6

I have set up a VPC with 3 subnets so that my Lambda functions can access a private RDS instance. The RDS <-> Lambda connection works fine; however, now I'm not able to publish to SNS.

I found the announcement of VPC Endpoint support for SNS (incl. this blog post https://aws.amazon.com/blogs/security/securing-messages-published-to-amazon-sns-with-aws-privatelink/) and have added a VPC Endpoint Interface with these properties:

Service name: com.amazonaws.eu-west-1.sns
VPC: same as Lambda functions and other services
Subnets: all included in my VPC (have also tested toggling them individually)
Security Groups: all VPC security groups selected

All the services are in the eu-west-1 region. I know the code that publishes to SNS is correct, as it works when run in a non-VPC environment. The ARN I'm publishing to has remained unchanged: arn:aws:sns:eu-west-1:962446592636:whatever.

I'm aware that a NAT server could be set up to avoid this issue, but I'd prefer to use VPC Endpoints if possible to reduce costs.

1 Answer

5

It works for me!

I did the following:

  • Created an Amazon SNS topic and subscribed to it
  • Created an AWS Lambda function with no VPC configuration, which sends a message to the SNS topic
  • Tested the Lambda function -- message received
  • Created a VPC with two private subnets
  • Created a Service Endpoint for SNS in the private subnets, with a Security Group allowing All TCP from 0.0.0.0/0 (for testing purposes)
  • Modified the Lambda function to use the private subnets
  • Tested the Lambda function -- message received

So, everything worked fine. I didn't have to modify any Lambda code.

My Lambda code:

import boto3

def lambda_handler(event, context):
    # Same code as in the non-VPC test: the SNS interface endpoint needs no
    # changes on the client side, only the network path differs.
    client = boto3.client('sns', region_name='ap-southeast-2')
    response = client.publish(
        TopicArn='arn:aws:sns:ap-southeast-2:123456789012:stack',
        Message='From Lambda'
    )
    # Return the publish response (contains the MessageId) so a test
    # invocation shows whether the publish succeeded
    return response

6 Comments

Adding an inbound rule allowing 0.0.0.0/0 on the default VPC Security Group made it work for me as well! I'm not sure why though, do you have any ideas? Why would the VPC require an inbound connection to publish to SNS?
The Service Endpoint for SNS is an Elastic Network Interface sitting within the VPC. It provides network connectivity between the VPC and SNS, much like an ENI provides connectivity between the VPC and an Amazon EC2 instance. The associated Security Group can be used to control inbound connections. It would be best to configure it for the CIDR range of the VPC itself rather than 0.0.0.0/0, to ensure traffic only comes from within the VPC (or even a smaller subset).
@JohnRotenstein. Can you be more specific about how to configure the security group for the CIDR range of the VPC? I mean, tutorial specific. It would help a lot.
@ViniciusCleves Please create a new Question rather than asking via a comment on an old question.
@JohnRotenstein what about allowing HTTPS for the whole SecurityGroup - works for me. Or is this rule too open?
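The security-group scoping discussed in the comments above, as an added example that is not part of the answer or the comments: a hardened ingress rule (HTTPS only, from the VPC CIDR only), an audit function that flags rules wider than that (such as the "All TCP from 0.0.0.0/0" test rule), and the boto3 call that creates the SNS interface endpoint with that group. The VPC CIDR and IDs are constructed placeholders.

```python
import ipaddress

# Constructed example value; replace with your own VPC's CIDR range.
VPC_CIDR = "10.0.0.0/16"


def hardened_sns_endpoint_ingress(vpc_cidr):
    """The single ingress rule the endpoint's security group needs:
    TCP 443 from inside the VPC. Shape matches boto3's IpPermissions."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": vpc_cidr, "Description": "VPC -> SNS endpoint"}],
    }]


def audit_endpoint_ingress(ip_permissions, vpc_cidr):
    """Return findings for ingress rules wider than an SNS interface endpoint
    needs (source outside the VPC, all protocols, or ports other than 443).
    An empty list means the rules are as tight as the comments recommend."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if not ipaddress.ip_network(cidr).subnet_of(vpc_net):
                findings.append(f"{cidr} is outside the VPC {vpc_cidr}")
            if proto == "-1":
                findings.append(f"{cidr}: all protocols allowed, restrict to tcp/443")
            elif proto == "tcp" and (from_port, to_port) != (443, 443):
                findings.append(f"{cidr}: tcp {from_port}-{to_port} allowed, only 443 is needed")
    return findings


def create_sns_endpoint(ec2, vpc_id, subnet_ids, sg_id, region):
    """Create the SNS interface endpoint (service name as on the page) attached to
    the given subnets and security group. `ec2` is a boto3 EC2 client; this is
    the only function that talks to AWS."""
    return ec2.create_vpc_endpoint(
        VpcEndpointType="Interface",
        VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.sns",
        SubnetIds=subnet_ids,
        SecurityGroupIds=[sg_id],
        PrivateDnsEnabled=True,
    )
```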
