AWS Lambda cannot connect to AWS services in VPC

Time:06-24

I have a Lambda in a VPC to access Amazon DocumentDB, but it fails to access any resource in the VPC. I've read the official guide for days and still haven't fixed this issue.

I checked all VPC configurations according to the official guide but had no luck.

The VPC was assigned when creating the Lambda.

Could anyone give me some help on the Lambda configuration? :)

import json
import logging
from pymongo import MongoClient

logger = logging.getLogger()
logger.setLevel(logging.INFO)

class Mongo:
    """Assumed context-manager wrapper; the poster's own Mongo class is not shown."""
    def __init__(self, url, db):
        # 2 s server selection matches the 'Timeout: 2.0s' in the error below
        self.client = MongoClient(url, serverSelectionTimeoutMS=2000)
        self.db_name = db
    def __enter__(self):
        return self.client[self.db_name]
    def __exit__(self, *exc):
        self.client.close()

def access_mongodb(event, context):
    url = event.get('url')

    if url:
        db = event.get('db')
        coll = event.get('collection')
        query = event.get('query')
        limit = int(event.get('limit', 10))  # default so a missing 'limit' is not a TypeError

        try:
            with Mongo(url=url, db=db) as conn:
                logger.info('Lambda Start query with Mongo')
                for row in conn[coll].find(query).limit(limit):
                    logger.info(f'got row => {json.dumps(row, default=str)}')
        except Exception as e:
            logger.error(f'Got exception {e}')

    else:
        logger.info('Lambda End without Mongo')

Errors:

Got exception No servers found yet, Timeout: 2.0s, Topology Description: <TopologyDescription id: 62b5186720247fb7d69a0765, topology_type: Single, servers: [<ServerDescription ('docdb-test.xxxx-southeast-1.docdb.amazonaws.com', 27017) server_type: Unknown, rtt: None>]>

Configurations:

aws lambda get-function-configuration --function-name hello_py3

{
    "FunctionName": "hello_py3",
    "FunctionArn": "arn:aws:lambda:ap-southeast-1:592017647781:function:hello_py3",
    "Runtime": "python3.9",
    "Role": "arn:aws:iam::592017647781:role/service-role/hello_py3-role-xh39m23g",
    "Handler": "lambda_function.lambda_handler",
    "CodeSize": 5701329,
    "Description": "",
    "Timeout": 10,
    "MemorySize": 128,
    "LastModified": "2022-06-24T01:26:48.000+0000",
    "CodeSha256": "VLwda8fP2DM62/y4Ouy9/U3KpzvfSRWoH7ocCwl1G6g=",
    "Version": "$LATEST",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-08dacd9b6970624aa",
            "subnet-09f80e8227735f6cf",
            "subnet-028392620db2f9753"
        ],
        "SecurityGroupIds": [
            "sg-0002ee69773ca6f9d"
        ],
        "VpcId": "vpc-0eee2636f691ad96b"
    },
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "RevisionId": "55af10eb-f777-4ba9-aea5-05a010ce7637",
    "State": "Active",
    "LastUpdateStatus": "Successful",
    "PackageType": "Zip",
    "Architectures": [
        "x86_64"
    ],
    "EphemeralStorage": {
        "Size": 512
    }
}

aws iam list-attached-role-policies --role-name hello_py3-role-xh39m23g
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503",
            "PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaVPCAccessExecutionRole-2400d95b-c83c-4fce-8e12-b1a8c5c4b503"
        },
        {
            "PolicyName": "AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce",
            "PolicyArn": "arn:aws:iam::592017647781:policy/service-role/AWSLambdaBasicExecutionRole-a8dac45b-b9f1-4eab-8170-2c9b9f9358ce"
        }
    ]
}

aws ec2 describe-vpcs --vpc-ids vpc-0eee2636f691ad96b

{
    "Vpcs": [
        {
            "CidrBlock": "172.31.0.0/16",
            "DhcpOptionsId": "dopt-0b9edd5b6deafa0db",
            "State": "available",
            "VpcId": "vpc-0eee2636f691ad96b",
            "OwnerId": "592017647781",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0200675b36f061104",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": true
        }
    ]
}

aws ec2 describe-security-groups --group-ids sg-0002ee69773ca6f9d
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                },
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-0047473f289f0ffd3",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-031e0901b061eb92d",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-03f39f48c7887e46b",
                            "UserId": "592017647781"
                        },
                        {
                            "GroupId": "sg-07d8dbe45e3e81e44",
                            "UserId": "592017647781"
                        }
                    ]
                }
            ],
            "OwnerId": "592017647781",
            "GroupId": "sg-0002ee69773ca6f9d",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-0eee2636f691ad96b"
        }
    ]
}

UPDATE: I finally figured it out by using Reachability Analyzer, and it turned out to be my fault: I had confused configuration items. This is a very helpful tool; anyone with the same issue can try it to help themselves out.

Thanks, John, for the help.

CodePudding user response:

You appear to be using a single Security Group for both the AWS Lambda function and the DocDB database. I think your Security Group is missing Outbound permissions, which may be restricting traffic from the Lambda function.

The typical security setup would be:

  • A security group on the AWS Lambda function (Lambda-SG) that permits all Outbound access
  • A security group on the DocDB (DB-SG) that permits Inbound access from Lambda-SG on port 27017
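
As an added example (not from the question or either answer), the check below applies that two-rule model to `aws ec2 describe-security-groups` style output: Lambda-SG egress must allow the port toward DB-SG, and DB-SG ingress must admit that port from Lambda-SG. The first constructed sample mirrors the single default SG in the question; the second uses the hypothetical IDs sg-lambda-example and sg-db-example for the recommended split.

```python
# Constructed samples shaped like `aws ec2 describe-security-groups` output.
# SINGLE_SG mirrors the default SG in the question: port 80 from anywhere, all traffic
# from four *other* SGs (no self-reference), egress fully open.
SINGLE_SG = {
    "GroupId": "sg-0002ee69773ca6f9d",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": g} for g in (
             "sg-0047473f289f0ffd3", "sg-031e0901b061eb92d",
             "sg-03f39f48c7887e46b", "sg-07d8dbe45e3e81e44")]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
# Recommended split with hypothetical IDs: Lambda-SG is egress-only, DB-SG admits 27017 from it.
LAMBDA_SG = {
    "GroupId": "sg-lambda-example", "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
DB_SG = {
    "GroupId": "sg-db-example", "IpPermissionsEgress": [],
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-lambda-example"}]}],
}

def rule_permits(rule, port, proto, peer_sg_id):
    """Protocol and port must match, and the peer must: by SG reference or any-address CIDR.
    Narrower CIDRs would need the Lambda ENI address, so they count as no match (fail closed)."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    any_cidr = any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    by_sg = any(p["GroupId"] == peer_sg_id for p in rule.get("UserIdGroupPairs", []))
    return any_cidr or by_sg

def lambda_can_reach_db(lambda_sg, db_sg, port=27017, proto="tcp"):
    """Both halves must hold: Lambda-SG egress toward DB-SG and DB-SG ingress from Lambda-SG.
    Security groups are stateful, so the reply path needs no extra rule."""
    egress_ok = any(rule_permits(r, port, proto, db_sg["GroupId"]) for r in lambda_sg["IpPermissionsEgress"])
    ingress_ok = any(rule_permits(r, port, proto, lambda_sg["GroupId"]) for r in db_sg["IpPermissions"])
    return egress_ok and ingress_ok

if __name__ == "__main__":
    print("single default SG for both:", lambda_can_reach_db(SINGLE_SG, SINGLE_SG))  # False
    print("Lambda-SG -> DB-SG split:  ", lambda_can_reach_db(LAMBDA_SG, DB_SG))      # True
```

With both the function and the database in the question's single SG, no inbound rule names that SG itself, so the check reports a block; the split configuration passes.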

CodePudding user response:

Could you please check the connection from the Lambda subnet to the DocumentDB subnet and their SG & NACL, just to confirm that the Lambda can connect to DocumentDB using port 27017.

Thanks, Chinmoy Layek
