我正在尝试从VPC内的lambda函数访问VPC外部的运动流。当前,当执行要写入Kinesis流的代码时,它将悬挂然后超时。当我将lambda从VPC中取出时,代码写入流时可以正常工作。但是我需要访问VPC中的资源,然后写入流。有人知道怎么修这个东西吗?
这是我的功能,它在VPC
中functions:
handleChanges:
handler: functions/handlers.handleChanges
timeout: 10
package:
include:
- functions/utils/**
events:
- http:
method: POST
path: "/"
integration: lambda
vpc:
securityGroupIds:
- ${file(./private.yml):variables.securityGroup}
subnetIds:
- ${file(./private.yml):variables.subnetID}
这是我的政策
iamRoleStatements:
- Effect: "Allow"
Action:
- "kinesis:PutRecord"
- "kinesis:GetRecords"
- "kinesis:GetShardIterator"
- "kinesis:DescribeStream"
- "kinesis:ListStreams"
Resource:
Fn::GetAtt:
- KinesisStream
- Arn
- Effect: "Allow"
Action:
- "cognito-idp:AdminGetUser"
Resource: "*"
- Effect: "Allow"
Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "ec2:CreateNetworkInterface"
- "ec2:DescribeNetworkInterfaces"
- "ec2:DeleteNetworkInterface"
Resource: "*"
最后,这是我的运动流资源
KinesisStream:
Type: AWS::Kinesis::Stream
Properties:
Name: ${self:provider.environment.STREAM_NAME}
ShardCount: 1
唯一的解决方案是向您的VPC添加NAT网关(或NAT实例),以便驻留在私有子网中的Lambda函数之类的资源将可以访问VPC之外的资源。
不需要nat,您也可以使用VPC端点:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html这就是对运动的方法:https://docs.aws.amazon.com/streams/latest/dev/vpc.html
为我工作:)并便宜。确保设置正确的安全组(私有VPC的SG,而不是默认VPC)
如果您会阅读NAT定价文档,他们也建议这样做:https://aws.amazon.com/vpc/pricing/最后阅读注释:
Note: To avoid the NAT Gateway Data Processing charge in this example, you could setup a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.