VPC-running AWS Lambda sends SQS message only once

Submitted on 2019-12-13 20:09:39

Question


I have a NodeJS Lambda function running in a private subnet, with allow-all incoming/outgoing policies in both the security group and the NACL (not safe, but they do the job). The private subnet has a NAT gateway sitting in a public subnet of the same VPC, so internet connectivity works.

My goal is to send messages to an SQS queue.

The Lambda code is this:

const AWS = require('aws-sdk')
// Client built once per container; warm invocations reuse it
const sqs = new AWS.SQS()

exports.handler = (event, context, callback) => {
    sqs.sendMessage({
        MessageBody: JSON.stringify(event),
        // Account id is a placeholder
        QueueUrl: 'https://sqs.eu-west-1.amazonaws.com/000000000000/queue-name'
    }, function(err, data) {
        // Log the outcome, then hand either the error or the SendMessage result back to Lambda
        console.log(err, data);
        return callback(err, data);
    });
};

For some reason, this function only runs the first time in each private subnet I put it in. After that it just times out.

{
  "errorMessage": "2017-10-23T17:07:01.675Z 903aaabc-b814-11e7-a727-19816eaa468a Task timed out after 10.00 seconds"
}

And here's the log:

START RequestId: 903aaabc-b814-11e7-a727-19816eaa468a Version: $LATEST
END RequestId: 903aaabc-b814-11e7-a727-19816eaa468a
REPORT RequestId: 903aaabc-b814-11e7-a727-19816eaa468a  Duration: 10002.46 ms   Billed Duration: 10000 ms   Memory Size: 128 MB Max Memory Used: 32 MB  
2017-10-23T17:07:01.675Z 903aaabc-b814-11e7-a727-19816eaa468a Task timed out after 10.00 seconds

If I run the function unattached to a VPC, it works perfectly every time, but I must add some private resource access logic in there, so I can't run it outside of the VPC.

My feeling is that this has to do with the reusable container (infrastructure unit) that the function uses, but my experience with AWS in general and Lambda in particular is too shallow to figure out how that affects it.

I've tried the "warmer" version where the sqs object gets constructed in the handler, but that didn't work any better.

Does anyone have an idea about what I'm doing wrong?


Answer 1:


It seems that this was actually a connectivity issue.

I had 3 public subnets and 3 private ones. The public subnets routed traffic to 0.0.0.0/0 through an Internet Gateway (IGW). The private ones routed traffic to 0.0.0.0/0 through a NAT Gateway that was sitting in one of the public subnets.

The problem was that the NACLs attached to the public subnets only allowed inbound traffic on ports 80, 443 and 49152-65535. It seems that the request to the SQS service was coming on a different port than these.

I've allowed inbound traffic to the public subnets through ports 1024-65535 according to the guide here, although it doesn't seem too secure.



Source: https://stackoverflow.com/questions/46895254/vpc-running-aws-lambda-sends-sqs-message-only-once
