Product Engineer, CTO & a Beer Enthusiast
Experiments, thoughts and scripts documented for posterity.
Jan 6, 2017
Your VPC will have a CIDR block such as 192.168.0.0/16. You will need to know this value, because every subnet you create below must be carved out of it.
For your VPC to reach the internet it needs an Internet Gateway. Create one under Networking and Content Delivery > VPC > Internet Gateways; the only customization is to give it a name. Once it exists, attach it to your VPC. A newly created Internet Gateway starts out detached, and a route that points at a detached gateway does not carry any traffic.
You will need two subnets for this solution. The first is where your Lambda code will run (you select the subnet under the Lambda configuration, right after you select your VPC); this one will stay private. The second is a public subnet that acts as the gateway through which traffic is directed to the internet. To create them, go to Networking and Content Delivery > VPC > Subnets and create two subnets, naming them whatever you want (for example LambdaSubnet and PublicAccessSubnet). Each subnet needs its own CIDR block, which must be a sub-block of the VPC CIDR block and must not overlap the other subnet. For example, if your VPC CIDR block is 192.168.0.0/16, you might pick 192.168.100.0/24 and 192.168.110.0/24. Lambda places network interfaces in the subnet it runs in, so do not make the Lambda subnet's block too small. For now, no further customization of these subnets is needed.
We also need an Elastic IP. This is the address the world sees whenever your Lambda function talks to the internet, so it is the address any third-party service will need to allowlist. To create one go to Networking and Content Delivery > VPC > Elastic IPs and allocate a new address. Write down the IP address and its allocation ID for later.
This is the piece the help text on the Lambda configuration page refers to. We want a NAT Gateway inside the public subnet (not the one the Lambda code will run in). To build one, go to Networking and Content Delivery > VPC > NAT Gateways and create new, selecting the public subnet and the Elastic IP you allocated. The gateway takes a few minutes to become available.
Now we only need to tell each subnet where to send its traffic, and we do this with Route Tables. The first Route Table sends traffic from the Lambda subnet to the NAT gateway. To build it go to Networking and Content Delivery > VPC > Route Tables and create new, naming it whatever you want. Once the table is created, select it and switch to the Routes tab. Edit the table and add a route from destination 0.0.0.0/0 (meaning everything not matched by a more specific route; the VPC's own block keeps its built-in local route) to target <Your NAT gateway>. Under the Subnet Associations tab click edit and select your Lambda subnet.
Great, now any traffic leaving your Lambda subnet is routed to the NAT gateway in your public subnet, which rewrites it to come from your Elastic IP. Next, a second route table tells the public subnet to send its traffic to the Internet Gateway. Create a new Route Table, edit its routes to send destination 0.0.0.0/0 to your Internet Gateway, and associate the public subnet with it. Do not be tempted to skip the NAT and point the Lambda subnet straight at the Internet Gateway: Lambda's network interfaces have only private addresses, so traffic sent that way never gets a reply and your function just times out.
The last step, when configuring your Lambda function, is to put it in a security group that allows outbound connections. To create this security group go to Compute > EC2 > Network & Security > Security Groups, create a new group and add the outbound rule All Traffic, All Protocols, All Ports, Destination 0.0.0.0/0. Leave the inbound rules empty.
Security groups are stateful, so this lets your Lambda code send out requests and receive their responses without opening anything inbound.
With this all set up, your Lambda function can talk to other services inside your VPC while also sending requests out to the internet. Because the Lambda subnet has no route to the Internet Gateway and the function's network interfaces carry only private addresses, nothing on the internet can initiate a connection to them; the only path is outbound, and it always appears to come from your one Elastic IP.
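It is easy to get one of these steps subtly wrong in the console, so here is a checker for the topology described above. This is an added example, not code from the original post. The dictionaries follow the field names that boto3's describe_subnets, describe_route_tables, describe_nat_gateways and describe_internet_gateways return, so the same function can be pointed at real output, but the data below is constructed by hand with made-up IDs so that it runs offline. The second data set reproduces the classic mistake of routing the Lambda subnet straight to the Internet Gateway.

```python
"""Check that a Lambda subnet gets to the internet via NAT -> IGW, as in the post.

Added example, not from the original post. Dict shapes mirror boto3 describe_*
responses; all IDs and addresses below are constructed for this example.
"""
import ipaddress


def default_route_target(route_table):
    """Return the target of the 0.0.0.0/0 route (NAT or gateway ID), or None."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with subnet_id (None = main table)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def check_egress(vpc, subnets, route_tables, nat_gateways, igws, lambda_subnet_id):
    """Return a list of problems; an empty list means the topology is right."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc["CidrBlock"])

    # 1. Subnet blocks must sit inside the VPC block and not overlap each other.
    seen = {}
    for s in subnets:
        net = ipaddress.ip_network(s["CidrBlock"])
        if not net.subnet_of(vpc_net):
            problems.append(f"{s['SubnetId']} {net} is outside VPC {vpc_net}")
        for other_id, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{s['SubnetId']} overlaps {other_id}")
        seen[s["SubnetId"]] = net

    # 2. An Internet Gateway must actually be attached to this VPC.
    attached = [g["InternetGatewayId"] for g in igws
                if any(a.get("VpcId") == vpc["VpcId"] for a in g.get("Attachments", []))]
    if not attached:
        problems.append("no internet gateway attached to the VPC")

    # 3. The Lambda subnet's default route must go to a NAT gateway, never the IGW.
    lambda_rt = route_table_for_subnet(route_tables, lambda_subnet_id)
    target = default_route_target(lambda_rt) if lambda_rt else None
    if not target or not target.startswith("nat-"):
        problems.append(f"Lambda subnet {lambda_subnet_id} default route is {target!r}, "
                        "expected a nat-* gateway")
        return problems
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == target), None)
    if nat is None:
        problems.append(f"{target} not found among NAT gateways")
        return problems

    # 4. The NAT gateway needs an Elastic IP and must live in a different, public
    #    subnet whose default route is the attached Internet Gateway.
    if nat["SubnetId"] == lambda_subnet_id:
        problems.append("NAT gateway sits in the Lambda subnet; it needs its own public subnet")
    if not any(a.get("AllocationId") for a in nat.get("NatGatewayAddresses", [])):
        problems.append(f"{target} has no Elastic IP allocation")
    nat_rt = route_table_for_subnet(route_tables, nat["SubnetId"])
    nat_target = default_route_target(nat_rt) if nat_rt else None
    if nat_target not in attached:
        problems.append(f"NAT subnet {nat['SubnetId']} default route is {nat_target!r}, "
                        "expected the attached internet gateway")
    return problems


# Constructed sample topology (IDs are invented for this example).
VPC = {"VpcId": "vpc-0000aaaa", "CidrBlock": "192.168.0.0/16"}
SUBNETS = [{"SubnetId": "subnet-lambda", "CidrBlock": "192.168.100.0/24"},
           {"SubnetId": "subnet-public", "CidrBlock": "192.168.110.0/24"}]
IGWS = [{"InternetGatewayId": "igw-0000aaaa", "Attachments": [{"VpcId": "vpc-0000aaaa"}]}]
NATS = [{"NatGatewayId": "nat-0000aaaa", "SubnetId": "subnet-public",
         "NatGatewayAddresses": [{"AllocationId": "eipalloc-0000aaaa", "PublicIp": "203.0.113.10"}]}]
LOCAL = {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "local"}
PUBLIC_RT = {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
             "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000aaaa"}]}
GOOD_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-lambda"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000aaaa"}]},
    PUBLIC_RT]
# The mistake to catch: Lambda subnet routed directly to the IGW.
BAD_ROUTE_TABLES = [
    {"RouteTableId": "rtb-wrong", "Associations": [{"SubnetId": "subnet-lambda"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000aaaa"}]},
    PUBLIC_RT]


def check_good():
    return check_egress(VPC, SUBNETS, GOOD_ROUTE_TABLES, NATS, IGWS, "subnet-lambda")


def check_bad():
    return check_egress(VPC, SUBNETS, BAD_ROUTE_TABLES, NATS, IGWS, "subnet-lambda")


if __name__ == "__main__":
    print("good:", check_good() or "OK")
    print("bad: ", check_bad())
```

To run it against a real account, replace the constructed dictionaries with the lists under the "Subnets", "RouteTables", "NatGateways" and "InternetGateways" keys of the corresponding boto3 describe calls; a subnet that is not explicitly associated with any table falls back to the VPC main table, which this checker reports as a missing default route so you notice it.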