How can I let my VPC have access to the internet via cloudformation?

I have a VPC setup in which my lambda function can talk to my RDS server. This is working. I also need my lambda function to be able to access the internet. For that I am trying to set up an internet gateway and a route that allows it. I am failing.

The VPC, route table and gateway are created as follows

"VPC": {
  "Type": "AWS::EC2::VPC",
  "Properties": {
    "CidrBlock": "10.0.0.0/16",
    "EnableDnsSupport": "true",
    "EnableDnsHostnames": "true",
    "InstanceTenancy": "default",
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

"VPCRouteTable" : {
   "Type" : "AWS::EC2::RouteTable",
   "Properties" : {
      "VpcId" : { "Ref" : "VPC" },
      "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
   }
},

"InternetGateway" : {
   "Type" : "AWS::EC2::InternetGateway",
   "Properties" : {
   "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
   }
},

"AttachGateway": {
   "Type" : "AWS::EC2::VPCGatewayAttachment",
   "Properties" : {
      "VpcId" : { "Ref" : "VPC" },
      "InternetGatewayId" : { "Ref" : "InternetGateway" }
   }
},

"InternetRoute" : {
   "Type" : "AWS::EC2::Route",
   "DependsOn" : "AttachGateway",
   "Properties" : {
      "RouteTableId" : { "Ref" : "VPCRouteTable" },
      "DestinationCidrBlock" : "0.0.0.0/0",
      "GatewayId" : { "Ref" : "InternetGateway" }
   }
},

I create the subnets and associate them with the route table

"SubnetA": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "VpcId": { "Ref": "VPC" },
    "CidrBlock": "10.0.0.0/24",
    "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } }]},
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

"SubnetB": {
  "Type": "AWS::EC2::Subnet",
  "Properties": {
    "VpcId": { "Ref": "VPC" },
    "CidrBlock": "10.0.1.0/24",
    "AvailabilityZone": { "Fn::Select": [ "1", { "Fn::GetAZs": { "Ref": "AWS::Region" } }]},
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

"SubnetARouteTableAssociation" : {
   "Type" : "AWS::EC2::SubnetRouteTableAssociation",
   "Properties" : {
      "SubnetId" : { "Ref" : "SubnetA" },
      "RouteTableId" : { "Ref" : "VPCRouteTable" }
   }
},

"SubnetBRouteTableAssociation" : {
   "Type" : "AWS::EC2::SubnetRouteTableAssociation",
   "Properties" : {
      "SubnetId" : { "Ref" : "SubnetB" },
      "RouteTableId" : { "Ref" : "VPCRouteTable" }
   }
},

I have the database security group

"DBSubnetGroup": {
  "Type": "AWS::RDS::DBSubnetGroup",
  "Properties": {
    "DBSubnetGroupDescription": "Database Access",
    "SubnetIds" : [{ "Ref": "SubnetA" }, { "Ref": "SubnetB" }],
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

"DBEC2SecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security group for RDS DB Instance",
    "VpcId": {"Ref": "VPC"},
    "SecurityGroupIngress" : [{
      "IpProtocol": "tcp",
      "FromPort": "3306",
      "ToPort": "3306",
      "CidrIp": "10.0.0.0/16"
    }],
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

and the lambda security group

"LambdaSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Security group for Lambda",
    "VpcId": {"Ref": "VPC"},
    "Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
  }
},

As it stands, my lambdas can talk to the database fine. But they cannot access the internet. What am I missing?

If your lambda function needs to access both your VPC resources and the Internet, create 2 subnets: a public and a private subnet. Put your lambda in the private subnet and configure a NAT in the public subnet.

From http://docs.aws.amazon.com/lambda/latest/dg/vpc.html

Therefore, if your Lambda function requires Internet access (for example, to access AWS services that don't have VPC endpoints, such as Amazon Kinesis), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide.
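As an added example (not part of the question or the answer above), these CloudFormation resources implement the layout the answer describes on top of the question's template: SubnetA stays public because VPCRouteTable already sends 0.0.0.0/0 to the Internet Gateway, a NAT gateway with an Elastic IP is placed in it, and a new private subnet gets its own route table whose default route points at the NAT gateway. The resource names NatEIP, NatGateway, PrivateSubnetA, PrivateRouteTable, PrivateRoute and PrivateSubnetARouteTableAssociation, and the 10.0.2.0/24 CIDR, are assumed; the Lambda function's VpcConfig would then list PrivateSubnetA together with LambdaSecurityGroup.

```json
{
  "NatEIP": {
    "Type": "AWS::EC2::EIP",
    "DependsOn": "AttachGateway",
    "Properties": { "Domain": "vpc" }
  },
  "NatGateway": {
    "Type": "AWS::EC2::NatGateway",
    "Properties": {
      "AllocationId": { "Fn::GetAtt": [ "NatEIP", "AllocationId" ] },
      "SubnetId": { "Ref": "SubnetA" }
    }
  },
  "PrivateSubnetA": {
    "Type": "AWS::EC2::Subnet",
    "Properties": {
      "VpcId": { "Ref": "VPC" },
      "CidrBlock": "10.0.2.0/24",
      "AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } } ] },
      "Tags": [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
    }
  },
  "PrivateRouteTable": {
    "Type": "AWS::EC2::RouteTable",
    "Properties": {
      "VpcId": { "Ref": "VPC" },
      "Tags": [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
    }
  },
  "PrivateRoute": {
    "Type": "AWS::EC2::Route",
    "Properties": {
      "RouteTableId": { "Ref": "PrivateRouteTable" },
      "DestinationCidrBlock": "0.0.0.0/0",
      "NatGatewayId": { "Ref": "NatGateway" }
    }
  },
  "PrivateSubnetARouteTableAssociation": {
    "Type": "AWS::EC2::SubnetRouteTableAssociation",
    "Properties": {
      "SubnetId": { "Ref": "PrivateSubnetA" },
      "RouteTableId": { "Ref": "PrivateRouteTable" }
    }
  }
}
```

The Lambda function's VpcConfig should reference only the private subnet: a Lambda ENI never receives a public IP, so a subnet whose default route is the Internet Gateway (as SubnetA and SubnetB are in the question) cannot give it outbound internet access, while the NAT gateway only allows connections initiated from inside the VPC, so nothing on the internet can reach the function or the database through it.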