
I have a cloudformation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",

  "Parameters": {
    "SourcePackageName": {
      "Type": "String"
    }
  },

  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "PublicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "CidrBlock": "10.0.0.0/24"
      },
      "DependsOn" : "VPC"
    },
    "PrivateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "CidrBlock": "10.0.1.0/24"
      },
      "DependsOn" : "VPC"
    },
    "InternetGateway": {
      "Type": "AWS::EC2::InternetGateway"
    },
    "AttachGateway": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "InternetGatewayId": {
          "Ref": "InternetGateway"
        }
      },
      "DependsOn" : "InternetGateway"
    },
    "PublicRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        }
      },
      "DependsOn" : "VPC"
    },
    "PrivateRouteTable": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        }
      },
      "DependsOn" : "VPC"
    },
    "PublicRoute": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {
          "Ref": "PublicRouteTable"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "InternetGateway"
        }
      },
      "DependsOn": ["AttachGateway", "PublicRouteTable", "InternetGateway"]
    },
    "PrivateRoute": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {
          "Ref": "PrivateRouteTable"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {
          "Ref": "NatGateway"
        }
      },
      "DependsOn": ["AttachGateway", "PublicRouteTable", "NatGateway"]
    },
    "NatGateway": {
      "Type": "AWS::EC2::NatGateway",
      "Properties": {
        "AllocationId": {
          "Fn::GetAtt": [
            "ElasticIp",
            "AllocationId"
          ]
        },
        "SubnetId": {
          "Ref": "PublicSubnet"
        }
      },
      "DependsOn": ["PublicSubnet", "ElasticIp"]
    },
    "GatewayAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "VPC"
        },
        "InternetGatewayId": {
          "Ref": "InternetGateway"
        }
      },
      "DependsOn": ["VPC", "InternetGateway"]
    },
    "ElasticIp": {
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "Domain": "vpc"
      },
      "DependsOn": "GatewayAttachment"
    },
    "PublicSubnetRouteTableAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "PublicSubnet"
        },
        "RouteTableId": {
          "Ref": "PublicRouteTable"
        }
      },
      "DependsOn": ["PublicSubnet", "PublicRouteTable"]
    },
    "PrivateSubnetRouteTableAssociation": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "PrivateSubnet"
        },
        "RouteTableId": {
          "Ref": "PrivateRouteTable"
        }
      },
      "DependsOn": ["PrivateSubnet", "PrivateRouteTable"]
    },

    "LambdaSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "DependsOn": ["VPC"],
      "Properties": {
        "GroupName": "Internet Group",
        "GroupDescription": "All traffic in, all traffic out.",
        "VpcId": {  "Ref": "VPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": -1,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": -1,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "Tags": [
          {
            "Key" : "System",
            "Value" : "Feed"
          }
        ]
      }
    },

    "FeedLambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "root",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "logs:*"
                ],
                "Resource": "arn:aws:logs:*:*:*"
              }
            ]
          }
        }],
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
          "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
        ]
      }
    },

    "FeedLambda": {
      "Type": "AWS::Lambda::Function",
      "DependsOn": ["VPC", "LambdaSecurityGroup", "PublicSubnet", "FeedLambdaRole"],
      "Properties": {
        "Code": {
          "S3Bucket": "bucket-name",
          "S3Key": {
            "Fn::Join" : [ "/", [ "directory-name", { "Ref" : "SourcePackageName" }] ] }
        },
        "FunctionName": "Feed",
        "Handler": "java.package.class",
        "MemorySize": 128,
        "Role": { "Fn::GetAtt" : [ "FeedLambdaRole", "Arn" ] },
        "Runtime": "java8",
        "VpcConfig": {
          "SecurityGroupIds": [
            { "Ref": "LambdaSecurityGroup" }
          ],
          "SubnetIds": [
            { "Ref": "PublicSubnet" }
          ]
        }
      }
    }
  }
}

My code runs correctly as long as it makes no Internet calls, but as soon as I add a network call it consistently times out.

I have increased the timeout to 10 seconds, but that did not fix it.

Any help would be appreciated.

I utilized the template from here:

https://stackoverthrow.net/2016/12/30/aws-cloudformation-template-for-lambda-access-to-elasticache-redis-private-subnet-and-dynamodb-public-subnet/


You've placed the Lambda function in the public subnet. A Lambda function inside a VPC has to use a NAT Gateway to reach the Internet (and anything else outside the VPC, such as the AWS APIs), because its network interfaces never get public IP addresses and so cannot use the route through the Internet Gateway. In your template the default route to the NAT Gateway is in the private route table, which is associated with the private subnet. You need to change your configuration to deploy the Lambda function into the private subnet.

Alternatively, if your Lambda function doesn't actually need to access anything in the VPC then you can leave it out of the VPC and it will have Internet access. Adding a Lambda function to a VPC makes cold-starts slower and gives no benefit unless you actually need it to access VPC resources.


So I fixed what you stated, and another issue I found was that the memory / timeout settings were also causing problems. Giving you credit since what you stated was the correct issue.
