AWS Knowledge Center Videos: How do I give internet access to my Lambda function in a VPC?


For our demo today, I'll assume you want to use some of your pre-existing subnets. The subnets I'll be starting with will have no configuration at all; please refer to the Amazon VPC documentation if you need help creating new subnets in your VPC. You'll see I'm already logged in to my AWS Management Console.

Open your VPC console, located under the Networking & Content Delivery section. Go to Subnets and note which subnets you'd like to use; you can simply label them by editing their name fields. You'll need at least one private subnet for your function and a public subnet for a NAT gateway. To keep your VPC organized and keep track of the IP addresses in use by Lambda, I also recommend that you dedicate these subnets exclusively to your Lambda functions and keep them separate from the subnets used by your EC2 instances.

Next, go to Route Tables and create two new route tables for your VPC, labeled "public subnet" and "private lambda". Choose the public route table, go to Subnet Associations, choose Edit, select the checkbox for your public subnet, and choose Save. Your new route table is now associated with your public subnet. Repeat this process for the private subnets: select your "private lambda" route table, go to Subnet Associations, click Edit, and select your private Lambda subnets. It's best practice to have private subnets in multiple Availability Zones for redundancy. Click Save, and your route table is now associated with your private Lambda subnets.

Now let's configure our public subnet. First, go to Internet Gateways and create a new internet gateway; here I'll call it "lambda VPC demo". Attach this internet gateway to your VPC: here we'll select the lambda VPC demo VPC and click Yes, Attach. The internet gateway is now attached to your VPC and ready for use. Go back to Route Tables, select your public route table, go to the Routes tab, select Edit, and add another route. For the destination use 0.0.0.0/0; the target will be the internet gateway (igw) you just created. Click Save. The route 0.0.0.0/0 is the default route, which directs all traffic that does not match any other route in the table; this typically means internet-bound traffic.

Now we will configure the private subnets to have internet access by creating a NAT gateway. A NAT gateway allows hosts in your private subnets to reach the internet. Sending traffic through a NAT gateway is what keeps the subnet private, since the subnet itself does not have direct access to the internet. Go to NAT Gateways and choose Create NAT Gateway. Under Subnet, select the public subnet. Select an available Elastic IP or create a new one; this is the public address your function's packets will have as they leave the NAT gateway, and you can provide this IP address to public service providers for allow-listing if necessary. Choose the Create a NAT Gateway button and note the NAT gateway ID. Choose Edit Route Tables, which takes you back to the Route Tables page. Just as we did on the public route table, we'll add the default route to the private route table: select your private route table, on the Routes tab select Edit, choose Add Another Route, and again add the default route 0.0.0.0/0; this time your target will be the NAT gateway you just created. Choose Save.

Now you have two subnets: a private subnet with a default route pointing to a NAT gateway, and a public subnet that hosts the NAT gateway and whose default route points to your VPC's internet gateway.

For Lambda to create the elastic network interfaces (ENIs) that your functions will use, your function's IAM execution role must have several EC2 permissions. To check these, go to your IAM console, found under Security, Identity & Compliance. In the IAM console, go to Roles and select the desired Lambda execution role. Here I've already created an execution role called "lambda VPC basic execution". This role should include the managed policy AWSLambdaVPCAccessExecutionRole; if it's not already present, you will need to add this policy to the execution role. Select your role, click Attach Policy, search for the VPC access execution role policy, select it, and click Attach Policy.

Now you're ready to configure your Lambda function. Go to the Lambda console, found under the Compute section, and select your function or create a new one. On the function's main Configuration tab, scroll down to the Network section and expand it; you'll see the VPC drop-down. Select your VPC. In the Subnets drop-down, select the private subnets that you've already defined for Lambda; again, it's best practice to use multiple Availability Zones for redundancy. Below the Subnets section are the security groups. Select the security group you would like to use with your Lambda function. For security, choose an appropriate security group; here we'll just use the VPC's default group, which has adequate rules to allow outbound internet traffic. You will need to make sure the security group you choose allows outbound connections to any endpoints your function needs to reach; usually this is already the case, because security groups allow all outbound traffic by default. Additionally, the security groups attached to any VPC resources your function needs to access, such as an EC2 instance or an RDS database instance, should authorize inbound traffic from the group you choose.

Select the Lambda execution role you previously set up that includes the AWS VPC access policy: scroll back up to the Execution Role section, choose "Choose an existing role", and select the VPC basic execution role. Once set, go back up to the top of the page and click Save. You can now test your function, and it should be able to reach the internet.
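The routing topology built above is easy to get subtly wrong: a NAT gateway placed in a subnet that has no internet-gateway route, a Lambda subnet whose default route points straight at the internet gateway (Lambda ENIs only get private addresses, so that path never works), or a function attached to subnets in a single Availability Zone. The following is an added example written for this page, not code from the video or from AWS, that encodes those checks as an offline validator. The data structures are constructed here with placeholder IDs and mirror only a subset of the fields that `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-internet-gateways` return; in practice you would feed in the real output of those calls.

```python
import copy

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample topology with placeholder IDs (not real resources):
# one public subnet hosting the NAT gateway and two private Lambda subnets
# in different Availability Zones, as built in the walkthrough above.
SAMPLE_VPC = {
    "InternetGatewayIds": ["igw-0example"],
    "NatGateways": [
        {"NatGatewayId": "nat-0example", "SubnetId": "subnet-public-a", "State": "available"},
    ],
    "SubnetAzs": {
        "subnet-public-a": "us-east-1a",
        "subnet-lambda-a": "us-east-1a",
        "subnet-lambda-b": "us-east-1b",
    },
    "RouteTables": [
        {
            "RouteTableId": "rtb-public",
            "Associations": [{"SubnetId": "subnet-public-a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0example"},
            ],
        },
        {
            "RouteTableId": "rtb-private-lambda",
            "Associations": [{"SubnetId": "subnet-lambda-a"}, {"SubnetId": "subnet-lambda-b"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0example"},
            ],
        },
    ],
}


def route_table_for(vpc, subnet_id):
    """Explicitly associated table, else the VPC's main table (implicit association)."""
    main = None
    for rtb in vpc["RouteTables"]:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route(rtb):
    """The 0.0.0.0/0 route of a table, or None when the table has no default route."""
    if rtb is None:
        return None
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route
    return None


def subnet_is_public(vpc, subnet_id):
    """A subnet is public when its default route targets an IGW attached to this VPC."""
    route = default_route(route_table_for(vpc, subnet_id))
    return route is not None and route.get("GatewayId") in vpc["InternetGatewayIds"]


def check_lambda_subnet(vpc, subnet_id):
    """Classify the egress path of one Lambda subnet; returns (status, detail)."""
    route = default_route(route_table_for(vpc, subnet_id))
    if route is None:
        return "no-egress", "no 0.0.0.0/0 route; the function can only reach the VPC"
    if route.get("GatewayId") in vpc["InternetGatewayIds"]:
        # Lambda ENIs carry private addresses only, so a direct IGW route never
        # gets their packets out: the classic "put it in a public subnet" mistake.
        return "igw-direct", "default route targets the IGW; Lambda ENIs have no public IP"
    nat_id = route.get("NatGatewayId")
    if nat_id is None:
        return "unknown-target", f"default route targets {route}"
    nat = next((n for n in vpc["NatGateways"] if n["NatGatewayId"] == nat_id), None)
    if nat is None or nat["State"] != "available":
        return "nat-unavailable", f"{nat_id} is missing or not in the available state"
    if not subnet_is_public(vpc, nat["SubnetId"]):
        return "nat-not-public", f"{nat_id} sits in {nat['SubnetId']}, which has no IGW default route"
    return "ok", f"{subnet_id} -> {nat_id} in {nat['SubnetId']} -> IGW"


def check_lambda_config(vpc, lambda_subnet_ids):
    """Check every subnet in a function's VPC config and whether they span more than one AZ."""
    results = {sid: check_lambda_subnet(vpc, sid) for sid in lambda_subnet_ids}
    az_redundant = len({vpc["SubnetAzs"][sid] for sid in lambda_subnet_ids}) > 1
    return results, az_redundant


def misplaced_nat_variant(vpc):
    """Constructed failure mode: the NAT gateway was created in a private subnet by mistake."""
    broken = copy.deepcopy(vpc)
    broken["NatGateways"][0]["SubnetId"] = "subnet-lambda-a"
    return broken


if __name__ == "__main__":
    for name, topo in (("sample", SAMPLE_VPC), ("misplaced-nat", misplaced_nat_variant(SAMPLE_VPC))):
        print(name, check_lambda_config(topo, ["subnet-lambda-a", "subnet-lambda-b"]))
```

Run it and the sample topology reports `ok` for both Lambda subnets with AZ redundancy, while the variant with the NAT gateway in a private subnet reports `nat-not-public`; swapping a Lambda subnet for the public one reports `igw-direct`, which is the case the console will happily let you save even though the function will never reach the internet.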

Danny Hutson
