specific AWS Service you want to access.
When I'm moving my AWS Lambda function inside an RDS MySQL VPC, then the API Gateway cannot call it and timeouts. Is it possible to call a VPC Lambda from API Gateway?
VPC Links cannot be created with Application Load Balancers that is the only choice for a Lambda function, they need Network Load Balancers.
Are you sure that it's not your lambda that is timing out. API Gateway has no problem calling Lambda functions that are configured to run inside a VPC.
Consider using a VPC service endpoint for KMS and/or other services you need if you need your lambda to run in a VPC. Depending on the services this might be cheaper than a NAT gateway.
hello I want to call a api which is hoisted in Apache server on AWS EC2 server from my lambda function.
I have configured VPC for my lambda function according to my EC2 server instance with same security groups and same zone ,but still no luck.
Thanks in advance.
It appears that your situation is:
You want to make an HTTP/S API call from an AWS Lambda function to an Amazon EC2 instance
The Lambda function has been configured to connect to the same VPC as the EC2 instance
The Lambda function is reporting that it is unable to connect to the EC2 instance
I would recommend:
Create a Security Group (let's call it Lambda-SG) in the same VPC. It does not need any rules.
Configured the Lambda function to use the Security Group (in the Network section)
Create another Security Group (let's call it EC2-SG) and associate it with the EC2 instance. Add a rule that permits inbound access on the desired port, with the source set to ID of Lambda-SG.
That is the EC2-SG is saying that it will accept inbound connects from Lambda-SG on the desired port.
Merely putting resources in the same security group does not necessarily mean they can communicate. There needs to be a specific rule that permits the inbound access. The above method is the best way to do so.
I am running AWS Lambda functions in a VPC.
And during the course of the project I have hit problems because:
no access to my database - had to solve this somehow
no access to AWS SES - had to find workaround
no access to AWS SQS -removed all queuing functionality from Lambda functions
no access to external Internet - still don't know how to implement ReCapthca
without Internet access
no access to AWS Cognito - cannot get
information about logged in users
I COULD implement a NAT gateway in the VPC but what is the point of serverless if I have to run a NAT server instance? That's not serverless.
So finally AWS has worn me down and I have decided to give up on running my AWS Lambda functions in a VPC - without endpoints for Internet proxying and the various AWS services its just too hard.
SO my question is - what is the downside/disadvantage of running my AWS Lambda functions with no VPC?
If you need access to resources within a VPC, then run your AWS Lambda function within a VPC. If you do not require this access, then do not run it within a VPC.
If you require Internet access, then you should connect your Lambda functions to a Private Subnet and use a NAT Gateway, which is a fully-managed NAT so you can remain serverless. It will solve the problems you listed.
AWS has provided a reference document for Lambda deployments: Serverless Application Lens, AWS Well-Architected Framework. In it they provide the following decision tree:
The only major downside noted is that a Lambda outside of a VPC cannot directly access private resources within a VPC.
One reason to create a Lambda in a VPC would be that you have a specific IP or IP range for it. This could be the case if a system just accepts calls from a specific IP which would need to be whitlistet for it.
Fix IP for Lambda function is discussed here: Is there a way to assign a Static IP to a AWS Lambda without VPC?
Downside of not having Lambda in VPC: Not having specific IP / IP-range for your Lambda function.
In the end I stayed with the VPC but I added an EC2 instance into the VPC and ran TinyProxy on it. I then configured my AWS Lambda functions with the environment variable:
HTTPS_PROXY https://ip-10-0-1-53.eu-west-1.compute.internal:8888
boto3 picked up the environment variable and sent all requests to the proxy. This seems to work fine without the complexity of a NAT gateway.
I am running into a security related issue with AWS lambda and not sure what is the right way to resolve this.
Consider an EC2 instance A accessing the database on another EC2 instance B. If I want to restrict the accessibility of the DB on instance B to instance A only, I would modify the security group and add a custom TCP rule to allow access to only the public IP of instance A. So, this way, AWS will take care of everything and the DB server will not be accessible from any other IP address.
Now let us replace instance A by a lambda function. Since it is no longer an instance, there is no definite IP address. So, how do I restrict access to only the lambda function and block any other traffic ?
Have the Lambda job determine its IP, and dynamically update the instance B security group, then reset the security group when done.
Until there is support for Lambda running within a VPC this is the only option. Support for that has been announced for later this year. The following quote is from the referenced link above.
Many AWS customers host microservices within a Amazon Virtual Private
Cloud and would like to be able to access them from their Lambda
functions. Perhaps they run a MongoDB cluster with lookup data, or
want to use Amazon ElastiCache as a stateful store for Lambda
functions, but don’t want to expose these resources to the Internet.
You will soon be able to access resources of this type by setting up
one or more security groups within the target VPC, configure them to
accept inbound traffic from Lambda, and attach them to the target VPC
subnets. Then you will need to specify the VPC, the subnets, and the
security groups when your create your Lambda function (you can also
add them to an existing function). You’ll also need to give your
function permission (via its IAM role) to access a couple of EC2
functions related to Elastic Networking.
This feature will be available later this year. I’ll have more info
(and a walk-through) when we launch it.
I believe the below link will explain lambda permission model for you.
http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html