AWS Lambda-RabbitMQ event mapping using VPC endpoints

Published 2025-01-10 06:03:33, 1434 characters, 3 views, 0 comments


TL/DR

Trying to create a Lambda trigger on an AmazonMQ (RabbitMQ) queue, using private subnets and VPC endpoints, does not work.

POC Goal

I'm doing this POC:
An AmazonMQ (RabbitMQ) in a private subnet and a Lambda triggered by incoming messages to the queue.

Disclaimer

All I'll state here is what I'm learning, any correction will be appreciated.

On networking

Since Amazon MQ is an AWS-managed service, it runs in its own network. So, when we ask AWS to place the broker in a subnet, a network interface is created for this broker in the subnet, giving the broker access and reachability in the subnet.

Something similar goes for Lambda: the network interface gives the lambda access to the subnet. But to invoke this lambda, since the invoking endpoints live outside our subnet, there is a need to create a VPC endpoint exposing the lambda endpoints inside the subnet.

The other option is to grant the broker public access (creating public NATs) so the broker can reach the public lambda endpoints.
[image: architecture diagram]

The problem

Simply put, it doesn't work with the VPC endpoints option (it does with the public NATs).

Here is the code I'm using: https://gitlab.com/templates14/terraform-templates/-/tree/master/lambda_rabbitmq_trigger

If you want to test just change the AWS account here:

# here using an AWS profile of my own, change it
provider "aws" {
  region                   = "us-east-1"
  profile                  = "myown-terraform"
}

Analysis

As far as I can tell, the broker and lambda have their network interfaces in the same subnet, the security groups are OK (they allow the needed traffic), and the VPC endpoint is created. But the event mapping (aka the trigger, created manually or using terraform) can never complete the configuration.


Comments (1)

屋顶上的小猫咪 2025-01-17 06:03:33


As @jarmod mentioned (thanks for this), I missed the VPC endpoints for STS and SecretsManager.

Basically, the solution was ok, but this had to be added:

# Interface endpoints so that STS and Secrets Manager are reachable from the private subnet
resource "aws_vpc_endpoint" "sts_endpoint" {
  vpc_id              = module.red.vpc_id
  service_name        = "com.amazonaws.${var.region}.sts"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [module.red.private_subnets[0]]
  security_group_ids  = [aws_security_group.sg-endpoint.id]
  private_dns_enabled = true # the default service hostname resolves to the endpoint
}
resource "aws_vpc_endpoint" "secretsmanager_endpoint" {
  vpc_id              = module.red.vpc_id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [module.red.private_subnets[0]]
  security_group_ids  = [aws_security_group.sg-endpoint.id]
  private_dns_enabled = true
}

This is the final diagram:

[image: final architecture diagram]

Here's the code if you want to play with it: https://gitlab.com/templates14/terraform-templates/-/tree/master/lambda_rabbitmq_trigger
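As an added practitioner check that is not part of the original post or the linked repository: the function below takes the JSON that `aws ec2 describe-vpc-endpoints` returns (here a constructed sample) and reports which of the interface endpoints the question and answer identified (Lambda, STS, Secrets Manager) are missing or not usable from the private subnet. The VPC id, endpoint ids and region in the sample are made up.

```python
# Added check, not from the original post: audit a describe-vpc-endpoints
# response for the interface endpoints a private-subnet Lambda <-> Amazon MQ
# (RabbitMQ) event source mapping needs.

# Services named on the page as needing an endpoint inside the VPC.
REQUIRED_SERVICES = ("lambda", "sts", "secretsmanager")


def required_service_names(region):
    """Map fully qualified endpoint service names to their short service name."""
    return {f"com.amazonaws.{region}.{svc}": svc for svc in REQUIRED_SERVICES}


def audit_endpoints(describe_output, region, vpc_id):
    """Return {service: problem} for each required endpoint that is missing,
    of the wrong type, has private DNS disabled, or is not yet 'available'."""
    wanted = required_service_names(region)
    problems = {svc: "missing" for svc in wanted.values()}
    for ep in describe_output.get("VpcEndpoints", []):
        svc = wanted.get(ep.get("ServiceName"))
        if svc is None or ep.get("VpcId") != vpc_id:
            continue  # unrelated service or a different VPC
        if ep.get("VpcEndpointType") != "Interface":
            problems[svc] = "not an Interface endpoint"
        elif not ep.get("PrivateDnsEnabled", False):
            # Without private DNS the SDK's default hostname still points at
            # the public endpoint, which a private subnet cannot reach.
            problems[svc] = "private DNS disabled"
        elif ep.get("State") != "available":
            problems[svc] = f"state is {ep.get('State')!r}"
        else:
            problems.pop(svc, None)
    return problems


# Constructed sample (made-up ids): the question's situation, with the Lambda
# endpoint in place, STS present but misconfigured, and Secrets Manager absent.
SAMPLE_DESCRIBE_OUTPUT = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0example1", "VpcId": "vpc-0example", "State": "available",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-1.lambda"},
    {"VpcEndpointId": "vpce-0example2", "VpcId": "vpc-0example", "State": "available",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": False,
     "ServiceName": "com.amazonaws.us-east-1.sts"},
]}

if __name__ == "__main__":
    for svc, why in sorted(audit_endpoints(SAMPLE_DESCRIBE_OUTPUT, "us-east-1", "vpc-0example").items()):
        print(f"{svc}: {why}")
```

Feed it the real output of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<your vpc>` before creating the event source mapping; an empty result means all three endpoints are in place.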
