
How to setup AWS lambda function to talk to the internet and VPC

I'm going to walk you through the steps for setting up an AWS Lambda to talk to the internet and a VPC. Let's dive in.

So it might be really unintuitive at first, but Lambda functions have three states.

  1. No VPC, where it can talk openly to the web but can't talk to any of your AWS services.
  2. VPC, the default setting, where the Lambda function can talk to your AWS services but can't talk to the web.
  3. VPC with NAT, the best of both worlds: AWS services and the web.

I'm gonna walk you through the steps to set up number 3.

Note: This tutorial isn't exactly in order of steps. You may need to create one thing (subnet, NAT, route table), then go back into the settings for something previously created and edit it to use the newly created thing.

Creating Subnets

VPC Dashboard > Subnets

This is what I had to start with: my existing VPC that I wanted to connect to already had 4 subnets. Here I noticed I had a couple of subnets already set up. Below is a totally fake IP range I pulled from the internet, but the pattern of increments of 16 (consecutive /20 blocks) is recreated here.

Note: DO NOT use 131.179.0.0/16; it's just an example.

VPC CIDR
vpc-████████ (131.179.0.0/16) 131.179.0.0/20
vpc-████████ (131.179.0.0/16) 131.179.16.0/20
vpc-████████ (131.179.0.0/16) 131.179.32.0/20
vpc-████████ (131.179.0.0/16) 131.179.48.0/20

Here I created four new subnets.

VPC CIDR name
vpc-████████ (131.179.0.0/16) 131.179.64.0/20 lambda-subnet-point-to-nat-1
vpc-████████ (131.179.0.0/16) 131.179.80.0/20 lambda-subnet-point-to-nat-2
vpc-████████ (131.179.0.0/16) 131.179.96.0/20 lambda-subnet-point-to-nat-3
vpc-████████ (131.179.0.0/16) 131.179.112.0/20 lambda-subnet-point-to-igw

Note: Here igw stands for Internet Gateway and nat stands for network address translation gateway (NAT Gateway).

Three of them will point to the NAT and one points to the IGW.

Let's create the Route Tables now.

Creating Route Tables

VPC Dashboard > Route Tables

You're going to want to set up two Route Tables.

One that points to your NAT; let's call this lambda-rt-to-nat:

Destination Target
131.179.0.0/16 local
0.0.0.0/0 nat-█████████████████

One that points to your IGW; let's call this lambda-rt-to-igw:

Destination Target
131.179.0.0/16 local
0.0.0.0/0 igw-████████

You're going to want to go into each of the subnets and assign it to its corresponding route table.

subnet name route table name
lambda-subnet-point-to-nat-1 lambda-rt-to-nat
lambda-subnet-point-to-nat-2 lambda-rt-to-nat
lambda-subnet-point-to-nat-3 lambda-rt-to-nat
lambda-subnet-point-to-igw lambda-rt-to-igw
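Before clicking through the console, it is worth checking the plan on paper: that the new /20 blocks actually sit inside the VPC CIDR without overlapping the existing subnets, and that a packet leaving a Lambda ENI in a "point-to-nat" subnet really ends up at the Internet Gateway. The script below is an added example, not part of the gist; it uses the gist's placeholder 131.179.0.0/16 and stands in for the redacted nat-/igw- ids with constructed placeholder strings. The route lookup is a longest-prefix match, which is how a VPC route table picks between the /16 local entry and the 0.0.0.0/0 default route, and the path follower models the fact that a NAT gateway re-sends traffic from its own subnet, so the NAT's subnet must itself have a route to the IGW.

```python
import ipaddress

# The gist's placeholder VPC CIDR (constructed; do not use it for real).
VPC_CIDR = ipaddress.ip_network("131.179.0.0/16")

# Existing subnets plus the four new ones from the gist (name -> CIDR).
SUBNETS = {
    "existing-1": "131.179.0.0/20",
    "existing-2": "131.179.16.0/20",
    "existing-3": "131.179.32.0/20",
    "existing-4": "131.179.48.0/20",
    "lambda-subnet-point-to-nat-1": "131.179.64.0/20",
    "lambda-subnet-point-to-nat-2": "131.179.80.0/20",
    "lambda-subnet-point-to-nat-3": "131.179.96.0/20",
    "lambda-subnet-point-to-igw": "131.179.112.0/20",
}

# Route tables as in the gist: destination -> target. The gateway ids are
# constructed placeholders standing in for the redacted nat-/igw- ids.
ROUTE_TABLES = {
    "lambda-rt-to-nat": {"131.179.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"},
    "lambda-rt-to-igw": {"131.179.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
}

SUBNET_ROUTE_TABLE = {
    "lambda-subnet-point-to-nat-1": "lambda-rt-to-nat",
    "lambda-subnet-point-to-nat-2": "lambda-rt-to-nat",
    "lambda-subnet-point-to-nat-3": "lambda-rt-to-nat",
    "lambda-subnet-point-to-igw": "lambda-rt-to-igw",
}

# Where the NAT gateway itself lives: in the IGW-facing subnet, as the gist does it.
NAT_SUBNET = {"nat-PLACEHOLDER": "lambda-subnet-point-to-igw"}


def check_subnet_plan(vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """Return a list of problems: subnets outside the VPC block or overlapping each other."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{n} {net} is not inside {vpc_cidr}" for n, net in nets.items()
                if not net.subnet_of(vpc_cidr)]
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def next_free_subnet(vpc_cidr=VPC_CIDR, subnets=SUBNETS, prefix=20):
    """First /prefix block inside the VPC that no existing subnet overlaps
    (the gist's 'increments of 16' pattern is just consecutive /20 blocks)."""
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    for candidate in vpc_cidr.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def lookup_route(table, dst):
    """Longest-prefix match, which is how a VPC route table picks a route:
    the /16 'local' entry wins for in-VPC traffic, 0.0.0.0/0 for everything else."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, target in ROUTE_TABLES[table].items():
        net = ipaddress.ip_network(dest)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_path(subnet, dst, nat_subnet=NAT_SUBNET, max_hops=4):
    """Follow a packet from an ENI in `subnet` toward `dst`, hop by hop. A NAT gateway
    re-sends the packet from its own subnet, so the path continues there. A healthy
    setup ends in 'local' (in-VPC) or an igw- target; a misrouted one ends 'unreachable'."""
    path, current = [], subnet
    for _ in range(max_hops):
        target = lookup_route(SUBNET_ROUTE_TABLE[current], dst)
        path.append(target)
        if target not in nat_subnet:
            return path
        current = nat_subnet[target]
    path.append("unreachable")
    return path


if __name__ == "__main__":
    print("plan problems:", check_subnet_plan() or "none")
    print("next free /20:", next_free_subnet())
    print("lambda -> internet:", egress_path("lambda-subnet-point-to-nat-1", "203.0.113.9"))
    print("lambda -> in-VPC host:", egress_path("lambda-subnet-point-to-nat-1", "131.179.3.7"))
    # If the NAT were placed in one of the NAT-facing subnets instead, its own
    # outbound traffic would follow the same default route back to itself.
    wrong = {"nat-PLACEHOLDER": "lambda-subnet-point-to-nat-1"}
    print("NAT in wrong subnet:", egress_path("lambda-subnet-point-to-nat-1", "203.0.113.9", wrong))
```

Running it prints the expected two-hop path (NAT, then IGW) for internet destinations, a single "local" hop for an in-VPC address, and shows why the NAT gateway has to be created in the subnet that routes to the IGW rather than in one of the Lambda subnets.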

Set your lambda up

Lambda > Functions > my-function > Configuration > Advanced Settings

Now you want to set up your Lambda function to use the subnets you created.

Set up your Lambda to use your VPC.

VPC

vpc-████████ (131.179.0.0/16)

Here you set up the Lambda to use the subnets that point to your NAT.

Subnets*

subnet name
lambda-subnet-point-to-nat-1
lambda-subnet-point-to-nat-2
lambda-subnet-point-to-nat-3

Create a NAT

VPC Dashboard > NAT Gateways > Create NAT Gateway

You're going to want to click Create NAT Gateway, set the Subnet* to lambda-subnet-point-to-igw, and choose Create New EIP.
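The same layout can be expressed as a CloudFormation template so that the creation order the console steps above dance around (IGW attached, then NAT, then routes) is handled by dependencies instead of by hand. The generator below is an added example and not the gist author's code; the logical resource names, the gist's placeholder CIDR 131.179.0.0/16, the HTTPS-only security group and the tiny inline function body are all constructed for illustration, and the existing VPC is passed in as a parameter. It also includes a small validator that catches dangling `Ref`/`Fn::GetAtt`/`DependsOn` names before the template is ever submitted.

```python
import json

# Constructed values mirroring the gist's subnet names (do not use this CIDR for real).
NAT_SUBNETS = {
    "LambdaSubnetPointToNat1": "131.179.64.0/20",
    "LambdaSubnetPointToNat2": "131.179.80.0/20",
    "LambdaSubnetPointToNat3": "131.179.96.0/20",
}
IGW_SUBNET = ("LambdaSubnetPointToIgw", "131.179.112.0/20")
VPC_ACCESS_POLICY = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"


def subnet(cidr, name):
    return {"Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "VpcId"}, "CidrBlock": cidr,
                           "Tags": [{"Key": "Name", "Value": name}]}}


def assoc(subnet_ref, rt_ref):
    return {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": {"Ref": subnet_ref}, "RouteTableId": {"Ref": rt_ref}}}


def build_template():
    r = {}
    for logical, cidr in NAT_SUBNETS.items():
        r[logical] = subnet(cidr, logical)
        r[logical + "Assoc"] = assoc(logical, "LambdaRtToNat")
    igw_logical, igw_cidr = IGW_SUBNET
    r[igw_logical] = subnet(igw_cidr, igw_logical)
    r[igw_logical + "Assoc"] = assoc(igw_logical, "LambdaRtToIgw")
    # The IGW has to be attached to the VPC before anything can route through it.
    r["Igw"] = {"Type": "AWS::EC2::InternetGateway"}
    r["IgwAttachment"] = {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": {"Ref": "VpcId"}, "InternetGatewayId": {"Ref": "Igw"}}}
    r["NatEip"] = {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}}
    # NAT gateway sits in the IGW-facing subnet (as in the gist) and waits for the attachment.
    r["NatGateway"] = {"Type": "AWS::EC2::NatGateway", "DependsOn": "IgwAttachment",
                       "Properties": {"AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
                                      "SubnetId": {"Ref": igw_logical}}}
    for rt in ("LambdaRtToNat", "LambdaRtToIgw"):
        r[rt] = {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VpcId"}}}
    # The VPC-local route is implicit in every route table; only the default routes are declared.
    r["DefaultRouteToNat"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "LambdaRtToNat"}, "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {"Ref": "NatGateway"}}}
    r["DefaultRouteToIgw"] = {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment", "Properties": {
        "RouteTableId": {"Ref": "LambdaRtToIgw"}, "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {"Ref": "Igw"}}}
    # Least-privilege egress: this function only needs outbound HTTPS (constructed choice).
    r["LambdaSg"] = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Lambda egress", "VpcId": {"Ref": "VpcId"},
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}
    # The managed policy grants the ENI create/describe/delete rights a VPC-attached function needs.
    r["LambdaRole"] = {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "ManagedPolicyArns": [VPC_ACCESS_POLICY]}}
    # Only the three NAT-facing subnets are handed to Lambda, never the IGW subnet.
    r["MyFunction"] = {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.12", "Handler": "index.handler",
        "Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]},
        "Code": {"ZipFile": "import urllib.request\n"
                            "def handler(event, context):\n"
                            "    return urllib.request.urlopen('https://checkip.amazonaws.com', timeout=5).read().decode().strip()\n"},
        "VpcConfig": {"SubnetIds": [{"Ref": n} for n in NAT_SUBNETS],
                      "SecurityGroupIds": [{"Ref": "LambdaSg"}]}}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
            "Resources": r}


def dangling_refs(template):
    """Names used in Ref, Fn::GetAtt or DependsOn that no Parameter or Resource defines."""
    known = set(template["Resources"]) | set(template.get("Parameters", {}))
    missing = set()

    def walk(node):
        if isinstance(node, dict):
            if "Ref" in node and node["Ref"] not in known:
                missing.add(node["Ref"])
            if "Fn::GetAtt" in node and node["Fn::GetAtt"][0] not in known:
                missing.add(node["Fn::GetAtt"][0])
            if "DependsOn" in node and node["DependsOn"] not in known:
                missing.add(node["DependsOn"])
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(template["Resources"])
    return sorted(missing)


def render():
    return json.dumps(build_template(), indent=2)


if __name__ == "__main__":
    assert dangling_refs(build_template()) == []
    print(render())
```

The inline function returns whatever checkip.amazonaws.com sees as the caller's address, which for a function in a NAT-routed subnet is the NAT gateway's Elastic IP; that is the address to hand to anyone who needs to allow-list the function's traffic.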

Fin

That should be it! Your Lambda should be able to talk to both the VPC and the web through the NAT! Comment below if you need help or want to clarify anything here!

Links

Shameless SEO terms

  • amazon lambda nat
  • aws lambda vpc web
  • aws lambda rds and web
  • aws lambda rds and http request
  • lambda timeout
  • AWS lambda timeout random vpc

scott2b commented Aug 17, 2016

I am confused about why you have associated the lambda-subnet-point-to-igw subnet with the NAT gateway, rather than the 3 nat subnets

vineus commented Aug 22, 2016

Thank you for the very clear tuto, works like a charm and way clearer than the doc. I used it to answer SO question here: http://stackoverflow.com/a/39082826/219265

@scott2b I think it's because:

  1. The Lambda is in one of the "point to NAT" subnets, and as such points traffic to the NAT
  2. When the NAT gets traffic, it needs something to send it out to the internet with (the IGW). So we put it in the IGW's subnet.

Just want to say thanks for the clear, step by step...we need more AWS docs like this!

This helped me a lot. Thank you!

This fails for me setting up the route tables. It won't let me add another route with the error

There are not any Internet Gateway, Network Interface, or Virtual Private Gateway targets.

mmmnt commented Dec 1, 2016

Thanks man, saved my day :-)

Thank you!!

dparlar commented Dec 14, 2016

This solution works perfectly. Thank you for writing this up :)

Asoul commented Jan 12, 2017

Thank you so so so much!!!!! This work well 👯‍♂️

postme commented Jan 13, 2017

Thank you very much, this really helped me!

JonathanBAdams commented Jan 26, 2017

I'll second leedjones' comment. I don't recall this being a problem the last time I created a VPC. Beside the "Add another route" button, you'll see the warning, "There are not any Internet Gateway, Network Interface, or Virtual Private Gateway targets."

Actually, the problem is suggested in the tutorial, which has us point a route to the nat and igw before having us create the nat (creating the igw is not mentioned.)

I was able to get around this by creating the NAT Gateway before editing the route tables. You'll need to do the same thing for an IGW, and don't forget to attach it to the appropriate VPC before trying to edit the route tables. (Actually, you need to do the IGW first or the NAT Gateway creation fails.)

mp3il commented Jan 30, 2017

Wooha! That's super useful. Thanks!

This helped me out quite a bit. Thank you!

Life saver !!!!!

👍 Thanks!

Dambre commented Mar 13, 2017

OMG, It is working!

eastjavabaker commented Mar 24, 2017

NAT gateway must be created first before creating new route tables with destination to NAT gateway

Thanks a lot.

This is probably the best description I’ve seen so far. ~ My Manager

I have followed your instructions here but still my Lambda can't send a POST request to my server. My code is like this https://stackoverflow.com/questions/43998130/send-aws-s3-events-in-cloudwatch-to-my-server-using-lambda-in-java but I'm not sure where it is wrong

Thank you very much!!!

2. VPC, the default setting where the lambda function can talk to your AWS services but can't talk to the web.

This is not correct. AWS services are also on the public Internet, so either you have a NAT Gateway and you can access AWS APIs and other Internet resources, or you can't connect to any of them.

Thank you!

Awesome tutorial, very clear thanks !!

KMNowak commented Jul 24, 2017

Thank you for this guide. Works perfect!

I had to implement the above Lambda VPC setup with Internet access inside a CloudFormation template:

https://gist.github.com/romaninsh/81d4ee778c1e20f709f3518c22521ba4

voho commented Aug 24, 2017

Hi, first - thanks for a great tutorial!!!
Some tips:

  • Could you please add a section on how to test this setup? Maybe simple JS/Python Lambda code?
  • I also second that the NAT must be created just after the subnets, before the routing tables.
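As an added example answering the request above for test code (it is not from the gist or the commenter), here is a small diagnostic Lambda handler in Python. The important failure mode it classifies is the one behind the "lambda timeout" symptom: a function in a VPC subnet whose route table has no NAT or IGW default route sends its SYN and never gets an answer, so without an explicit socket timeout the invocation simply hangs until the function's own timeout. The target hosts are constructed placeholders, and the resolver and connect functions are injectable so the classifier can be exercised without a network.

```python
import socket
import time
import urllib.request

# Constructed placeholders: a public endpoint reached via the NAT and an in-VPC service.
TARGETS = [("checkip.amazonaws.com", 443), ("internal-db.example.invalid", 5432)]


def probe(host, port, timeout=3.0, resolve=socket.gethostbyname,
          connect=socket.create_connection):
    """Classify TCP reachability of host:port with a short timeout.

    Statuses: 'ok', 'dns-failed', 'connect-timeout' (no SYN-ACK, the signature of a
    subnet without a NAT/IGW default route), 'refused' (host reachable, port closed or
    rejected), 'error' (anything else). `resolve` and `connect` are injectable for tests."""
    started = time.monotonic()
    try:
        addr = resolve(host)
    except socket.gaierror as exc:
        return {"host": host, "port": port, "status": "dns-failed", "detail": str(exc)}
    try:
        with connect((addr, port), timeout=timeout):
            status, detail = "ok", ""
    except socket.timeout:
        status, detail = "connect-timeout", "no SYN-ACK; check the subnet's route table and NAT"
    except ConnectionRefusedError as exc:
        status, detail = "refused", str(exc)
    except OSError as exc:
        status, detail = "error", str(exc)
    return {"host": host, "port": port, "ip": addr, "status": status,
            "detail": detail, "elapsed_s": round(time.monotonic() - started, 3)}


def public_ip(timeout=5.0):
    """Return the source address the outside world sees: the NAT gateway's EIP when the
    function runs in a NAT-routed subnet. None if the endpoint cannot be reached."""
    try:
        with urllib.request.urlopen("https://checkip.amazonaws.com", timeout=timeout) as resp:
            return resp.read().decode().strip()
    except OSError:
        return None


def summarize(results):
    """One-line verdict for the invocation log: every probe ok, or the first failure."""
    for res in results:
        if res["status"] != "ok":
            return f"{res['host']}:{res['port']} {res['status']} {res.get('detail', '')}".strip()
    return "all targets reachable"


def handler(event, context):
    """Lambda entry point: probe every target and report the egress IP and a verdict."""
    results = [probe(h, p) for h, p in TARGETS]
    return {"egress_ip": public_ip(), "probes": results, "summary": summarize(results)}


if __name__ == "__main__":
    # Local dry run outside Lambda; real hosts are resolved and contacted here.
    print(handler({}, None))
```

Deploy it into the three NAT-facing subnets, invoke it once, and read the summary: "connect-timeout" on the public target means the routing is not in place yet, "dns-failed" means the VPC's DNS settings are off, and an "ok" alongside an egress_ip equal to the NAT's Elastic IP confirms the setup the gist describes.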

WOW. 24 hours later, you lifesaver.
Why is it so hard to find any information on this?

Much much appreciated. Simple instructions, followed easily. Thank you !

Thanks so much. I was struggling to get my lambda setup and this helped me understand what my problem was.

You saved another day. Thanks a lot! <3

I'm trying to get my Lambda function to talk to another service that requires whitelisting. Which of these IPs can I give them to whitelist?
