我在AWS帐户a上的VPC中有一个AWS lambda函数,该函数与AWS帐户B上包含DAX集群的VPC具有对等连接。当我试图从lambda连接到DAX集群时,我得到了以下错误。
2021-12-17T17:29:34.096Z 279f4ed8-a6ea-4f50-b1d7-31c307cc3f30 ERROR Failed to pull from my-cluster.v3fh7d.dax-clusters.us-east-1.amazonaws.com (11.0.225.143): TimeoutError: ConnectionException: Connection timeout after 10000ms
at SocketTubePool.alloc (/var/task/node_modules/amazon-dax-client/src/Tube.js:244:64)
at /var/task/node_modules/amazon-dax-client/generated-src/Operations.js:215:30 {
time: 1639762164096,
code: 'ConnectionException',
retryable: true,
requestId: null,
statusCode: -1,
_tubeInvalid: false,
waitForRecoveryBeforeRetrying: false
}
我的lambda代码的相关部分在这里。
let assumedRole;
const sts = new AWS.STS({ region: "us-east-1" });
const params = {
RoleArn:
"arn:aws:iam::<account-b>:role/role-to-access-dax",
RoleSessionName: "testAssumeRoleSession" + Date.now().toString(),
DurationSeconds: 3600,
};
try {
assumedRole = await sts.assumeRole(params).promise();
} catch (error) {
console.log("Failed getting sts assume role: " + error);
}
const dax = new AmazonDaxClient({
endpoint:
"dax://my-cluster.v3fh7d.dax-clusters.us-east-1.amazonaws.com",
region: "us-east-1",
accessKeyId: assumedRole.Credentials.AccessKeyId,
secretAccessKey: assumedRole.Credentials.SecretAccessKey,
sessionToken: assumedRole.Credentials.SessionToken,
httpOptions: { timeout: 150000 },
maxRetries: 1,
});
const dynamodb = new AWS.DynamoDB.DocumentClient({ service: dax });
try {
const params = {
Key: {
userid: requestData.userid,
},
TableName: "my-users-table",
};
const result = await dynamodb.get(params).promise();
if (result.Item == undefined || result.Item == null) {
return createResponse(401, "Unauthorized");
}
return createResponse(200, JSON.stringify(result.Item));
} catch (error) {
return createResponse(500, error);
}
角色arn:aws:iam::<account-b>:role/role-to-access-dax具有以下权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dax:GetItem",
"dax:BatchGetItem",
"dax:Query",
"dax:Scan",
"dax:PutItem",
"dax:UpdateItem",
"dax:DeleteItem",
"dax:BatchWriteItem",
"dax:ConditionCheckItem"
],
"Resource": "arn:aws:dax:us-east-1:<account-b>:cache/my-cluster"
}
]
}
以及以下信任关系。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-a>:root"
},
"Action": "sts:AssumeRole"
}
]
}
DAX集群具有策略AmazonDynamoDBFullAccess。
对等连接在AWS控制台中显示为Active。
DAX集群的安全组有一个入站规则,允许端口8111上的TCP流量来自源<account-a> / <sg-of-lambda>。
账户A VPC的CIDR为10.0.0.0/24,账户B VPC的CID为11.0.0.0/16。
账户A VPC的主路由表具有将目的地11.0.0.0/16的流量引导到对等连接的路由。同样,账户B VPC的主路由表具有将具有目的地10.0.0.0/24的流量引导到对等连接的路由。
顺便说一句,lambda代码中的以下几行似乎被忽略了,因为DAX请求上有相当多的重试,并且超时时间没有从10000毫秒改变。
httpOptions: { timeout: 150000 },
maxRetries: 1,
我在AWS代表的帮助下解决了这个问题。事实证明,我在VPC中需要一个包含lambda的公共和私有子网。lambda本身必须位于私有子网中,而公共子网包含NAT网关和互联网网关。我需要两个子网的单独路由表,而不是VPC中的单个路由表。私有路由包含对等连接路由和VPC CIDR路由,就像我在问题中提到的那样,但也包含以NAT网关为目标的目的地0.0.0.0/0的路由。公用子网路由表包含VPC CIDR路由,以及以互联网网关为目标的目的地为0.0.0.0/0的路由。