VPC 中的 AWS Lambda 有时无法访问互联网
AWS Lambda in VPC sometimes doesn't have internet access
我有部署到 VPC 的 Lambda。
此部署有下一个配置:
- 专有网络 (192.168.0.0/16)
- Public 子网 A (192.168.32.0/20) 有 NAT 网关和路由 0.0.0.0/0 到互联网网关
- 私有子网 A (192.168.48.0/20) 有到 NAT 网关的路由 0.0.0.0/0
- 私有子网 B (192.168.64.0/20)
Lambda 有自己的安全组和对 "Private Subnet A" 和 "Private Subnet B"
的引用
我有一个奇怪的问题:有时 Lambda 无法访问互联网。第 3 方服务正常工作。
更奇怪的是,Lambda 获取的 IP 是 127.0.0.1、169.254.76.13、169.254.79.1 而不是来自子网(192.168.48.0/20 和 192.168.64.0/20)的 IP。
错误:
Error: connect ETIMEDOUT x.x.x.x:443
at Object._errnoException (util.js:1022:11)
at _exceptionWithHostPort (util.js:1044:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1198:14)
部署架构:
这里是完整的 CloudFormation 模板:
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Base Infrastructure'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'VPC Parameters'
Parameters:
- VpcId
- InternetGatewayId
Parameters:
VpcId:
Type: String
InternetGatewayId:
Type: String
Resources:
SubnetAPublic:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Sub '192.168.32.0/20'
MapPublicIpOnLaunch: true
VpcId: !Sub '${VpcId}'
SubnetAPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Sub '192.168.48.0/20'
VpcId: !Sub '${VpcId}'
SubnetBPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Sub '192.168.64.0/20'
VpcId: !Sub '${VpcId}'
RouteTablePublic:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTablePrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTableBPrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTableAssociationAPublic:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPublic
RouteTableId: !Ref RouteTablePublic
RouteTableAssociationAPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPrivate
RouteTableId: !Ref RouteTablePrivate
RouteTableAssociationBPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetBPrivate
RouteTableId: !Ref RouteTableBPrivate
EIP:
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
NatGateway:
Type: 'AWS::EC2::NatGateway'
Properties:
AllocationId: !GetAtt 'EIP.AllocationId'
SubnetId: !Ref SubnetAPublic
RouteTablePublicInternetRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTablePrivate
DestinationCidrBlock: '0.0.0.0/0'
NatGatewayId: !Ref NatGateway
RouteTablePublicInternetRoute2:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTablePublic
DestinationCidrBlock: '0.0.0.0/0'
GatewayId: !Sub '${InternetGatewayId}'
ServerlessSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: SecurityGroup for Serverless Functions
VpcId: !Sub '${VpcId}'
ServerlessSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref ServerlessSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref ServerlessSecurityGroup
知道我做错了什么吗?
P.S.: 我发现了类似的问题AWS VPC Lambda Function keeps losing internet access and Why AWS lambda functions In a VPC sometimes timeout and sometimes work fine?
UPD
已添加路线,现在可以使用了
RouteTableBPrivateInternetRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTableBPrivate
DestinationCidrBlock: '0.0.0.0/0'
NatGatewayId: !Ref NatGateway
要使 VPC 内的 AWS Lambda 函数 运行 能够访问 VPC 外的资源(例如 Internet),它必须位于具有 NAT 网关的私有子网中。在您的实例中,私有子网 A 是唯一具有适当配置以允许 Lambda 函数访问 Internet 的子网。因此,您需要将 Lambda 函数的配置编辑为仅在该子网中 运行。
您是否已选择 public 子网作为您的 lambda 运行 所在的子网之一?
lambda 只能在 运行 私有子网中访问互联网,因此请转到 AWS 控制台上的 lambda 页面,取消选择 public 子网并保存,问题应该不会再发生了。
我有部署到 VPC 的 Lambda。
此部署有下一个配置:
- 专有网络 (192.168.0.0/16)
- Public 子网 A (192.168.32.0/20) 有 NAT 网关和路由 0.0.0.0/0 到互联网网关
- 私有子网 A (192.168.48.0/20) 有到 NAT 网关的路由 0.0.0.0/0
- 私有子网 B (192.168.64.0/20)
Lambda 有自己的安全组和对 "Private Subnet A" 和 "Private Subnet B"
的引用我有一个奇怪的问题:有时 Lambda 无法访问互联网。第 3 方服务正常工作。
更奇怪的是,Lambda 获取的 IP 是 127.0.0.1、169.254.76.13、169.254.79.1 而不是来自子网(192.168.48.0/20 和 192.168.64.0/20)的 IP。
错误:
Error: connect ETIMEDOUT x.x.x.x:443
at Object._errnoException (util.js:1022:11)
at _exceptionWithHostPort (util.js:1044:20)
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1198:14)
部署架构:
这里是完整的 CloudFormation 模板:
---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Base Infrastructure'
Metadata:
'AWS::CloudFormation::Interface':
ParameterGroups:
- Label:
default: 'VPC Parameters'
Parameters:
- VpcId
- InternetGatewayId
Parameters:
VpcId:
Type: String
InternetGatewayId:
Type: String
Resources:
SubnetAPublic:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Sub '192.168.32.0/20'
MapPublicIpOnLaunch: true
VpcId: !Sub '${VpcId}'
SubnetAPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: !Sub '192.168.48.0/20'
VpcId: !Sub '${VpcId}'
SubnetBPrivate:
Type: 'AWS::EC2::Subnet'
Properties:
AvailabilityZone: !Select [1, !GetAZs '']
CidrBlock: !Sub '192.168.64.0/20'
VpcId: !Sub '${VpcId}'
RouteTablePublic:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTablePrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTableBPrivate:
Type: 'AWS::EC2::RouteTable'
Properties:
VpcId: !Sub '${VpcId}'
RouteTableAssociationAPublic:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPublic
RouteTableId: !Ref RouteTablePublic
RouteTableAssociationAPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetAPrivate
RouteTableId: !Ref RouteTablePrivate
RouteTableAssociationBPrivate:
Type: 'AWS::EC2::SubnetRouteTableAssociation'
Properties:
SubnetId: !Ref SubnetBPrivate
RouteTableId: !Ref RouteTableBPrivate
EIP:
Type: 'AWS::EC2::EIP'
Properties:
Domain: vpc
NatGateway:
Type: 'AWS::EC2::NatGateway'
Properties:
AllocationId: !GetAtt 'EIP.AllocationId'
SubnetId: !Ref SubnetAPublic
RouteTablePublicInternetRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTablePrivate
DestinationCidrBlock: '0.0.0.0/0'
NatGatewayId: !Ref NatGateway
RouteTablePublicInternetRoute2:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTablePublic
DestinationCidrBlock: '0.0.0.0/0'
GatewayId: !Sub '${InternetGatewayId}'
ServerlessSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: SecurityGroup for Serverless Functions
VpcId: !Sub '${VpcId}'
ServerlessSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: !Ref ServerlessSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref ServerlessSecurityGroup
知道我做错了什么吗?
P.S.: 我发现了类似的问题AWS VPC Lambda Function keeps losing internet access and Why AWS lambda functions In a VPC sometimes timeout and sometimes work fine?
UPD
已添加路线,现在可以使用了
RouteTableBPrivateInternetRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref RouteTableBPrivate
DestinationCidrBlock: '0.0.0.0/0'
NatGatewayId: !Ref NatGateway
要使 VPC 内的 AWS Lambda 函数 运行 能够访问 VPC 外的资源(例如 Internet),它必须位于具有 NAT 网关的私有子网中。在您的实例中,私有子网 A 是唯一具有适当配置以允许 Lambda 函数访问 Internet 的子网。因此,您需要将 Lambda 函数的配置编辑为仅在该子网中 运行。
您是否已选择 public 子网作为您的 lambda 运行 所在的子网之一?
lambda 只能在 运行 私有子网中访问互联网,因此请转到 AWS 控制台上的 lambda 页面,取消选择 public 子网并保存,问题应该不会再发生了。