Current situation:
I'm developing an AWS Lambda function that would launch an EC2 instance through a CloudFormation stack.
I've deployed it inside a VPC, and thus had created endpoints to give it access to resources such as S3/DynamoDB. However, I cannot find any endpoints for CloudFormation, and as a result my function gets stuck at:
Starting new HTTPS connection (1): cloudformation.ap-south-1.amazonaws.com:443
Update 1:
Here is the snippet of code I'm using to connect to CloudFormation:
# session is a boto3.session.Session(); the CloudFormation service resource
# exposes create_stack() directly.
self.cfn = session.resource('cloudformation')
stackdata = self.cfn.create_stack(
    StackName="STACK-{}".format(instance_name),
    DisableRollback=True,
    TemplateURL=constants.TEMPLATE_TYPE[instance_type],
    Parameters=params,
    Capabilities=['CAPABILITY_IAM', 'CAPABILITY_AUTO_EXPAND', 'CAPABILITY_NAMED_IAM']
)
Please note that my code works just fine in a non-VPC setup (if I deploy my Lambda function outside of a VPC).
Could anyone help me try to figure out what I'm missing here?
CodePudding user response:
A Lambda function that is deployed into a VPC doesn't have access to the internet. That means it's not able to reach any of the AWS service endpoints unless you do one of two things:
- create a VPC endpoint for that service
- add a NAT gateway so the Lambda function can use it to access the internet
You add the NAT gateway to a public subnet. After that, you need to edit the route tables for the private subnets to point to the NAT gateway. When you add a Lambda function to a VPC, you choose in which subnets it can be deployed. It's necessary to associate all of those subnets with the NAT gateway, so you're sure that the Lambda function will always have access to the NAT gateway.
If your Lambda function really needs to be in a VPC (it needs access to some other resources inside the VPC), this is OK, but if it's not really necessary, I'd suggest you just move it outside of the VPC (a NAT gateway is $35/month plus traffic).
You can see the details here as well: AWS Knowledgebase
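The checklist in the answer above (every subnet the Lambda function is attached to needs either a default route to a NAT gateway or a VPC endpoint for the service) is easy to get wrong when one subnet silently falls back to the VPC's main route table. The script below is an added example, not code from the question or the answer: it walks the same data the EC2 API returns from describe_route_tables() and describe_vpc_endpoints() and reports, per Lambda subnet, whether CloudFormation is reachable. All IDs and records in it are constructed sample data; the PrivateLink service name com.amazonaws.<region>.cloudformation is the one AWS publishes for the CloudFormation interface endpoint.

```python
"""Check whether every subnet a VPC-attached Lambda uses can reach the
CloudFormation API, either through a default route to a NAT gateway or through
an interface VPC endpoint for CloudFormation in the same VPC.

Every ID and record below is constructed sample data, not from a real account;
the dictionaries follow the shape of boto3's ec2.describe_route_tables() and
ec2.describe_vpc_endpoints() responses so real output can be fed in unchanged.
"""

REGION = "ap-south-1"
VPC_ID = "vpc-0123456789abcdef0"                        # constructed
CFN_SERVICE = f"com.amazonaws.{REGION}.cloudformation"  # PrivateLink service name for CloudFormation

# Constructed: the Lambda function is configured to use these three subnets.
LAMBDA_SUBNETS = ["subnet-priva0000000000", "subnet-privb0000000000", "subnet-public000000000"]

# Constructed: trimmed "RouteTables" list as returned by describe_route_tables().
ROUTE_TABLES = [
    {   # main table: only the local route, so subnets without an explicit association are stuck
        "RouteTableId": "rtb-main00000000000",
        "VpcId": VPC_ID,
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # private table: default route through a NAT gateway (what the answer recommends)
        "RouteTableId": "rtb-priv00000000000",
        "VpcId": VPC_ID,
        "Associations": [{"Main": False, "SubnetId": "subnet-priva0000000000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaaaaaaaaaaaaaaa", "State": "active"},
        ],
    },
    {   # public table: default route through an internet gateway
        "RouteTableId": "rtb-pub000000000000",
        "VpcId": VPC_ID,
        "Associations": [{"Main": False, "SubnetId": "subnet-public000000000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbbbbbbbbbbbbbbb", "State": "active"},
        ],
    },
]

# Constructed: trimmed "VpcEndpoints" list as returned by describe_vpc_endpoints().
CFN_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0ccccccccccccccccc",
        "VpcEndpointType": "Interface",
        "VpcId": VPC_ID,
        "ServiceName": CFN_SERVICE,
        "State": "available",
        "SubnetIds": ["subnet-priva0000000000"],
        # Private DNS makes cloudformation.<region>.amazonaws.com resolve to the endpoint
        # ENIs inside the VPC, so the SDK needs no endpoint_url override.
        "PrivateDnsEnabled": True,
    },
]


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """Return the route table a subnet uses: its explicit association, else the VPC's main table."""
    main = None
    for rtb in route_tables:
        if rtb["VpcId"] != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route (nat-..., igw-..., ...), or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None


def cfn_interface_endpoint(endpoints, vpc_id):
    """Return an available CloudFormation interface endpoint with private DNS in this VPC, or None.

    Such an endpoint is reachable from any subnet of the VPC over the local route;
    its security group still has to allow TCP 443 from the Lambda's security group.
    """
    for ep in endpoints:
        if (ep.get("VpcEndpointType") == "Interface" and ep.get("VpcId") == vpc_id
                and ep.get("ServiceName") == CFN_SERVICE and ep.get("State") == "available"
                and ep.get("PrivateDnsEnabled")):
            return ep
    return None


def check_lambda_subnets(subnet_ids, vpc_id, route_tables, endpoints):
    """Map each Lambda subnet to ("ok" | "unreachable", reason)."""
    endpoint = cfn_interface_endpoint(endpoints, vpc_id)
    result = {}
    for subnet_id in subnet_ids:
        if endpoint:
            result[subnet_id] = ("ok", f"interface endpoint {endpoint['VpcEndpointId']}")
            continue
        rtb = route_table_for_subnet(route_tables, subnet_id, vpc_id)
        target = default_route_target(rtb) if rtb else None
        if target and target.startswith("nat-"):
            result[subnet_id] = ("ok", f"default route via {target}")
        elif target and target.startswith("igw-"):
            # Lambda ENIs never get a public IP, so an internet-gateway route is a dead end.
            result[subnet_id] = ("unreachable", f"default route via {target} is unusable from Lambda")
        else:
            table = rtb["RouteTableId"] if rtb else "no route table"
            result[subnet_id] = ("unreachable", f"no default route ({table})")
    return result


if __name__ == "__main__":
    for subnet, (status, why) in check_lambda_subnets(LAMBDA_SUBNETS, VPC_ID, ROUTE_TABLES, []).items():
        print(f"{subnet}: {status} ({why})")
```

Run against the constructed data with no endpoints, it flags subnet-privb (it inherited the main route table, which has no NAT route) and subnet-public (an internet-gateway route does nothing for a Lambda ENI without a public IP), which is exactly the kind of hang reported in the question. With the constructed CloudFormation interface endpoint present, every subnet passes, since private DNS makes the SDK's default hostname resolve inside the VPC. To use it on a real account, pass `ec2.describe_route_tables()["RouteTables"]`, `ec2.describe_vpc_endpoints()["VpcEndpoints"]` and the subnet list from `lambda.get_function_configuration()["VpcConfig"]["SubnetIds"]` in place of the constants.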