How do I access an on-prem HTTP service from a Lambda function?
I've created a javascript lambda function that is triggered by an API gateway request. I've tested it from my frontend and it works fine (hosted outside AWS).
However, from my function I need to call an HTTP service from my on-prem network as an API call. I've tested the service through a local VPN connection on my machine and it works like a charm. Reading through the AWS documentation, I reached the conclusion that I needed to configure my lambda to run inside a VPC and to connect that VPC to a site-to-site VPN.
I created the site-to-site VPN and the tunnels are up without issues. I created the client gateway for my on-prem network and also a Virtual Private Gateway for my AWS network. I checked the box to propagate to the routing table the on-prem IP prefixes I declared while creating the VPN. (I understand the IP prefixes are the on-prem IP endpoints I need to reach. For example let's say my services are hosted in 172.31.0.2 and 172.31.15.22, so I declared them as /32 since they're a single IP address and AWS asked me for a CIDR.)
I also created my VPC, associated it to the VPN and declared a subnet. The network admin gave me a CIDR range as routing option for our AWS services (let's say 172.31.50.160/29) so I declared the VPC CIDR as 172.21.0.0/16 and the subnet as 172.31.50.160/28. I also made sure lambda configurations specified my newly created VPC and subnet as well as a security group.
While my frontend can still call the lambda without problems, I can't seem to reach the on-prem network. I always receive an ENOTFOUND error, so I assume this means the API call isn't going through the VPN tunnel, as the service is only reachable through the tunnel. So I'm guessing it's most likely a routing error. However, I'm not sure how to solve it.
My routing table shows the propagated IPs and the Virtual Private Gateway as their destination, as well as the 172.31.0.0/16 with the destination as Local. I imagine it could be a routing error, maybe I made a mistake setting that CIDR range as the VPC range.
I also tried adding CloudWatch logging to the VPC to check the traffic but nothing is logged, it always comes up empty. I made sure the IAM role I used for this had CloudWatch permissions, thinking that might be the issue, but even after that the logs are empty.
As you can see I have only very basic knowledge about networks, so any help is appreciated!
TL;DR
Goal: To allow my lambda function to access an on-prem service in a local machine.
Expected results: After connecting the lambda to a VPC that's associated to a running VPN, my lambda would be able to reach the local machine.
Actual results: The lambda is unable to locate the local machine (getaddrinfo ENOTFOUND error), seems as if the traffic is not going through the VPN tunnel.
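The question gives three address ranges (the VPC CIDR, the subnet, the range the on-prem admin allocated) plus the on-prem /32 prefixes, and suspects a CIDR mistake. The check below is an added example, not part of the original post or of AWS tooling: it runs plain CIDR arithmetic with the standard library over those values (the question declares the VPC CIDR as 172.21.0.0/16 but its route table shows 172.31.0.0/16 as Local, so run it with whichever the console actually shows) and reports which ranges do not nest the way VPC routing requires.

```python
"""Sanity-check VPC / subnet / on-prem CIDRs before chasing a VPN routing problem.

Added example (not from the original post). The sample values are the
illustrative ones the question uses; the checks are pure CIDR arithmetic.
"""
import ipaddress


def check_vpc_routing(vpc_cidr, subnet_cidr, allocated_cidr, onprem_prefixes):
    """Return a list of findings; an empty list means no CIDR problem was found."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    allocated = ipaddress.ip_network(allocated_cidr)
    findings = []

    # 1. A VPC subnet must be carved out of the VPC's own CIDR block;
    #    a subnet outside it cannot be created, so the Lambda ENI lands elsewhere.
    if not subnet.subnet_of(vpc):
        findings.append(f"subnet {subnet} is not inside VPC CIDR {vpc}")

    # 2. The subnet should stay within the range the on-prem admin allocated,
    #    otherwise the on-prem side has no return route for part of the subnet
    #    (a /28 is twice the size of the allocated /29 in the question).
    if not subnet.subnet_of(allocated):
        findings.append(f"subnet {subnet} exceeds the allocated range {allocated}")

    # 3. An on-prem prefix that falls inside the VPC CIDR is also matched by the
    #    VPC's own "local" route, so it needs to be checked against the route
    #    table rather than assumed to leave via the Virtual Private Gateway.
    for prefix in onprem_prefixes:
        net = ipaddress.ip_network(prefix)
        if net.overlaps(vpc):
            findings.append(f"on-prem prefix {net} overlaps VPC CIDR {vpc} (local route)")
    return findings


if __name__ == "__main__":
    # Constructed sample input, taken from the ranges quoted in the question.
    for finding in check_vpc_routing(
        "172.21.0.0/16", "172.31.50.160/28", "172.31.50.160/29",
        ["172.31.0.2/32", "172.31.15.22/32"],
    ):
        print("FINDING:", finding)
```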
Comments (1)
Turns out that the same way that lambda cannot directly access the internet without a public NAT gateway and the right routing, lambda cannot access on-prem machines through the VPN without a private NAT gateway.
So I created a private subnet in my VPC, using the CIDR range the on-prem network administrator gave me. Then I routed my requests to the on-prem machines to the private NAT gateway. The routing table for this private subnet directed my traffic flow to the Virtual Private Gateway and in this way I was able to reach the on-prem machines.
Summary
And done, you should be able to send HTTP requests from your lambda to your on-prem servers.