How do I use AWS Systems Manager to troubleshoot internet access issues for an AWS Lambda function that's in an Amazon VPC?

2 minute read

I granted internet access to my AWS Lambda function that's in an Amazon Virtual Private Cloud (Amazon VPC). Now, the function loses internet access or times out.

Short description

Verify that the following resources allow outbound internet access to your Lambda function:

If any of the preceding resources don't grant internet access to your Lambda function, then reconfigure the resource to grant your function internet access.

To manually review the resources, see How do I give internet access to a Lambda function that's connected to an Amazon VPC? To automate the troubleshooting process, use the AWSSupport-TroubleshootLambdaInternetAccess AWS Systems Manager runbook.

Resolution

To use the AWSSupport-TroubleshootLambdaInternetAccess runbook, complete the following steps:

Open the Systems Manager console.
In the left navigation pane, under Change Management, choose Automation.
Choose Execute automation.
Choose the Owned by Amazon tab, and then search for AWSSupport-TroubleshootLambdaInternetAccess.
Choose the icon for the AWSSupport-TroubleshootLambdaInternetAccess card.
Note: Don't choose the name of the automation.
Choose Next.
(Optional) In the Input parameters section, for AutomationAssumeRole, enter the ARN of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform actions. If an IAM role isn't specified, then Systems Manager Automation uses the permissions of the IAM user role that runs the document. For more information, see Use IAM to configure roles for Automation.
Important: Either the AutomationAssumeRole or user role must have permissions for the following actions:
GetFunction
DescribeRouteTables
DescribeNatGateways
DescribeSecurityGroups
DescribeNetworkAcls
For FunctionName, enter the name of the function.
For destinationIp, enter the destination IP address where you want to initiate outbound internet access.
For destinationPort, enter the destination port where you want to initiate outbound internet access.
Choose Execute.

The runbook's output provides the status of each resource that might cause the loss of internet connectivity for your Lambda function. The output also provides recommendations for how to resolve the issue as an "Analysis" message.

Note: For more information about AWS System Manager automation runbooks, see Creating your own runbooks.

Topics

Management & Governance End User Computing

Relevant content

Allow Lambda to Access AWS Services+VPC+Internet
Papyna
asked 2 years ago
API to get all the resources that is used in an AWS account
Ragul
asked 2 years ago
How to use Systems Manager - Fleet Manager across an AWS Organization
Accepted Answer
larryjkl
asked a year ago
Issue using a single lambda to access RDS resource on VPC and access internet
Andrew
asked 2 months ago
How do I configure an Amazon MQ instance that's in a VPC to invoke a Lambda function?
Accepted Answer
Jason_W
asked 3 years ago
How do I give internet access to a Lambda function that's connected to an Amazon VPC?
AWS OFFICIALUpdated a year ago
How do I get a Lambda function in a VPC to access Systems Manager Parameter Store?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot timeout issues with a Lambda function that's in an Amazon VPC?
AWS OFFICIALUpdated 4 months ago
How do I troubleshoot connectivity issues that I'm experiencing while using an Amazon VPC?
AWS OFFICIALUpdated a year ago
Configuring AWS Systems Manager for use with VMware Cloud on AWS
EXPERT
Jonas Werner
published 9 months ago