Possible to close open ingress for a Lambda in private subnet with VPC Endpoint for SQS?

Time:03-29

This is essentially the same question as this one. However, the solution utilizing the VPC Endpoint and the solution utilizing the NAT Gateway are not working for me as I describe below.

My setup:

  • Multiple lambdas in private subnet of VPC
  • There is a NAT Gateway in the public subnet that allows the lambdas to connect to the internet and reach an external API (this is working just fine)
  • There is also a VPC Endpoint configured with the correct URL "com.amazonaws.<REGION>.sqs" in the private subnet
  • Security group allows open egress from the lambdas in the private subnet, but does not allow open ingress

I get timeout errors in my Lambdas when they try to send to SQS. However, when I modify the security group to allow open ingress, it works!

Questions:

  1. How are security groups meant to be setup for the SQS VPC Endpoint / NAT Gateway solutions for a lambda in a private subnet in a VPC to send to SQS?
  2. Is open ingress a requirement to use VPC Endpoint?
  3. If so, why is it required? To combat this, we tried pulling the ip-ranges (here) from AWS but there are no SQS-specific IPs so we are forced to get all of them in the region and add to a security group (or multiple, since there are a significant number of them).

CodePudding user response:

  1. How are security groups meant to be setup for the SQS VPC Endpoint / NAT Gateway solutions for a lambda in a private subnet in a VPC to send to SQS?

The VPC endpoint should have a security group that allows ingress from the security group that is assigned to the Lambda function.

  2. Is open ingress a requirement to use VPC Endpoint?

The whole point of a VPC endpoint is to allow connections to be sent to the endpoint, that will then be forwarded to the service that exists outside the VPC. If you don't allow any ingress connections to the VPC endpoint then the endpoint will not work.

  3. If so, why is it required? To combat this, we tried pulling the ip-ranges (here) from AWS but there are no SQS-specific IPs so we are forced to get all of them in the region and add to a security group (or multiple, since there are a significant number of them).

Why would you add SQS IPs as ingress to the SQS VPC endpoint? I'm starting to wonder if you are mixing ingress and egress. You said your Lambda function is trying to send to SQS. Sending is egress. The Lambda function needs a security group that allows egress to SQS.

The VPC Endpoint needs to accept traffic from the Lambda function. The traffic from the Lambda function is considered ingress traffic to the VPC endpoint.

For a Lambda function to send an SQS message via a VPC Endpoint you need the following security groups:

Lambda Function Security Group:

ingress: none

egress: port 443 to the VPC Endpoint's security group, or just (all)

VPC Endpoint's Security Group:

ingress: port 443 from the Lambda function's security group

egress: (all)
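The two security groups the answer lists, written out as Terraform together with the SQS interface endpoint they attach to (an added example, not code from the post; the VPC and private-subnet resource references, the security group names and the region variable are assumptions):

```hcl
# Added example: Lambda -> SQS interface endpoint with no ingress on the Lambda SG.
# aws_vpc.main, aws_subnet.private and var.region are assumed to exist elsewhere.

variable "region" {
  default = "us-east-1" # assumption; replace with the VPC's region
}

# Lambda functions' security group: no ingress rules at all.
resource "aws_security_group" "lambda" {
  name   = "lambda-sg"     # assumed name
  vpc_id = aws_vpc.main.id # assumed VPC
}

# Security group attached to the SQS endpoint's network interfaces.
resource "aws_security_group" "sqs_endpoint" {
  name   = "sqs-endpoint-sg" # assumed name
  vpc_id = aws_vpc.main.id
}

# Lambda SG egress: HTTPS only, scoped to the endpoint SG rather than 0.0.0.0/0.
# (Add a separate egress rule if the functions must also reach the internet via the NAT Gateway.)
resource "aws_vpc_security_group_egress_rule" "lambda_to_endpoint" {
  security_group_id            = aws_security_group.lambda.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.sqs_endpoint.id
}

# Endpoint SG ingress: HTTPS from the Lambda SG only. This is the rule that
# replaces the "open ingress" workaround; traffic from the functions is ingress
# from the endpoint's point of view.
resource "aws_vpc_security_group_ingress_rule" "endpoint_from_lambda" {
  security_group_id            = aws_security_group.sqs_endpoint.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
  referenced_security_group_id = aws_security_group.lambda.id
}

# Interface endpoint for SQS in the private subnets, using the endpoint SG above.
resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.private[*].id # assumed private subnets
  security_group_ids  = [aws_security_group.sqs_endpoint.id]
  private_dns_enabled = true # the SDK's default sqs.<region>.amazonaws.com name resolves to the endpoint
}
```

With both rules referencing the peer security group by id, neither side needs a CIDR list, so the per-region AWS ip-ranges lookup the question describes is unnecessary.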
