How do I give internet access to a Lambda function that's connected to an Amazon VPC?

6 minute read
2

I want to grant internet access to my AWS Lambda function that's connected to an Amazon Virtual Private Cloud (Amazon VPC).

Short description

Internet access from a private subnet requires network address translation (NAT). To give internet access to an Amazon VPC-connected Lambda function, route its outbound traffic to a NAT gateway or NAT instance in a public subnet.

For more information, see Connect to the internet using an internet gateway. For an example setup, see VPC with servers in private subnets and NAT.

Note: You can also use Amazon VPC endpoints to connect to supported AWS services from within an Amazon VPC without internet access.

Resolution

(Optional) Create a new Amazon VPC using the VPC Wizard in the AWS Management Console

Note: If you use the VPC wizard to create a new Amazon VPC, then skip ahead to the following section: Create a Lambda execution role for your VPC.

1.    Open the VPC wizard in the AWS Management Console.

2.    Choose VPC with Public and Private Subnets. The new Public subnet and Private subnet, including their associated internet gateway and NAT gateway, appear in the Amazon VPC console.

Create a public subnet and one or more private subnets in your Amazon VPC

For instructions, see Create a subnet to create each of your subnets.

When you create the subnets, for Name tag, enter a name for each subnet that identifies it as either public or private. For example: Public subnet, Private lambda 1, and Private lambda 2.

Note: It's a best practice to create more than one private subnet across different Availability Zones. This practice creates redundancy and allows the Lambda service to maintain high availability for your function.

Create an internet gateway and attach it to your Amazon VPC

For instructions, see Create and attach an internet gateway.

Create a NAT gateway

For instructions, see Create a NAT gateway. When you create the NAT gateway, for Subnet, choose the subnet that you want to make public. (From the previous example: Public subnet.)

Note: To test your NAT gateway setup, see Test the public NAT gateway.

Create two custom route tables—one for your public subnet and one for your private subnet

Note: When an Amazon VPC-connected Lambda function makes requests, it randomly selects an associated subnet. If the function uses a misconfigured subnet, then you get an error. To prevent random errors, make sure to use the same configuration for all subnets that your function uses.

For instructions, see Create a custom route table. When you create the route tables, for Name tag, enter a name for each route table that helps you identify the subnet that it's associated with. For example: Public subnet and Private Lambda.

For each route table, make sure that you complete the following steps:

For the public subnet's route table

1.    Associate the public subnet's route table (Public subnet) with the subnet that you want to make public.

2.    Add a new route to the route table that includes the following configurations:

For Destination, enter 0.0.0.0/0.
For Target, choose Internet Gateway, and then choose the ID (igw-123example) of the internet gateway that you created. Choose Save routes.

For the private subnet's route table

1.    Associate the private subnet's route table (Private Lambda) with the private subnets.

2.    Add a new route to the route table that includes the following configurations:

For Destination, enter 0.0.0.0/0.
For Target, choose NAT Gateway. Then, choose the ID of the NAT gateway (nat-123example) that you created.

Important: If you're using a NAT instance, choose Network Interface instead. Choose Save routes.

Note: Make sure that the routes to your NAT gateway are in an active status. If the NAT gateway is deleted and you didn't update the routes, they're in a blackhole status. For more information, see Delete a NAT gateway.

Verify that your network ACL allows outbound requests from your Lambda function, and inbound traffic as needed

The default network access control list (network ACL) in your Amazon VPC allows all inbound and outbound traffic. If you change the network ACL rules, then make sure that you still allow outbound requests from your Lambda function.

Also, make sure that your network ACL allows the following inbound traffic based on your VPC configuration:

  • For private subnets that use a NAT gateway: allow inbound traffic on ephemeral ports 1024-65535.
  • For private subnets that use a NAT instance: allow inbound traffic on the ephemeral ports used by your NAT instance operating system.

Note: For more information, see Internetwork traffic privacy in Amazon VPC.

Create a Lambda execution role for your VPC

1.    Open the Roles page in the AWS Identity and Access Management (IAM) console.

2.    Choose Create role. The Create role page opens.

3.    On the Create role page, complete the following steps:

For Select type of trusted entity, choose AWS service.
For Common use cases, choose Lambda.
Choose Next: Permissions.
Under Attach permissions policies, search for AWSLambdaVPCAccessExecutionRole.
Select the policy with that name. Then, choose Next: Tags.
(Optional) Add tags for your use case.
Choose Next: Review.
For Role name, enter a name for your Lambda execution role. For example: lambda_vpc_basic_execution.
(Optional) For Role description, enter a description of the role. Choose Create role.

Attach the role to the Lambda function

1.    Open the Functions page in the Lambda console.

2.    Choose the name of the function that you want to connect to your Amazon VPC.

3.    Choose the Configuration tab, and then choose Permissions.

4.    In Execution role, choose Edit.

5.    Choose the Existing role dropdown list, and then choose your role. For example: lambda_vpc_basic_execution.

6.    Choose Save.

For more information, see Lambda execution role and Creating an execution role in the IAM console.

Configure your Lambda function to connect to your Amazon VPC

1.    Open the Functions page in the Lambda console.

2.    Choose the name of the function that you want to connect to your Amazon VPC.

3.    Choose the Configuration tab.

4.    Choose VPC from the left navigation bar, and then choose Edit. Then, enter the following fields:

For Virtual Private Cloud (VPC), choose your VPC.
For Subnets, select the private subnets that you created. Identify them by their subnet IDs (and names, if you named them).
For Security groups, choose a security group.

Note: The default security group allows all outbound internet traffic and is sufficient for most use cases. For more information, see Control traffic to your AWS resources using security groups.

5.    Choose Save.

Related information

Connecting outbound networking to resources in a VPC

Troubleshoot networking issues in Lambda

How do I troubleshoot Lambda function failures?

AWS OFFICIAL
AWS OFFICIALUpdated a year ago
5 Comments

Is it possible to give our lambda functions in a private subnet access to internet via an ipv6 egress only internet gateway instead of a nat gateway?

pierre
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 6 months ago

@pierre Yes! Just assign an IP to the Elastic Network Interface (ENI) created by Lambda.

replied 4 months ago

This article leaves a lot to be desired, a lot of holes and research to be done if you don't already know what your doing.

See this answer on SO - https://stackoverflow.com/questions/37135725/aws-lambda-connecting-to-internet/55267891#55267891 - has step by step images and was easy to follow. Its based on this article but doesn't direct you to more documentation to figure out additional steps.

Followed the SO answer and resolved my issue of using RDS + SES and/or RDS + S3 within the same lambda function on a publicly accessible (ip limited) RDS instance.

profile picture
replied 7 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 6 days ago