
I created one VPC 10.5.0.0/16 with 2 subnets (10.5.1.0/24, 10.5.4.0/24).

I created a security group:

Inbound rules:

Type         Protocol   Port range   Source       Description - optional
All traffic  All        All          0.0.0.0/0    allowing traffic from same security group
All traffic  All        All          ::/0         allowing traffic from same security group

Outbound rules:

Type         Protocol   Port range   Destination  Description - optional
All traffic  All        All          0.0.0.0/0    allowing traffic from same security group
All traffic  All        All          ::/0         allowing traffic from same security group

Now I created 2 Lambda functions with a proper IAM role (which contains the invoke policy). These 2 Lambda functions are in the same VPC, subnets and security group.

Case 1:

  • I am able to invoke Lambda 2 from Lambda 1 successfully when the Lambda functions are not attached to VPC subnets and security groups

Case 2:

  • I am not able to invoke Lambda 2 from Lambda 1 when they are in the same VPC

I think I am missing something but I can't figure it out. Any suggestions?

  • Why are the Lambda functions connected to a VPC? Are they accessing other resources in the same VPC? Commented Jun 7, 2020 at 2:23
  • No, I am just trying to test how VPC works. But in future I will create a Lambda function which is going to get data from Redshift, which is in another VPC (here I will do VPC peering). Commented Jun 7, 2020 at 4:47

5 Answers


I think I am missing something but I can't figure it out

Unfortunately, the only way to invoke Lambda is through a public Lambda service endpoint. Since a Lambda function in a VPC has neither internet access nor a public IP, you can't invoke one Lambda function from another one in a VPC without access to the internet. From the docs:

Connecting a function to a public subnet does not give it internet access or a public IP address.

The fact that they are in the same VPC, or even the same subnet, is sadly irrelevant.

To rectify the issue, the invoking function must have access to the internet, since the Lambda service does not have a VPC interface endpoint. This can be achieved by placing it in a private subnet and using a NAT gateway/instance with correctly configured route tables to provide the access.


1 Comment

I believe this information is no longer correct, AWS now offers a VPC endpoint for their Lambda service as well.
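The NAT route this answer describes, as an added CloudFormation example; it is not code from the question or from any answer. It assumes a VPC that already has a public subnet whose route table sends 0.0.0.0/0 to an Internet Gateway; the `VpcId`, `PublicSubnetId` and `PrivateSubnetId` parameters and all resource names are hypothetical. The Lambda function must be attached to the private subnet: as the docs quoted above say, attaching it to the public subnet gives it no public IP, so the IGW route alone does nothing for it.

```yaml
# Added example (not from the question or answers): NAT egress for a
# VPC-attached Lambda so that it can reach the public Lambda API.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:            # assumption: already routed 0.0.0.0/0 -> IGW
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetId:           # assumption: the subnet the functions use
    Type: AWS::EC2::Subnet::Id
Resources:
  # The NAT gateway lives in the public subnet and owns the only public IP.
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId

  # The private subnet's default route points at the NAT gateway, not the
  # IGW. Function ENIs have no public IP, so an IGW route would be useless.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable
```

Caveat: this route gives the function egress to the entire internet, not only to the Lambda API, so anything the function's code (or a compromised dependency) tries to reach is reachable. An interface endpoint for the Lambda service keeps the invoke call on the AWS network and needs no NAT at all.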

It turns out that after the introduction of AWS PrivateLink for AWS Lambda, it's possible to invoke one Lambda from another with both of them in a VPC that does not need internet access.

Some nice tutorials can be found here (must read):

Here's what I did that worked (there might be redundant steps, but it worked):

  1. Created a new security group (sg-abc) and assigned it to both Lambdas
  2. Modified the default SG and allowed inbound traffic from sg-abc on All Traffic; also modified sg-abc to allow All Traffic from the default SG
  3. Created a new endpoint of com.amazonaws.ap-south-1.lambda (use your preferred region) and assigned both the default SG and sg-abc to it
  4. Modified my first Lambda's Resources to allow lambda:Invoke (I'm using serverless.yml)
  5. That's it! I was now able to invoke one Lambda from another, without needing to set up NAT, IGW and so on. It's so much easier this way

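The five steps above as one CloudFormation template, added here as an example; it is not the answerer's serverless.yml or any project's code. It assumes the calling function is attached to the subnets in `SubnetIds` with `LambdaSecurityGroup` and runs under `CallerRole`, and that `CalleeFunctionArn` is the already-deployed function being invoked; every parameter and resource name is hypothetical. It departs from steps 1 to 3 in one respect: rather than opening the default SG and sg-abc to each other for all traffic, the endpoint gets its own SG that accepts only TCP 443 from the caller's SG, and both the endpoint policy and the caller's role policy are scoped to the callee ARN instead of all of `lambda:*`.

```yaml
# Added example (not the answerer's code): Lambda-to-Lambda invoke through a
# PrivateLink interface endpoint, with SG and IAM scoped to the one callee.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:                       # assumption: the caller's private subnets
    Type: List<AWS::EC2::Subnet::Id>
  CalleeFunctionArn:               # assumption: "Lambda 2", already deployed
    Type: String
Resources:
  # Step 1: the caller's SG. No inbound rules (nothing connects to a Lambda
  # ENI); egress is left at the CloudFormation default of allow-all.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Caller Lambda
      VpcId: !Ref VpcId

  # Step 2, tightened: the endpoint's own SG admits only HTTPS, and only from
  # members of the caller's SG, instead of all traffic from the default SG.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda interface endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref LambdaSecurityGroup

  # Step 3: the interface endpoint. Private DNS makes lambda.<region>.amazonaws.com
  # resolve to the endpoint ENIs, so the SDK needs no custom endpoint URL. The
  # endpoint policy limits what can be invoked through it to the one callee.
  LambdaEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.lambda
      VpcEndpointType: Interface
      PrivateDnsEnabled: true
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: lambda:InvokeFunction
            Resource: !Ref CalleeFunctionArn

  # Step 4: the caller's execution role may invoke only the callee. The managed
  # policy supplies the ENI and CloudWatch Logs permissions a VPC function needs.
  CallerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: InvokeCallee
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !Ref CalleeFunctionArn

  # Step 5: the caller. A short connect timeout with no retries turns a missing
  # endpoint or a wrong SG into an error in seconds instead of a hang until the
  # function timeout, which is the symptom described in the question.
  CallerFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt CallerRole.Arn
      Timeout: 15
      VpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds: [ !Ref LambdaSecurityGroup ]
      Environment:
        Variables: { CALLEE_ARN: !Ref CalleeFunctionArn }
      Code:
        ZipFile: |
          import json, os
          import boto3
          from botocore.config import Config

          _lambda = boto3.client("lambda", config=Config(
              connect_timeout=3, read_timeout=10, retries={"max_attempts": 0}))

          def handler(event, context):
              resp = _lambda.invoke(FunctionName=os.environ["CALLEE_ARN"],
                                    InvocationType="RequestResponse",
                                    Payload=json.dumps(event).encode())
              return json.loads(resp["Payload"].read())
```

Private DNS on the endpoint requires the VPC to have DNS support and DNS hostnames enabled. If the caller still times out after deployment, the request is not reaching the endpoint: confirm that the ingress rule on the endpoint SG references the SG actually attached to the caller, and that private DNS is enabled so the default SDK hostname resolves inside the VPC.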


Lambdas inside a VPC without a NAT gateway don't have internet access. Invoking a Lambda function requires the caller to be able to connect to AWS APIs. This typically means that the caller needs internet access. The exceptions are the services that support VPC endpoints; in that case, a caller inside the VPC can connect to service APIs privately. Unfortunately, Lambda isn't one of the services that support VPC endpoints.



Regarding the Security Groups...

Calls made to invoke an AWS Lambda function are made to the AWS Lambda service, which lives on the Internet.

If Lambda-1 invokes Lambda-2, there is no need for them to be in the same VPC and there is no need for them to be accessible to each other via a Security Group.

In fact, the normal security group configuration for AWS Lambda functions is:

  • Inbound: No inbound rules are required because functions are invoked by the AWS Service. Nothing connects 'to' an AWS Lambda function.
  • Outbound: It is normal to permit all outbound traffic because you can 'trust' your own code.

Example

Let's say that you have an AWS Lambda function calling an Amazon RDS database. The configuration would be:

  • A security group on the Lambda function (Lambda-SG) with no inbound rules, default outbound rules (All Traffic)
  • A security group on the RDS database (RDS-SG) that permits all inbound connections from Lambda-SG and default outbound rules (All Traffic)

This means that the Lambda function can communicate with the RDS database (since RDS-SG specifically references Lambda-SG) but nothing else would be permitted to access the RDS database.

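The Lambda-SG / RDS-SG pairing from this answer as an added CloudFormation example (not the answerer's code), shown beside the all-traffic 0.0.0.0/0 rule from the question for contrast. It assumes a PostgreSQL instance on port 5432 and an existing DB subnet group in the VPC; parameter and resource names are hypothetical.

```yaml
# Added example (not the answerer's code): SG chaining between a Lambda
# function and an RDS instance, with the question's open rule for contrast.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  DbSubnetGroupName:          # assumption: DB subnet group already exists
    Type: String
Resources:
  # Lambda-SG: no inbound rules at all. Nothing connects "to" a Lambda ENI, so
  # there is nothing to allow. With no SecurityGroupEgress given, CloudFormation
  # keeps the default allow-all outbound rule the answer describes.
  LambdaSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda-SG (no inbound, default outbound)
      VpcId: !Ref VpcId

  # RDS-SG: inbound only on the database port, and only from members of
  # Lambda-SG. Referencing the group rather than a CIDR covers new function
  # ENIs automatically and admits nothing else in the VPC.
  RdsSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS-SG (PostgreSQL from Lambda-SG only)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref LambdaSG
        # The question's inbound rule, for contrast. It exposes every port to
        # every address that can route to the instance, which includes the
        # whole VPC and any peered VPC. Do not put this on a database:
        # - IpProtocol: "-1"
        #   CidrIp: 0.0.0.0/0

  # RDS-SG goes on the instance; the function gets LambdaSG in its VpcConfig.
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      DBSubnetGroupName: !Ref DbSubnetGroupName
      MasterUsername: appadmin
      ManageMasterUserPassword: true   # password held in Secrets Manager, not in the template
      PubliclyAccessible: false
      VPCSecurityGroups:
        - !Ref RdsSG
```

The function's own SG needs no rule referencing RDS-SG: security groups are stateful, so the reply traffic on the connection the function opened is allowed back without an inbound rule on Lambda-SG.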


I have had the same issue. We have 2 Lambdas running in the same VPC, with the same subnets and the same route table. Still, Lambda1 was unable to call Lambda2. While going through this post I realized that the invoke permission is the issue. So I created an invoke function permission in Lambda2 (the service being called) as below: Lambda - Permissions - Resource-based policy statements -> Add permissions - for AWS Service -> there, for "Service" I selected API Gateway, and in the "Source ARN" I entered the ARN of Lambda2 (the service being called).

And it worked.
