Cloudformation for lambda 访问互联网导致超时
Cloudformation for lambda accessing internet results in timeout
我有一个 cloudformation 模板:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"SourcePackageName": {
"Type": "String"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.0.0/24"
},
"DependsOn" : "VPC"
},
"PrivateSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.1.0/24"
},
"DependsOn" : "VPC"
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"AttachGateway": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn" : "InternetGateway"
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"DependsOn" : "VPC"
},
"PrivateRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"DependsOn" : "VPC"
},
"PublicRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn": ["AttachGateway", "PublicRouteTable", "InternetGateway"]
},
"PrivateRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NatGateway"
}
},
"DependsOn": ["AttachGateway", "PublicRouteTable", "NatGateway"]
},
"NatGateway": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ElasticIp",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet"
}
},
"DependsOn": ["PublicSubnet", "ElasticIp"]
},
"GatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn": ["VPC", "InternetGateway"]
},
"ElasticIp": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
},
"DependsOn": "GatewayAttachment"
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
},
"DependsOn": ["PublicSubnet", "PublicRouteTable"]
},
"PrivateSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet"
},
"RouteTableId": {
"Ref": "PrivateRouteTable"
}
},
"DependsOn": ["PrivateSubnet", "PrivateRouteTable"]
},
"LambdaSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": ["VPC"],
"Properties": {
"GroupName": "Internet Group",
"GroupDescription": "SSH traffic in, all traffic out.",
"VpcId": { "Ref": "VPC" },
"SecurityGroupIngress": [
{
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
],
"Tags": [
{
"Key" : "System",
"Value" : "Feed"
}
]
}
},
"FeedLambdaRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
}],
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
}
},
"FeedLambda": {
"Type": "AWS::Lambda::Function",
"DependsOn": ["VPC", "LambdaSecurityGroup", "PublicSubnet", "FeedLambdaRole"],
"Properties": {
"Code": {
"S3Bucket": "bucket-name",
"S3Key": {
"Fn::Join" : [ "/", [ "directory-name", { "Ref" : "SourcePackageName" }] ] }
},
"FunctionName": "Feed",
"Handler": "java.package.class",
"MemorySize": 128,
"Role": { "Fn::GetAtt" : [ "FeedLambdaRole", "Arn" ] },
"Runtime": "java8",
"VpcConfig": {
"SecurityGroupIds": [
{ "Ref": "LambdaSecurityGroup" }
],
"SubnetIds": [
{ "Ref": "PublicSubnet" }
]
}
}
}
}
}
我的代码在执行非基于 Internet 的代码时可以正确执行,但是当我在代码中添加网络调用时,它会不断导致超时。
我已将超时增加到 10 秒,但没有解决。
如有任何帮助,我们将不胜感激。
我使用了这里的模板:
您已将 Lambda 函数放置在 public 子网中（`FeedLambda` 的 `VpcConfig.SubnetIds` 引用的是 `PublicSubnet`）。Lambda 在 VPC 内创建的 ENI 只有私有 IP、没有公网 IP，因此即使该子网的路由表把 `0.0.0.0/0` 指向 Internet 网关，出站流量也无法被转换成公网地址——这正是网络调用一直超时、而不访问网络的代码能正常运行的原因，单纯把超时从默认值增加到 10 秒不会有帮助。VPC 内的 Lambda 函数必须通过 NAT 网关来访问 Internet（以及 VPC 外的任何其他内容，例如 AWS API；如果只需要访问 AWS API，也可以改用 VPC 终端节点而不暴露到公网）。NAT 网关本身放在 public 子网，并由私有子网的路由表引用（您模板中的 `PrivateRoute` 已经把 `0.0.0.0/0` 指向了 `NatGateway`）。模板已经定义了 `PrivateSubnet`、`PrivateRouteTable` 和 `PrivateSubnetRouteTableAssociation`，只需把 `SubnetIds` 改为 `{ "Ref": "PrivateSubnet" }`（并相应更新 `DependsOn`）即可。另外请注意模板中还有几处值得修正：`AttachGateway` 和 `GatewayAttachment` 是两个把同一个 Internet 网关附加到同一个 VPC 的重复资源，很可能导致堆栈创建失败，应只保留一个；`LambdaSecurityGroup` 的入站规则允许来自 `0.0.0.0/0` 的所有协议，与其描述 "SSH traffic in" 不符——Lambda 的 ENI 不接受入站连接，建议删除 `SecurityGroupIngress`，并尽量把出站规则收紧到实际需要访问的目标和端口；`FeedLambdaRole` 内联策略中的 `logs:*` 超出了写日志所需的权限，而且已被 `AWSLambdaBasicExecutionRole` 覆盖，可以移除。
或者，如果您的 Lambda 函数实际上不需要访问 VPC 内的任何资源（例如私有子网中的数据库或缓存），那么可以直接删除 `VpcConfig`，把它留在 VPC 之外：Lambda 会通过 AWS 托管的网络直接访问 Internet，也就不再需要 NAT 网关、Elastic IP 和 `AWSLambdaVPCAccessExecutionRole`。将 Lambda 函数放入 VPC 会使冷启动变慢、增加 NAT 网关的费用，除非您确实需要它访问 VPC 资源，否则没有任何好处。
我有一个 cloudformation 模板:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"SourcePackageName": {
"Type": "String"
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"PublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.0.0/24"
},
"DependsOn" : "VPC"
},
"PrivateSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.1.0/24"
},
"DependsOn" : "VPC"
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"AttachGateway": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn" : "InternetGateway"
},
"PublicRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"DependsOn" : "VPC"
},
"PrivateRouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
},
"DependsOn" : "VPC"
},
"PublicRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PublicRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn": ["AttachGateway", "PublicRouteTable", "InternetGateway"]
},
"PrivateRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "PrivateRouteTable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NatGateway"
}
},
"DependsOn": ["AttachGateway", "PublicRouteTable", "NatGateway"]
},
"NatGateway": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ElasticIp",
"AllocationId"
]
},
"SubnetId": {
"Ref": "PublicSubnet"
}
},
"DependsOn": ["PublicSubnet", "ElasticIp"]
},
"GatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"InternetGatewayId": {
"Ref": "InternetGateway"
}
},
"DependsOn": ["VPC", "InternetGateway"]
},
"ElasticIp": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
},
"DependsOn": "GatewayAttachment"
},
"PublicSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PublicSubnet"
},
"RouteTableId": {
"Ref": "PublicRouteTable"
}
},
"DependsOn": ["PublicSubnet", "PublicRouteTable"]
},
"PrivateSubnetRouteTableAssociation": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivateSubnet"
},
"RouteTableId": {
"Ref": "PrivateRouteTable"
}
},
"DependsOn": ["PrivateSubnet", "PrivateRouteTable"]
},
"LambdaSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"DependsOn": ["VPC"],
"Properties": {
"GroupName": "Internet Group",
"GroupDescription": "SSH traffic in, all traffic out.",
"VpcId": { "Ref": "VPC" },
"SecurityGroupIngress": [
{
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": -1,
"CidrIp": "0.0.0.0/0"
}
],
"Tags": [
{
"Key" : "System",
"Value" : "Feed"
}
]
}
},
"FeedLambdaRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
}],
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
}
},
"FeedLambda": {
"Type": "AWS::Lambda::Function",
"DependsOn": ["VPC", "LambdaSecurityGroup", "PublicSubnet", "FeedLambdaRole"],
"Properties": {
"Code": {
"S3Bucket": "bucket-name",
"S3Key": {
"Fn::Join" : [ "/", [ "directory-name", { "Ref" : "SourcePackageName" }] ] }
},
"FunctionName": "Feed",
"Handler": "java.package.class",
"MemorySize": 128,
"Role": { "Fn::GetAtt" : [ "FeedLambdaRole", "Arn" ] },
"Runtime": "java8",
"VpcConfig": {
"SecurityGroupIds": [
{ "Ref": "LambdaSecurityGroup" }
],
"SubnetIds": [
{ "Ref": "PublicSubnet" }
]
}
}
}
}
}
我的代码在执行非基于 Internet 的代码时可以正确执行,但是当我在代码中添加网络调用时,它会不断导致超时。
我已将超时增加到 10 秒,但没有解决。
如有任何帮助,我们将不胜感激。
我使用了这里的模板:
您已将 Lambda 函数放置在 public 子网中（`FeedLambda` 的 `VpcConfig.SubnetIds` 引用的是 `PublicSubnet`）。Lambda 在 VPC 内创建的 ENI 只有私有 IP、没有公网 IP，因此即使该子网的路由表把 `0.0.0.0/0` 指向 Internet 网关，出站流量也无法被转换成公网地址——这正是网络调用一直超时、而不访问网络的代码能正常运行的原因，单纯把超时从默认值增加到 10 秒不会有帮助。VPC 内的 Lambda 函数必须通过 NAT 网关来访问 Internet（以及 VPC 外的任何其他内容，例如 AWS API；如果只需要访问 AWS API，也可以改用 VPC 终端节点而不暴露到公网）。NAT 网关本身放在 public 子网，并由私有子网的路由表引用（您模板中的 `PrivateRoute` 已经把 `0.0.0.0/0` 指向了 `NatGateway`）。模板已经定义了 `PrivateSubnet`、`PrivateRouteTable` 和 `PrivateSubnetRouteTableAssociation`，只需把 `SubnetIds` 改为 `{ "Ref": "PrivateSubnet" }`（并相应更新 `DependsOn`）即可。另外请注意模板中还有几处值得修正：`AttachGateway` 和 `GatewayAttachment` 是两个把同一个 Internet 网关附加到同一个 VPC 的重复资源，很可能导致堆栈创建失败，应只保留一个；`LambdaSecurityGroup` 的入站规则允许来自 `0.0.0.0/0` 的所有协议，与其描述 "SSH traffic in" 不符——Lambda 的 ENI 不接受入站连接，建议删除 `SecurityGroupIngress`，并尽量把出站规则收紧到实际需要访问的目标和端口；`FeedLambdaRole` 内联策略中的 `logs:*` 超出了写日志所需的权限，而且已被 `AWSLambdaBasicExecutionRole` 覆盖，可以移除。
或者，如果您的 Lambda 函数实际上不需要访问 VPC 内的任何资源（例如私有子网中的数据库或缓存），那么可以直接删除 `VpcConfig`，把它留在 VPC 之外：Lambda 会通过 AWS 托管的网络直接访问 Internet，也就不再需要 NAT 网关、Elastic IP 和 `AWSLambdaVPCAccessExecutionRole`。将 Lambda 函数放入 VPC 会使冷启动变慢、增加 NAT 网关的费用，除非您确实需要它访问 VPC 资源，否则没有任何好处。