How do I give internet access to a Lambda function that's connected to an Amazon VPC?

Last updated: 2021-10-06

I want my AWS Lambda function that's connected to an Amazon Virtual Private Cloud (Amazon VPC) to have access to the internet. How do I set that up?

Short description

A Lambda function that's connected to a VPC sends its outbound traffic through elastic network interfaces in the subnets that you choose. Those interfaces never get a public IP address, so putting the function in a public subnet (one that routes 0.0.0.0/0 to an internet gateway) doesn't give it internet access. Internet access from a private subnet requires network address translation (NAT). To give internet access to an Amazon VPC-connected Lambda function, connect it to private subnets only and route their outbound traffic to a NAT gateway or NAT instance in a public subnet.

For more information, see Internet gateways in the Amazon VPC User Guide. For an example setup, see VPC with public and private subnets (NAT).

To troubleshoot internet access issues with Amazon VPC-connected Lambda functions

See How do I troubleshoot internet access issues for an AWS Lambda function that's in an Amazon VPC using AWS Systems Manager?

Note: You can also use Amazon VPC endpoints to connect to supported AWS services from within an Amazon VPC without internet access. If the function's only external dependencies are AWS services, endpoints are the least-privilege option, because the function then never needs an internet route at all.

Resolution

(Optional) Create a new Amazon VPC using the VPC Wizard in the AWS Management Console

Note: If you use the VPC wizard to create a new Amazon VPC, then you can skip ahead to the following section: Create a Lambda execution role for your VPC.

1.    Open the VPC wizard in the AWS Management Console.

2.    Choose VPC with Public and Private Subnets. The new Public subnet and Private subnet, including their associated internet gateway and NAT gateway, appear in the Amazon VPC console.

Create a public subnet and one or more private subnets in your Amazon VPC

For instructions, see Create a subnet in your VPC to create each of your subnets.

When you create the subnets, for Name tag, enter a name for each subnet that identifies it as being either public or private. For example: Public subnet, Private lambda 1, and Private lambda 2.

Note: It's a best practice to create more than one private subnet across different Availability Zones. This practice creates redundancy and allows the Lambda service to maintain high availability for your function.

Create an internet gateway and attach it to your Amazon VPC

For instructions, see Create and attach an internet gateway.

Create a NAT gateway

For instructions, see Create a NAT gateway. When you create the NAT gateway, for Subnet, choose the subnet that you want to make public. (From the previous example: Public subnet.) A public NAT gateway also needs an Elastic IP address; that address is the source IP that internet destinations see for all of the function's outbound traffic, so it's the address to put on any allow list that a downstream service keeps.

Note: To test your NAT gateway setup, see Test the public NAT gateway in the Amazon VPC user guide.

Create two custom route tables—one for your public subnet and one for your private subnet

Note: An Amazon VPC-connected Lambda function randomly selects one of its associated subnets for each request. All subnets that your function uses should have the same route table and network ACL configuration, so that a single misconfigured subnet doesn't cause intermittent failures that are hard to reproduce.

For instructions, see Create a custom route table. When you create the route tables, for Name tag, enter a name for each route table that helps you identify which subnet it's associated with. For example: Public subnet and Private Lambda.

For each route table, make sure that you do the following:

For the public subnet's route table

1.    Associate the public subnet's route table (Public subnet) with the subnet that you want to make public.

2.    Add a new route to the route table that includes the following configurations:
For Destination, enter 0.0.0.0/0.
For Target, choose Internet Gateway, and then choose the ID (igw-123example) of the internet gateway that you created.
Choose Save routes.

For the private subnet's route table

1.    Associate the private subnet's route table (Private Lambda) with the private subnets.

2.    Add a new route to the route table that includes the following configurations:
For Destination, enter 0.0.0.0/0.
For Target, choose NAT Gateway. Then, choose the ID of the NAT gateway (nat-123example) that you created.
Important: If you're using a NAT instance, choose Network Interface instead, and make sure that source/destination checking is disabled on the NAT instance's network interface. With the check enabled, the instance drops the function's packets because they aren't addressed to the instance itself.
Choose Save routes.

Note: Make sure that the routes to your NAT gateway are in an active status. If the NAT gateway is deleted and you haven't updated the routes, they're in a blackhole status. For more information, see Updating your route table.

Verify that your network ACL allows outbound requests from your Lambda function, and inbound traffic as needed

The default network access control list (ACL) in your Amazon VPC allows all inbound and outbound traffic. If you change the network ACL rules, make sure that you still allow outbound requests from your Lambda function.

Also, make sure that your network ACL allows the following inbound traffic based on your VPC configuration:

For private subnets that use a NAT gateway

Allow inbound traffic on ephemeral ports 1024-65535.

For private subnets that use a NAT instance

Allow inbound traffic on the ephemeral ports used by your NAT instance operating system.

Note: For more information, see Internetwork traffic privacy in Amazon VPC.
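The route table and network ACL checks above are the two places where a private subnet most often breaks, and they have to hold for every subnet the function uses. The following script, written for this article and not part of the AWS documentation, audits both from the output of the EC2 DescribeRouteTables and DescribeNetworkAcls API calls (as returned by `aws ec2 describe-route-tables --output json` and `aws ec2 describe-network-acls --output json`). It flags a missing or blackhole 0.0.0.0/0 route, a route that targets an internet gateway instead of NAT, and a network ACL that denies the outbound request or the inbound return traffic on ports 1024-65535. The sample data at the bottom is constructed for the example; all IDs in it are placeholders.

```python
"""Offline audit of the network path a VPC-connected Lambda function needs for internet
access: for every subnet the function uses, the route table must send 0.0.0.0/0 to a NAT
gateway (or a NAT instance's network interface) through an active route, and the network
ACL must allow the outbound requests plus inbound return traffic on ports 1024-65535.
Example written for this article, not AWS code. Inputs mirror the JSON of the EC2
DescribeRouteTables and DescribeNetworkAcls calls; the sample data is constructed."""

EPHEMERAL = range(1024, 65536)               # return ports a NAT gateway uses
OUTBOUND_PROBES = ((53, "17"), (443, "6"))   # DNS over UDP, HTTPS over TCP


def route_table_for_subnet(route_tables, subnet_id):
    """Table explicitly associated with the subnet, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def check_default_route(rt):
    """Findings about the 0.0.0.0/0 route of one route table."""
    default = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default:
        return ["no 0.0.0.0/0 route, so outbound internet traffic has nowhere to go"]
    route, findings = default[0], []
    if route.get("State") == "blackhole":
        findings.append("0.0.0.0/0 route is blackhole: its target was deleted, update the route")
    if route.get("GatewayId", "").startswith("igw-"):
        findings.append("0.0.0.0/0 targets an internet gateway: a Lambda network interface has no "
                        "public IP, so a public subnet still gives the function no internet access")
    elif not (route.get("NatGatewayId") or route.get("NetworkInterfaceId")):
        findings.append("0.0.0.0/0 targets neither a NAT gateway nor a NAT instance interface")
    return findings


def _decision(entries, egress, port, proto):
    """First matching rule in rule-number order wins; the implicit '*' rule denies. Only
    0.0.0.0/0 rules are considered because the peer is an arbitrary internet host."""
    for e in entries:
        if e["Egress"] != egress or e.get("CidrBlock") != "0.0.0.0/0":
            continue
        if e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange", {"From": 1, "To": 65535})
        if pr["From"] <= port <= pr["To"]:
            return e["RuleAction"]
    return "deny"


def check_nacl(acl):
    """Findings about one network ACL in DescribeNetworkAcls shape."""
    entries = sorted(acl.get("Entries", []), key=lambda e: e["RuleNumber"])
    findings = []
    for port, proto in OUTBOUND_PROBES:
        if _decision(entries, True, port, proto) != "allow":
            findings.append(f"outbound port {port}/{'udp' if proto == '17' else 'tcp'} is denied")
    blocked = next((p for p in EPHEMERAL if _decision(entries, False, p, "6") != "allow"), None)
    if blocked is not None:
        findings.append(f"inbound return traffic is denied on port {blocked} (allow 1024-65535)")
    return findings


def audit(subnet_ids, route_tables, acls):
    """Map each function subnet to its findings (empty list = clean). Every subnet is
    checked because Lambda picks one of them at random for each request."""
    report = {}
    for sid in subnet_ids:
        rt = route_table_for_subnet(route_tables, sid)
        acl = next((a for a in acls if any(x.get("SubnetId") == sid for x in a.get("Associations", []))), None)
        report[sid] = (check_default_route(rt) if rt else ["no route table found"]) + (
            check_nacl(acl) if acl else ["no network ACL association found"])
    return report


def _rule(num, egress, action, proto="-1", ports=None):
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action, "Protocol": proto, "CidrBlock": "0.0.0.0/0"}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# Constructed sample: subnet-private1 is wired correctly; subnet-private2 has a stale route to a
# deleted NAT gateway and a network ACL whose inbound rules only return traffic on port 443.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-priv1", "Associations": [{"SubnetId": "subnet-private1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-123example", "State": "active"}]},
    {"RouteTableId": "rtb-priv2", "Associations": [{"SubnetId": "subnet-private2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-deleted00", "State": "blackhole"}]},
]
SAMPLE_ACLS = [
    {"NetworkAclId": "acl-default", "Associations": [{"SubnetId": "subnet-private1"}],
     "Entries": [_rule(100, True, "allow"), _rule(100, False, "allow"),
                 _rule(32767, True, "deny"), _rule(32767, False, "deny")]},
    {"NetworkAclId": "acl-strict", "Associations": [{"SubnetId": "subnet-private2"}],
     "Entries": [_rule(100, True, "allow"), _rule(100, False, "allow", "6", (443, 443)),
                 _rule(32767, True, "deny"), _rule(32767, False, "deny")]},
]

if __name__ == "__main__":
    for subnet, findings in audit(["subnet-private1", "subnet-private2"], SAMPLE_ROUTE_TABLES, SAMPLE_ACLS).items():
        print(subnet, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

Run against real output, `audit()` takes the function's subnet IDs (from the `VpcConfig` of `aws lambda get-function-configuration`) and the parsed `RouteTables` and `NetworkAcls` lists. The network ACL evaluation deliberately walks every ephemeral port in rule-number order rather than looking for a single 1024-65535 rule, so a higher-numbered allow that is shadowed by a lower-numbered deny is reported correctly; it ignores rules with CIDRs narrower than 0.0.0.0/0, which can't cover an arbitrary internet peer anyway.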

Create a Lambda execution role for your VPC

1.    Open the Roles page in the AWS Identity and Access Management (IAM) console.

2.    Choose Create role. The Create role page opens.

3.    On the Create role page, do the following:
For Select type of trusted entity, choose AWS service.
For Common use cases, choose Lambda.
Choose Next: Permissions.
Under Attach permissions policies, search for AWSLambdaVPCAccessExecutionRole. Select the policy with that name. Then, choose Next: Tags. This AWS managed policy grants the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface permissions that Lambda needs to manage the function's elastic network interfaces in your VPC, plus permission to write logs to CloudWatch Logs.
(Optional) Add tags for your use case.
Choose Next: Review.
For Role name, enter a name for your Lambda execution role. For example: lambda_vpc_basic_execution.
(Optional) For Role description, enter a description of the role.
Choose Create role.

For more information, see AWS Lambda execution role and Creating an execution role in the IAM console.

Configure your Lambda function to connect to your Amazon VPC

1.    Open the Functions page in the Lambda console.

2.    Choose the name of the function that you want to connect to your Amazon VPC.

3.    Choose Configuration.

4.    Under Execution role, for Existing role, choose the Lambda execution role that you created.

5.    Under VPC, choose Edit. Then, do the following:
For Virtual Private Cloud (VPC), choose your VPC.
For Subnets, select the private subnets that you created. Identify them by their subnet IDs (and names, if you named them).
For Security groups, choose a security group.
Note: The default security group allows all outbound traffic and is sufficient for most use cases. Security group rules are stateful, so you don't need an inbound rule for the return traffic of connections that the function opens. For least privilege, create a dedicated security group for the function with outbound rules limited to the ports and destinations it actually needs (for example, TCP 443 to 0.0.0.0/0), and don't add inbound rules unless something must connect to the function's network interfaces. For more information, see Security Groups for Your VPC.
Choose Save.
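Once the function is saved with its VPC configuration, the quickest confirmation is to have it open a connection and report what happened. The handler below is an added example written for this article, not code from the AWS documentation. Its point is the failure mode: a private subnet whose 0.0.0.0/0 route is missing, blackhole, or pointed at an internet gateway does not produce an error, the SYN simply never gets a reply and `connect()` hangs until the function times out, so the probe runs under its own short timeout and distinguishes a DNS failure, a connect timeout, and an immediate refusal. The default host and port and the event shape `{"host": ..., "port": ...}` are assumptions.

```python
"""Egress probe for a VPC-connected Lambda function. A private subnet with no working NAT
route does not produce an error: TCP SYNs leave the network interface and nothing comes
back, so connect() hangs until the function times out. This handler resolves the target,
attempts one TCP connection under a hard timeout and reports which stage failed.
Example written for this article, not AWS code. The default host and port and the event
shape {"host": ..., "port": ...} are assumptions.
"""
import socket
import time


def probe_tcp(host, port, timeout=3.0):
    """Resolve host, then try one TCP connect with a hard timeout. Never raises."""
    started = time.monotonic()
    result = {"host": host, "port": port}
    try:
        address = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        # Resolution failed: outbound DNS (UDP 53) is blocked, or the name does not exist.
        result.update(ok=False, stage="dns", error=str(exc))
        result["seconds"] = round(time.monotonic() - started, 3)
        return result
    result["address"] = address
    try:
        with socket.create_connection((address, port), timeout=timeout):
            result.update(ok=True, stage="connect")
    except socket.timeout:
        # Packets left the ENI and nothing came back: check the subnet's 0.0.0.0/0 route
        # (active, NAT target) and the network ACL's inbound ephemeral ports.
        result.update(ok=False, stage="connect", error=f"timed out after {timeout}s")
    except OSError as exc:
        # Immediate failure such as connection refused: the path works, the peer said no.
        result.update(ok=False, stage="connect", error=str(exc))
    result["seconds"] = round(time.monotonic() - started, 3)
    return result


def lambda_handler(event, context):
    """Lambda entry point. Keeps the probe timeout below the remaining invocation time so
    the result is logged instead of being cut off by the function timeout."""
    host = event.get("host", "example.com")
    port = int(event.get("port", 443))
    budget = context.get_remaining_time_in_millis() / 1000 - 1 if context else 3.0
    result = probe_tcp(host, port, timeout=max(0.5, min(3.0, budget)))
    print(result)  # goes to the function's CloudWatch Logs stream
    return result
```

Deploy it with the execution role and VPC settings from this article, invoke it with a test event, and read the result in the function's log stream: `"stage": "dns"` points at the network ACL's outbound rules or the VPC's DNS settings, a `"connect"` timeout points at the private subnet's route table or the inbound ephemeral-port rules, and `"ok": true` with a short `"seconds"` value means the NAT path works.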