AWS Lambda: Unable to access SQS Queue from a Lambda function with VPC access

Question

I have a Lambda function that needs to read messages from an SQS queue using it\'s URL. Then it needs to insert that data to Cassandra running on a server inside a VPC.

Answer 1

I ran into the same kind of problem when I was running lambda function with access to elasticache on the VPC. While the function was configured to run in the VPC, I wasnt able to talk to any other service (specifically codedeploy for me).

As @garnaat pointed out NAT seems to be the only way to go about solving this problem for services without VPC endpoints.

And like you pointed out, I also ran into the same trouble where I could'nt SSH into the machine(s) once I replaced the entry with the IGW in the route table. Seems like detaching the IGW starves the VPC of either the incoming traffic (mostly) or the outgoing traffic from or to the internet respectively. So here's what I did and it worked for me:

Create a new Subnet within the VPC Now, when lambda runs, make sure lambda operates from this subnet. You can do this by using aws-cli like so:

 aws lambda update-function-configuration --function-name your-function-name --vpc-config SubnetIds="subnet-id-of-created-subnet",SecurityGroupIds="sg-1","sg-2"

Make sure you add all the security groups whose inbound and outbound traffic rules apply for your lambda function.

Next, go to Route Tables in the VPC console and create a new route table.

Here is where you add the NAT gateway to the target.

finally go to the Subnet Associations tab in the new route table and add the newly created subnet there.

Thats all this should get it working . Mind you, please treat this as only a workaround. I haven't done much digging and I have a very limited idea on how things get resolved internally while doing this. This might not be an ideal solution.

The ideal solution seems to be to design the VPC before hand. Use subnets to isolate resources/instances that need internet access and that dont(private and public subnets) and place appropriate gateways where needed.( so that you may not have to create a seperate subnet for this purpose later). Thanks