How to reach S3 from a nodejs lambda which is inside a VPC?

Time:09-20

My lambda is getting ETIMEDOUT for hostname s3.amazonaws.com. I figured out that it is probably caused by the fact that my lambda is inside a VPC.

I suspect that I need to use an AWS Endpoint to reach S3. I know that we have an endpoint set up, and in the AWS Console I can see an endpoint associated with this VPC called dev-s3-gateway with service name com.amazonaws.us-east-1.s3.

How do I tell my lambda to use this endpoint?

CodePudding user response:

Inside a VPC, your Lambda can be in either a private subnet or a public subnet.

Lambda in Public Subnets CANNOT access the internet.

Having Lambda access the internet

Being in a Private Subnet, your Lambda cannot have "direct" access to the internet. You need to provision a Public Subnet in your VPC and have both an Internet Gateway as well as a NAT Gateway in that subnet.

Route the traffic to 0.0.0.0/0 from your Lambda's subnet via the NAT Gateway.

From the routing table of the Public Subnet, route traffic to 0.0.0.0/0 via the Internet Gateway.

Your Lambda should now have access to the internet (and to S3).

Feel free to also check out this more detailed guide.

Accessing AWS services through VPC endpoints

Several AWS services offer VPC endpoints. These allow you to connect and interact with the respective services without your traffic ever leaving the AWS network.

For more information on them, please check out their documentation.

EDIT: Expanding a bit on your specific S3 use case.

S3 offers Gateway and Interface VPC Endpoints. Based on the endpoint name you provided in the question, I'm going to guess this is a Gateway VPC Endpoint. Once you set up the endpoint in your VPC, the Security Group(s) associated with your Lambda must allow outbound traffic to the endpoint.

You have two options.

First and simplest (but perhaps less secure - depending on your use case), you allow outbound traffic to 0.0.0.0/0. This will effectively allow you to call anything. However, if the Lambda is in a public subnet, it won't be able to access the internet, as explained above, but rather only the Gateway VPC Endpoint ranges.

The second option is to allow outbound traffic to the known Prefix List of the regional Amazon S3 endpoint. You can retrieve the PrefixList ID (looks like pl-xxxxxx) by invoking DescribePrefixLists and looking for the Prefix List for service com.amazonaws.us-east-1.s3. Once you have the ID of the Prefix List, you can add it as the destination of an outbound rule of your Security Group(s).
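As an added example (not part of the answer above), here is the second option written as Terraform: the existing gateway endpoint is looked up by service name, its route table association is made explicit, and the Lambda's security group gets an HTTPS egress rule to the S3 prefix list instead of 0.0.0.0/0. The VPC, route table and security group IDs are assumed to be supplied as variables; the endpoint name dev-s3-gateway is the one from the question.

```hcl
# Added example, not code from the original post. Placeholder inputs:
variable "vpc_id"                 { type = string } # VPC the Lambda runs in
variable "private_route_table_id" { type = string } # route table of the Lambda's subnet(s)
variable "lambda_sg_id"           { type = string } # security group attached to the Lambda

# The gateway endpoint that already exists in the VPC (dev-s3-gateway).
data "aws_vpc_endpoint" "s3" {
  vpc_id       = var.vpc_id
  service_name = "com.amazonaws.us-east-1.s3"
  tags         = { Name = "dev-s3-gateway" }
}

# A gateway endpoint only takes effect through routes: the Lambda's subnet
# route table must be associated with it, or s3.amazonaws.com keeps
# resolving to public IPs and the call times out (ETIMEDOUT).
resource "aws_vpc_endpoint_route_table_association" "lambda_subnets" {
  vpc_endpoint_id = data.aws_vpc_endpoint.s3.id
  route_table_id  = var.private_route_table_id
}

# Same lookup the answer describes via DescribePrefixLists; yields the pl- ID.
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.us-east-1.s3"
}

# Weak setting (the answer's first option), kept only for contrast:
# egress to anywhere. Do not apply alongside the rule below.
# resource "aws_security_group_rule" "lambda_egress_any" {
#   type              = "egress"
#   security_group_id = var.lambda_sg_id
#   protocol          = "-1"
#   from_port         = 0
#   to_port           = 0
#   cidr_blocks       = ["0.0.0.0/0"]
# }

# Corrected setting (the answer's second option): HTTPS egress restricted
# to the regional S3 prefix list, so the Lambda can reach S3 and nothing else.
resource "aws_security_group_rule" "lambda_egress_s3" {
  type              = "egress"
  security_group_id = var.lambda_sg_id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
  description       = "Lambda to S3 via gateway endpoint"
}
```

After applying, a quick check is `aws ec2 describe-security-groups --group-ids <sg-id>` to confirm the egress rule references the pl- ID rather than a CIDR, and that the route table now shows the endpoint as a target.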
