VPC中的Lambda函數無法訪問Internet

我的Lambda函數可以訪問VPC中的其他資源，但一旦它嘗試向Internet發出請求，它就會超時。我有以下幾點：VPC中的Lambda函數無法訪問Internet

兩個專用子網
路由表的路由0.0.0.0/0互聯網網關。
一對夫婦的ACL規則和LAMBDA安全組

任何幫助將是有益的。這裏是我的CF模板：

AWSTemplateFormatVersion: 2010-09-09 
Description: VPC Stack 
Resources: 
    VPC: 
    Type: 'AWS::EC2::VPC' 
    Properties: 
     CidrBlock: 10.0.0.0/16 
     EnableDnsHostnames: true 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Subnet1: 
    Type: 'AWS::EC2::Subnet' 
    Properties: 
     VpcId: !Ref VPC 
     CidrBlock: 10.0.3.0/24 
     AvailabilityZone: 'us-east-1b' 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Subnet2: 
    Type: 'AWS::EC2::Subnet' 
    Properties: 
     VpcId: !Ref VPC 
     CidrBlock: 10.0.4.0/24 
     AvailabilityZone: 'us-east-1e' 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    InternetGateway: 
    Type: 'AWS::EC2::InternetGateway' 
    Properties: 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    AttachGateway: 
    Type: 'AWS::EC2::VPCGatewayAttachment' 
    Properties: 
     VpcId: !Ref VPC 
     InternetGatewayId: !Ref InternetGateway 
    RouteTable: 
    Type: 'AWS::EC2::RouteTable' 
    Properties: 
     VpcId: !Ref VPC 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Route: 
    Type: 'AWS::EC2::Route' 
    DependsOn: AttachGateway 
    Properties: 
     RouteTableId: !Ref RouteTable 
     DestinationCidrBlock: 0.0.0.0/0 
     GatewayId: !Ref InternetGateway 
    SubnetRouteTableAssociation1: 
    Type: 'AWS::EC2::SubnetRouteTableAssociation' 
    Properties: 
     SubnetId: !Ref Subnet1 
     RouteTableId: !Ref RouteTable 
    SubnetRouteTableAssociation2: 
    Type: 'AWS::EC2::SubnetRouteTableAssociation' 
    Properties: 
     SubnetId: !Ref Subnet2 
     RouteTableId: !Ref RouteTable 
    NetworkAcl: 
    Type: 'AWS::EC2::NetworkAcl' 
    Properties: 
     VpcId: !Ref VPC 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    InboundHTTPNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '100' 
     Protocol: '6' 
     RuleAction: allowAWSTemplateFormatVersion: 2010-09-09 
Description: VPC Stack 
Resources: 
    VPC: 
    Type: 'AWS::EC2::VPC' 
    Properties: 
     CidrBlock: 10.0.0.0/16 
     EnableDnsHostnames: true 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Subnet1: 
    Type: 'AWS::EC2::Subnet' 
    Properties: 
     VpcId: !Ref VPC 
     CidrBlock: 10.0.3.0/24 
     AvailabilityZone: 'us-east-1b' 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Subnet2: 
    Type: 'AWS::EC2::Subnet' 
    Properties: 
     VpcId: !Ref VPC 
     CidrBlock: 10.0.4.0/24 
     AvailabilityZone: 'us-east-1e' 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    InternetGateway: 
    Type: 'AWS::EC2::InternetGateway' 
    Properties: 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    AttachGateway: 
    Type: 'AWS::EC2::VPCGatewayAttachment' 
    Properties: 
     VpcId: !Ref VPC 
     InternetGatewayId: !Ref InternetGateway 
    RouteTable: 
    Type: 'AWS::EC2::RouteTable' 
    Properties: 
     VpcId: !Ref VPC 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    Route: 
    Type: 'AWS::EC2::Route' 
    DependsOn: AttachGateway 
    Properties: 
     RouteTableId: !Ref RouteTable 
     DestinationCidrBlock: 0.0.0.0/0 
     GatewayId: !Ref InternetGateway 
    SubnetRouteTableAssociation1: 
    Type: 'AWS::EC2::SubnetRouteTableAssociation' 
    Properties: 
     SubnetId: !Ref Subnet1 
     RouteTableId: !Ref RouteTable 
    SubnetRouteTableAssociation2: 
    Type: 'AWS::EC2::SubnetRouteTableAssociation' 
    Properties: 
     SubnetId: !Ref Subnet2 
     RouteTableId: !Ref RouteTable 
    NetworkAcl: 
    Type: 'AWS::EC2::NetworkAcl' 
    Properties: 
     VpcId: !Ref VPC 
     Tags: 
     - Key: Application 
      Value: !Ref 'AWS::StackId' 
    InboundHTTPNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '100' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'false' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '80' 
     To: '80' 
    InboundSSHNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '101' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'false' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '22' 
     To: '22' 
    InboundResponsePortsNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '102' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'false' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '1024' 
     To: '65535' 
    OutBoundNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '103' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'true' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '0' 
     To: '65535' 
    SubnetNetworkAclAssociation1: 
    Type: 'AWS::EC2::SubnetNetworkAclAssociation' 
    Properties: 
     SubnetId: !Ref Subnet1 
     NetworkAclId: !Ref NetworkAcl 
    SubnetNetworkAclAssociation2: 
    Type: 'AWS::EC2::SubnetNetworkAclAssociation' 
    Properties: 
     SubnetId: !Ref Subnet2 
     NetworkAclId: !Ref NetworkAcl 
    LambdaSecurityGroup: 
     Type: AWS::EC2::SecurityGroup 
     Properties: 
      VpcId: !Ref VPC 
      GroupDescription: Access to Lambda functions 
      SecurityGroupIngress: 
      - CidrIp: 0.0.0.0/0 
       IpProtocol: -1 
     SecurityGroupEgress: 
      - CidrIp: 0.0.0.0/0 
       IpProtocol: -1 
Outputs: 
    VpcId: 
    Description: VPC ID 
    Value: !Ref VPC 
    Export: 
     Name: !Sub "Portal-VpcId" 
    Subnet1: 
    Description: Subnet ID 1 
    Value: !Ref Subnet1 
    Export: 
     Name: !Sub "Portal-SubnetID1" 
    Subnet2: 
    Description: Subnet ID 2 
    Value: !Ref Subnet2 
    Export: 
     Name: !Sub "Portal-SubnetID2"  
    LambdaSecurityGroup: 
    Description: Access to Lambda functions 
    Value: !Ref LambdaSecurityGroup 
    Export: 
     Name: !Sub "LambdaSecurityGroup"  
     Egress: 'false' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '80' 
     To: '80' 
    InboundResponsePortsNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '102' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'false' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '1024' 
     To: '65535' 
    OutBoundNetworkAclEntry: 
    Type: 'AWS::EC2::NetworkAclEntry' 
    Properties: 
     NetworkAclId: !Ref NetworkAcl 
     RuleNumber: '103' 
     Protocol: '6' 
     RuleAction: allow 
     Egress: 'true' 
     CidrBlock: 0.0.0.0/0 
     PortRange: 
     From: '0' 
     To: '65535' 
    SubnetNetworkAclAssociation1: 
    Type: 'AWS::EC2::SubnetNetworkAclAssociation' 
    Properties: 
     SubnetId: !Ref Subnet1 
     NetworkAclId: !Ref NetworkAcl 
    SubnetNetworkAclAssociation2: 
    Type: 'AWS::EC2::SubnetNetworkAclAssociation' 
    Properties: 
     SubnetId: !Ref Subnet2 
     NetworkAclId: !Ref NetworkAcl 
    LambdaSecurityGroup: 
     Type: AWS::EC2::SecurityGroup 
     Properties: 
      VpcId: !Ref VPC 
      GroupDescription: Access to Lambda functions 
      SecurityGroupIngress: 
      - CidrIp: 0.0.0.0/0 
       IpProtocol: -1 
      SecurityGroupEgress: 
      - CidrIp: 0.0.0.0/0 
       IpProtocol: -1 
Outputs: 
    VpcId: 
    Description: VPC ID 
    Value: !Ref VPC 
    Export: 
     Name: !Sub "Portal-VpcId" 
    Subnet1: 
    Description: Subnet ID 1 
    Value: !Ref Subnet1 
    Export: 
     Name: !Sub "Portal-SubnetID1" 
    Subnet2: 
    Description: Subnet ID 2 
    Value: !Ref Subnet2 
    Export: 
     Name: !Sub "Portal-SubnetID2"  
    LambdaSecurityGroup: 
    Description: Access to Lambda functions 
    Value: !Ref LambdaSecurityGroup 
    Export: 
     Name: !Sub "LambdaSecurityGroup"

CF模板2：

來源

2017-11-17 Dominick Piganell

看到的是https將所有向外的連接：//aws.amazon .com/premiumsupport/knowledge-center/internet-access-lambda-function/ – jarmod

在VPC內部執行Lambda函數時，Lambda函數將只接收私有IP地址。它不會收到公共IP地址。

爲了任何AWS服務器通過互聯網網關來訪問公共互聯網，它必須：

有一個公網IP地址，並
在一個公共子網（即一個子網。直接訪問互聯網網關）

由於您的Lambda函數沒有該公共IP地址，因此它無法訪問互聯網，即使它位於公有子網中。

要解決此問題，您必須在專用子網中執行Lambda函數。這是一個子網：

沒有到Internet網關的直接訪問，並
通過NAT實例或NAT網關

來源

2017-11-18 18:48:06

您通過NAT實例需要途徑，如果你想拉姆達與Internet進行通信。

向您現有的VPC子網添加兩個子網和一個NAT網關。然後，在新的子網中設置路由表，通過NAT路由Internet。

來源

2017-11-17 23:19:30

@DominickPiganell - 澄清爲什麼* Chris *說你還需要兩個子網：當子網路由到Internet網關時，它是一個_public_子網。專用子網不通過IGW路由，但可能通過NAT網關（與NAT實例不同）路由。 – kdgregory

VPC中的Lambda函數無法訪問Internet

回答

相關問題