How can I troubleshoot Lambda function connectivity issues to an Amazon VPC using Reachability Analyzer?


I want to troubleshoot AWS Lambda function connection issues to an Amazon Virtual Private Cloud (Amazon VPC) using VPC Reachability Analyzer.

Short description

You can configure a Lambda function to access resources inside an Amazon VPC. When you do, Lambda creates an elastic network interface in each subnet that you specify and sends the function's VPC-bound traffic through that interface, so the subnet's route table, the network ACL, and the function's security groups all apply to that traffic. To troubleshoot network connectivity issues, you can use Reachability Analyzer, a configuration analysis tool that checks whether a path is allowed by those resources without sending any packets.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Get the network interface IDs for Lambda functions using the AWS Management Console

1.    Open the Functions page of the Lambda console, and then choose your function.

2.    Choose the Configuration tab.

3.    In General configuration, choose VPC. Copy or note the VPC ID, subnet IDs, and security group IDs.

4.    Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

5.    In the navigation pane, from Network & Security, choose Network Interfaces.

6.    In the search bar, enter the following API filters:

VPC ID = <your VPC ID>
Subnet ID = <your subnet ID>
Security group IDs = <your security group ID>
Interface Type = lambda

7.    Copy the network interface ID from the Details section.

Get the network interface IDs for Lambda functions using the AWS CLI

1.    Run the AWS CLI command get-function-configuration to retrieve the Lambda function's Amazon VPC configuration:

aws lambda get-function-configuration --function-name <function_name> --query 'VpcConfig'

2.    Copy the VpcId, SecurityGroupIds, and SubnetIds from the output.

3.    Run the AWS CLI command describe-network-interfaces to retrieve the network interface ID. Replace the values in this example with your IDs from step 2; if the function uses more than one subnet or security group, list them comma-separated in Values:

aws ec2 describe-network-interfaces --filters 'Name=vpc-id,Values=vpc-12345678' 'Name=subnet-id,Values=subnet-12345678' 'Name=interface-type,Values=lambda' 'Name=group-id,Values=sg-12345678' --query 'NetworkInterfaces[*].NetworkInterfaceId'

Copy the network interface ID in the output for "NetworkInterfaceId". Note that Lambda shares a network interface among functions that use the same subnet and security group combination, so the interface that you find might also serve other functions in the account.

Create and analyze a path with Reachability Analyzer

1.    Open the AWS Network Manager console.

2.    In the navigation pane, choose Reachability Analyzer.

3.    Choose Create and analyze path.

4.    Choose the Source type dropdown list, and then choose Network Interfaces.

5.    Choose the Source dropdown list, and then enter the network interface ID.

6.    Choose the Destination type dropdown list, and then choose your destination type.

7.    For Protocol, choose TCP or UDP, depending on your use case.

8.    Choose Create and analyze path.

View the results of the path analysis

After the path analysis completes, you can view the results of the path analysis.

The results show whether a path was found and list the components that the path traverses. If the path isn't reachable, the results include an explanation that identifies the blocking component, for example a security group rule, a network ACL rule, or a missing route. If the reachability status matches your intent, then there's no further action required. If the reachability status doesn't match your intent, then change the configuration named in the explanation and analyze the path again.
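The same procedure end to end, as an added example that is not part of the original article: look up the function's VPC configuration, find its Lambda-type network interfaces, create a Reachability Analyzer path from the first one, poll the analysis, and reduce the result to the reachability status, the hops traversed, and the explanation codes. It shells out to the AWS CLI (`aws` on PATH with credentials for lambda:GetFunctionConfiguration, ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInsightsPath, ec2:StartNetworkInsightsAnalysis and ec2:DescribeNetworkInsightsAnalyses); the function name, destination ID, port and the SAMPLE_ANALYSIS document are assumptions constructed for illustration.

```python
"""Find a Lambda function's VPC network interfaces and analyze a path from one
of them with Reachability Analyzer. Added example; requires the AWS CLI."""
import json
import subprocess
import sys
import time


def aws(*args):
    """Run one AWS CLI command and return its parsed JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def build_eni_filters(vpc_config):
    """Translate a Lambda VpcConfig block into describe-network-interfaces
    filters. interface-type=lambda excludes other interfaces in the same
    subnet and security group (for example EC2 instances)."""
    if not vpc_config.get("VpcId"):
        raise ValueError("function is not attached to a VPC")
    return [
        f"Name=vpc-id,Values={vpc_config['VpcId']}",
        f"Name=subnet-id,Values={','.join(vpc_config['SubnetIds'])}",
        f"Name=group-id,Values={','.join(vpc_config['SecurityGroupIds'])}",
        "Name=interface-type,Values=lambda",
    ]


def lambda_eni_ids(function_name):
    """Steps 1-3 of the CLI procedure: VpcConfig -> matching ENI IDs."""
    cfg = aws("lambda", "get-function-configuration",
              "--function-name", function_name).get("VpcConfig") or {}
    resp = aws("ec2", "describe-network-interfaces",
               "--filters", *build_eni_filters(cfg))
    return [eni["NetworkInterfaceId"] for eni in resp["NetworkInterfaces"]]


def analyze_path(source_eni, destination, protocol="tcp", port=443, timeout=300):
    """Create a path, start an analysis and poll until it finishes.
    Returns the raw NetworkInsightsAnalysis document."""
    path = aws("ec2", "create-network-insights-path",
               "--source", source_eni, "--destination", destination,
               "--protocol", protocol, "--destination-port", str(port))
    path_id = path["NetworkInsightsPath"]["NetworkInsightsPathId"]
    started = aws("ec2", "start-network-insights-analysis",
                  "--network-insights-path-id", path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        resp = aws("ec2", "describe-network-insights-analyses",
                   "--network-insights-analysis-ids", analysis_id)
        current = resp["NetworkInsightsAnalyses"][0]
        if current["Status"] in ("succeeded", "failed"):
            return current
        time.sleep(5)
    raise TimeoutError(f"analysis {analysis_id} did not finish in {timeout}s")


def summarize(analysis):
    """Reduce an analysis document to what a responder needs: whether a path
    exists, which components it traversed, and the explanation codes that
    name the blocking component."""
    hops = [(c.get("SequenceNumber"), c.get("Component", {}).get("Id"))
            for c in analysis.get("ForwardPathComponents", [])]
    codes = sorted({e["ExplanationCode"] for e in analysis.get("Explanations", [])
                    if "ExplanationCode" in e})
    return {"status": analysis.get("Status"),
            "reachable": bool(analysis.get("NetworkPathFound")),
            "hops": hops, "explanations": codes}


# Constructed sample of an unreachable result (not real API output): the path
# stops at the source interface and the explanation blames its security group.
SAMPLE_ANALYSIS = {
    "Status": "succeeded",
    "NetworkPathFound": False,
    "ForwardPathComponents": [
        {"SequenceNumber": 1, "Component": {"Id": "eni-0123456789abcdef0"}},
    ],
    "Explanations": [
        {"ExplanationCode": "ENI_SG_RULES_MISMATCH",
         "SecurityGroup": {"Id": "sg-12345678"}},
        {"ExplanationCode": "ENI_SG_RULES_MISMATCH"},
    ],
}


if __name__ == "__main__":
    # Usage: python reach.py <function-name> <destination-id> (e.g. an ENI or
    # instance ID); both values are assumptions supplied by the caller.
    enis = lambda_eni_ids(sys.argv[1])
    if not enis:
        sys.exit(f"no Lambda network interfaces found for {sys.argv[1]}")
    print(json.dumps(summarize(analyze_path(enis[0], sys.argv[2])), indent=2))
```

If the function uses several subnets, run analyze_path once per interface; a route or ACL problem in one Availability Zone shows up only on the path from that subnet's interface.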

For more information, see Getting started with Reachability Analyzer.


Related information

How do I use the VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

New – VPC Reachability Analyzer

AWS OFFICIAL, updated a year ago