I am struggling to enable an AWS lambda to send HTTPS POST requests to an AWS elastic beanstalk service.
The elastic beanstalk provides web and web services and works nicely.
The lambda is doing some calculations with AWS elasticache (works well) and then decides if to send HTTPS POST to the beanstalk URL.
The lambda is written with node.js. About 2 minutes after the POST attempt I am getting this timeout:
[Error: connect ETIMEDOUT X.Y.Z.W:443] code: 'ETIMEDOUT', errno: 'ETIMEDOUT', syscall: 'connect', address: 'X.Y.Z.W', port: 443
I see no indication of a request in the elastic bean nginx access log.
So my understanding is that the security groups are not set correctly.
I ruled out the option that the elastic beanstalk prevents such connections - The lambda is using a url with an external domain name that can be used from any browser and that works fine.
So I am left with the conclusion that the lambda security prevents this connection. So - I opened up the lambda security group completely to "All traffic" from anywhere - and I still get this problem.
Any ideas?
You are running your Lambda function within your VPC, which is required to access your ElastiCache servers. However once you place a Lambda function into a VPC it no longer has access to anything outside the VPC. You are trying to hit the Elastic Beanstalk server via a public (Internet) address, which the Lambda function does not have access to. Thus you are getting network connection timeouts.
You need to configure your Lambda function to access the service via an internal VPC address. And you need to configure your Elastic Beanstalk Security Group to allow access from the Lambda Security Group (if you haven't already).
Alternatively, you could add a NAT Gateway to your VPC, which would give your Lambda function access to resources outside the VPC.
Related
I am working on serverless node basic application which has the basic function of CRUD operation with mysql. The mysql is created in the RDS Mysql and assigned to the public, In local system its connected and working fine, After the deploying serverless deploy, I am getting an error as Handshake inactivity timeout in response body.
Note: I used the serverless deploy and RDS MySQL in same AWS account.
Even if both are deployed in the same account, and the RDS is public, the lambda might be deployed in a private subnet that does not have internet access. Without seeing your serverless deployment script, my guess is you may have to configure the correct security groups and subnets for your lambda function to be able to connect to this public database.
Here's a medium article that may help with the setup. Under the vpc configuration of your lambda function, you may have to modify the following.
provider:
name: aws
stage: prod
runtime: nodejs6.10
region: us-east-1
vpc:
securityGroupIds:
- HERE_YOUR_SECURITY_GROUP
subnetIds:
- HERE_YOUR_SUBNET_1
- HERE_YOUR_SUBNET_2
- HERE_YOUR_SUBNET_3
environment:
MYSQLHOST: 'xxxxx.rds.amazonaws.com'
MYSQLPORT: 'xxx'
MYSQLUSER: 'xxx'
MYSQLPASS: 'xxxxx'
MYSQLDATABASE: 'xxxx'
I am writing an AWS Lambda function to connect to a MySQL instance running on EC2. I have associated the Lambda function with the same subnet and security group that the EC2 is configured in. I checked the Lambda function's IAM roles and that has AWSLambdaVPCAccessExecutionRole policy attached to it. However I am still not able to connect to the MySQL instance.
I tried allowing traffic from anywhere and that worked but now I am not sure how to connect to the MySQL instance with stricter security rules.
I am using Kotlin to write my lambda function and using serverless to deploy changes to lambda.
I have tried every possible solution available online to make this happen but I haven't had any positive results yet.
You have associated the Lambda function with the same security group. But just that would not do. You also need to add an ingress rule to allow traffic to the security group from itself. Basically, you need to self reference the security group.
Add a rule to allow traffic on the mysql port from sg-xxxxxxxx.
I have an application running on EC2 instances that store data in an RDS instance. All of these instances are in an AWS VPC with security groups configured to allow them to connect to each other.
For reporting purposes, I would like to connect to the RDS instance from my laptop (e.g. using SQLAlchemy) to run simple queries. Every time I try to connect using the connection string that the EC2 apps use, the connection times out.
For Google, one can use the Cloud SQL proxy for this, but I can't find an analogous product for AWS. Instead, it seems like what I am supposed to do is attach an internet gateway to the VPC and configure the security groups to allow connection from my machine. However, the documents are unclear on how to do this other than allowing all inbound connections or allowing a static IP. Unfortunately my laptop doesn't have a static IP, and I'm uncomfortable allowing all inbound connections as it seems insecure and an invitation to attacks. I also have not been able to find a way to configure a security group to allow connections based on IAM credentials for example using the AWS CLI. Since I will be routinely generating reports, a solution that involves updating a security group (i.e. allowing my current IP) every time I want to connect seems suboptimal.
I have tried following the following documents, but so far have had no success in finding a solution that does not allow all connections:
Allow users to connect to RDS using IAM*
Connecting to RDS instance from command line
Connecting to RDS on VPC from internet
*My RDS instance configuration does not allow me to enable IAM authentication, I'm not sure why
IAM Database Authentication is not supported for the configuration in the DB Instance db.
Modify your Db Instance to another instance class and try again.
(Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterCombination;
Request ID: a6194fb8-2ab9-4a6a-a2be-63835e6e0184)
Is there something I'm not understanding or overlooking? Is allowing connections from all IPs not a big deal since the DB instance is still secured by DB user credentials?
Select this connection as per screenshot. Then fill up all details use your nat instance .pem file to connect. Its like you are connecting to VPC through Nat gateway or Internet gateway bypassing this.
Another option to install VPN on VPC and connect.
I've recently created a Mule application (3.7.0 CE) on a laptop. I'm connected to an AWS RDS instance when running locally in AnyPoint Studio using Maven. I started with a local MySQL DB and migrated it to AWS because my application "proofofconcept" is just that a proof of concept and I would like to show the application online (public url) instead of my laptop for a presentation. I added the database.url=... property to the application properties when I deployed to Anypoint Runtime Manager in the cloud. I'm currently getting a:
communications link failure
I've tried several things and nothing has worked. I tried a basic database connection first in the database config. And, then I created a JDBC datasource in Spring-beans. Both methods worked locally and in-communication with AWS (remote). When I deploy to Runtime Manager, the application deploys. And, I get the console that's generated runtime by the RAML. When I call a url e.g. api/v1/orders it runs and runs and after timeout provides the communication error.
Does anyone 1) know if the communication is allowed? 2) know how to fix this? I would like to demo the POC online for my client.
Thanks in advance
My issue was with Amazon VPC and the default security group assigned to my RDS instance. By default all outbound activity is set to any protocol and any port for any ip (0.0.0.0/0). Inbound routing, however was specifying only port 3306 but also a custom using-ip that was my home network public ip. I changed the ip specification to be 0.0.0.0/0. This now mean's that any ip can send a request though port 3306 to my Amazon MySQL instance.
I have an elastic beanstalk setup but the url that's listed in the environment is not accessible, whereas if I point to the url of the load balancer I can access it.
Any suggestions ?
Attach the LoadBalancer security group to the instance. For me it worked. I found ELB has different security group that is not attached to instance.
Or you can create one Security Group with HTTP port 80 open and attach it to ELB and Instance from the beanstalk configuration
Go to Elastic Beanstalk configuration then go to VPC settings. Check the "Associate Public IP Address". Then it worked for me.