Using boto in an AWS lambda function in a VPC

amazon-lambdaamazon-vpcamazon-web-servicesboto

I have a lambda that accesses EC2. I want to assign it to a VPC for security purposes, but when I do boto just stops working. Here's a minimal example:

ec2 = boto3.resource('ec2', region_name='eu-west-2')
instances = ec2.instances.filter(Filters=[
  {
    'Name': 'vpc-id',
    'Values': [vpc_id]
  }
])
for instance in instances:
  # function hangs here
  print(instance)

The Lambda's role has the neccessary permissions on ec2, and works fine outside the VPC. When I put the lambda in the VPC (in a security group that allows all outbound traffic), it hangs. What do I need to do?

Best Answer

The issue was that I needed to have a NAT on the subnet the Lambda function is running in - an Internet Gateway is not enough!

I'm assuming that this is because the Lambda runs only privately, and the Internet Gateway, allowing 2-way traffic, would not allow routes to/from the Lambda.

Adding the Lambda to a private subnet with a NAT attached fixed this problem.

Related Solutions

How to authorize connections to non-VPC EC2 instances from the instances in a VPC via the igw-xxxx Internet Gateway

In order for the 10.0.0.88 instance to access the Internet (or EC2) via the Internet Gateway (IGW), the instance either needs to have an associated Elastic IP Address or needs to be talking through a NAT instance (which has an Elastic IP Address).

To lock down an EC2 security group to allow traffic from the VPC instance, specify the allowed source as the Elastic IP Address from either the instance itself or the NAT instance, as discussed above (ex. 192.0.2.25/32).

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

How to authorize connections to non-VPC EC2 instances from the instances in a VPC via the igw-xxxx Internet Gateway

AWS CloudFormation: VPC default security group

Related Topic