Why can’t an AWS lambda function inside a public subnet in a VPC connect to the internet?

by

Lambda functions connected to a VPC public subnet cannot typically access the internet.

To access the internet from a public subnet you need a public IP or you need to route via a NAT that itself has a public IP. You also need an Internet Gateway (IGW). However:

  1. Lambda functions do not, and cannot, have public IP addresses, and
  2. the default route target in a VPC public subnet is the IGW, not a NAT

So, because the Lambda function only has a private IP and its traffic is routed to the IGW rather than to a NAT, all packets to the internet from the Lambda function will be dropped at the IGW.

Should I Configure my Lambda Function for VPC Access?

If your Lambda function does not need to reach private resources inside your VPC (e.g. an RDS database or Elasticsearch cluster) then do not configure the Lambda function to connect to the VPC.

If your Lambda function does need to reach private resources inside your VPC, then configure the Lambda function to connect to private subnets (and only private subnets).

NAT or Not?

If the Lambda function only needs access to resources in the VPC (e.g. an RDS database in a private subnet) then you don’t need to route through NAT.

If the Lambda function only needs access to resources in the VPC and access to AWS services that are all available via private VPC Endpoint then you don’t need to route through NAT. Use VPC Endpoints.

If your Lambda function needs to reach endpoints on the internet then ensure a default route from the Lambda function’s private subnets to a NAT instance or NAT Gateway in a public subnet. And configure an IGW, if needed, without which internet access is not possible.

Be aware that NAT gateway charges per hour and per GB processed so it’s worth understanding how to reduce data transfer costs for NAT gateway.

Best Practices

When configuring Lambda functions for VPC access, it is an HA best practice to configure multiple (private) subnets across different Availability Zones (AZs).

Intermittent Connectivity

Be sure that all the subnets you configure for your Lambda function are private subnets. It is a common mistake to configure, for example, 1 private subnet and 1 public subnet. This will result in your Lambda function working OK sometimes and failing at other times without any obvious cause.

For example, the Lambda function may succeed 5 times in a row, and then fail with a timeout (being unable to access some internet resource or AWS service). This happens because the first launch was in a private subnet, launches 2-5 reused the same Lambda function execution environment in the same private subnet (the so-called “warm start”), and then launch 6 was a “cold start” where the AWS Lambda service deployed the Lambda function in a public subnet where the Lambda function has no route to the internet.

More Related Contents:

  1. How to pass a querystring or route parameter to AWS Lambda from Amazon API Gateway
  2. Why do we need private subnet in VPC?
  3. API Gateway – POST multipart/form-data
  4. AWS lambda invoke not calling another lambda function – Node.js
  5. Is there a way to change the http status codes returned by Amazon API Gateway?
  6. AWS Lambda Scheduled Tasks
  7. Getting json body in aws Lambda via API gateway
  8. Allow AWS Lambda to access RDS Database
  9. Is it possible to POST to the SQS url using the post body
  10. AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access
  11. How to access HTTP headers for request to AWS API Gateway using Lambda?
  12. AWS Cognito: Best practice to handle same user (with same email address) signing in from different identity providers (Google, Facebook)
  13. Download an already uploaded Lambda function
  14. Specify log group for an AWS lambda?
  15. Access AWS S3 from Lambda within VPC
  16. Adding AWS Lambda with VPC configuration causes timeout when accessing S3
  17. AWS Lambda NoClassDefFoundError
  18. How to load npm modules in AWS Lambda?
  19. Can you publish a message to an SNS topic using an AWS Lambda function backed by node.js?
  20. Setting http response header from AWS lambda
  21. AWS Lambda Error: Unzipped size must be smaller than 262144000 bytes
  22. Amazon AWS Route 53 Hosted Zone does not work
  23. How to submit Spark jobs to EMR cluster from Airflow?
  24. AWS EFS vs EBS vs S3 (differences & when to use?) [closed]
  25. Deploying react-redux app in AWS S3
  26. How to change permission recursively to folder with AWS s3 or AWS s3api
  27. Difference between upload() and putObject() for uploading a file to S3?
  28. How do I delete a versioned bucket in AWS S3 using the CLI?
  29. AWS Lambda: Task timed out
  30. AWS Java SDK – Unable to find a region via the region provider chain

Leave a Comment