I want to connect an AWS Lambda function to resources that are located in a dedicated AWS virtual private cloud (VPC).

Because AWS Lambda does not currently support running in dedicated tenancy VPCs, you must peer the dedicated VPC to a regular VPC that contains your Lambda function.

This article assumes that you understand NodeJS and creating Lambda functions.

Configure the VPCs

  1. In the Amazon VPC console, create a default tenancy VPC with a 10.0.0.0/16 CIDR block and a dedicated tenancy VPC with a 11.0.0.0/16 CIDR block. If you are using a different CIDR block, be sure that the default and dedicated VPCs have different, non-overlapping, blocks. (Note: Skip this step if you already set up a default tenancy VPC.)
  2. In the navigation pane, choose Peering Connections.
  3. Choose Create VPC Peering Connection.
  4. Type the name of your dedicated tenancy VPC in the Name tag field and the VPC ID for the default tenancy VPC in the Local VPC to peer field. Select the My account radio button, type the VPC ID for the dedicated tenancy VPC in the VPC field, and then choose Create VPC Peering Connection.
  5. Configure the route tables to enable communication between the two VPCs.

Dedicated tenancy VPC:

Destination    Target          Status   Propagated
12.0.0.0/16    Local           Active   No
11.0.0.0/16    <pcx-aaaabbbb>  Active   No

Peering tenancy VPC:

Destination    Target          Status   Propagated
11.0.0.0/16    Local           Active   No
12.0.0.0/16    <pcx-aaaabbbb>  Active   No
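Before testing the Lambda function, it is worth checking the two route tables offline. The following added example (not part of the AWS article) parses route-table dumps in the layout shown above and verifies that the two VPC CIDR blocks do not overlap and that each table routes the other VPC's block through the peering connection. The sample tables and the peering connection ID are constructed for the example.

```python
import ipaddress

# Constructed sample route tables in the page's layout (not from a real account).
PCX_ID = "pcx-aaaabbbb"
DEFAULT_TABLE = """Destination Target Status Propagated
10.0.0.0/16 Local Active No
11.0.0.0/16 <pcx-aaaabbbb> Active No
"""
DEDICATED_TABLE = """Destination Target Status Propagated
11.0.0.0/16 Local Active No
10.0.0.0/16 <pcx-aaaabbbb> Active No
"""


def parse_route_table(text):
    """Parse a whitespace-separated dump (Destination Target Status Propagated)
    into (destination_network, target) tuples, skipping the header line."""
    routes = []
    for line in text.strip().splitlines()[1:]:
        dest, target, *_ = line.split()
        routes.append((ipaddress.ip_network(dest, strict=False), target.strip("<>")))
    return routes


def check_peering(vpc_a_cidr, vpc_b_cidr, routes_a, routes_b, pcx_id):
    """Return a list of findings; an empty list means the peering routes look right.
    Checks: the CIDRs do not overlap, each table has a Local route for its own
    block and a route to the other VPC's block that targets the peering connection."""
    a = ipaddress.ip_network(vpc_a_cidr)
    b = ipaddress.ip_network(vpc_b_cidr)
    findings = []
    if a.overlaps(b):
        findings.append(f"CIDR blocks overlap: {a} and {b}; peering cannot route between them")
    for name, own, other, routes in (("A", a, b, routes_a), ("B", b, a, routes_b)):
        targets = dict(routes)
        if targets.get(own) != "Local":
            findings.append(f"VPC {name}: missing or non-Local route for its own block {own}")
        if targets.get(other) != pcx_id:
            findings.append(f"VPC {name}: no route for {other} via {pcx_id}")
    return findings


if __name__ == "__main__":
    result = check_peering("10.0.0.0/16", "11.0.0.0/16",
                           parse_route_table(DEFAULT_TABLE),
                           parse_route_table(DEDICATED_TABLE), PCX_ID)
    print(result or "peering routes OK")
```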


Create a Test Function

1.    Create a new Lambda function in the same region as the default tenancy VPC. The following sample code uses the native HTTP interface in NodeJS:

var http = require('http');

exports.handler = (event, context, callback) => {
    // Host and port come from the test event; the function only checks
    // reachability, so it issues a plain HTTP GET for the root path.
    const options = {
        hostname: event.Host,
        port: event.Port
    };

    const response = {};

    http.get(options, (res) => {
        response.httpStatus = res.statusCode;
        res.resume(); // discard the body so the socket is released
        callback(null, response);
    }).on('error', (err) => {
        // Connection failures (e.g. ECONNREFUSED) are returned as the result,
        // not as an invocation error, so the message shows up in the test output.
        callback(null, err.message);
    });
};

2.    Be sure to choose the lambda_basic_vpc_execution role. If this role doesn't exist, choose Create New Role and then enter the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

3.    For VPC configuration, choose default tenancy VPC.

4.    Choose Create.

Test the connectivity

1.    Launch an EC2 instance in your dedicated VPC, if one is not already running.

2.    Verify that the network access control lists (ACLs) of the subnets in both VPCs, as well as the EC2 instance's security group, allow traffic on the port that you are testing.

3.    To test, verify that a service is running on the EC2 instance that the Lambda function can send a request to. Because the ping command is not supported in the Lambda environment, configure the server to respond to an HTTP request. Because running a listener on port 80 requires sudo, run the test server on port 8080 and then redirect port 80 to it:

$ sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
$ python -V
# If python version is 2.x:
$ python -m SimpleHTTPServer 8080
# If python version is 3.x
$ python -m http.server 8080

4.    Configure the test event, replacing <your-host> and <port> with the IP address or hostname and desired port of your EC2 instance:

{
  "Host": "<your-host>",
  "Port": <port>
}

5.    To verify that the connection was successful, check for output similar to the following:

{
  "httpStatus": 200
}

If the function output shows non-nil values for average, max, and min latency, then your VPC peering connection is set up successfully.

If the connection can't be made, then the response output looks like this:

"connect ECONNREFUSED <your-host>:<port>"


Published: 2016-08-22

Updated: 2018-04-10