Connecting to SMTP server from AWS Lambda
Clash Royale CLAN TAG#URR8PPP
On my AWS Lambda function, my javascript code times out whenever I try to use nodemailer
to connect to my Amazon SES SMTP server (port 465). However, if I run the script locally, it works fine, which leads me to believe it's either a problem with the lambda dialing out to the SMTP server, or the SMTP server blocking the lambda from connecting -- I suspect the former is the issue.
I am using a firewall behind my Cloudfront distribution, but I don't think this is applied to incoming SES connections or outgoing lambda functions. In VPC, I can see there is an Internet Gateway attached to the instance. The outgoing connections for the Security Group allows all protocols to access 0.0.0.0/0, however, the ACL looks odd in that it's both allowing and rejecting all inbound/outbound connections:
In VPC, I see 6 subnets listed, where it's not very obvious to me what exactly these are doing in the grand scheme of things.
In the logs, I just see Task timed out after 6.01 seconds
Any idea how I can get more information on where the hangup is at?
amazon-web-services amazon-vpc amazon-ses amazon-lambda
add a comment |
On my AWS Lambda function, my javascript code times out whenever I try to use nodemailer
to connect to my Amazon SES SMTP server (port 465). However, if I run the script locally, it works fine, which leads me to believe it's either a problem with the lambda dialing out to the SMTP server, or the SMTP server blocking the lambda from connecting -- I suspect the former is the issue.
I am using a firewall behind my Cloudfront distribution, but I don't think this is applied to incoming SES connections or outgoing lambda functions. In VPC, I can see there is an Internet Gateway attached to the instance. The outgoing connections for the Security Group allows all protocols to access 0.0.0.0/0, however, the ACL looks odd in that it's both allowing and rejecting all inbound/outbound connections:
In VPC, I see 6 subnets listed, where it's not very obvious to me what exactly these are doing in the grand scheme of things.
In the logs, I just see Task timed out after 6.01 seconds
Any idea how I can get more information on where the hangup is at?
amazon-web-services amazon-vpc amazon-ses amazon-lambda
add a comment |
On my AWS Lambda function, my javascript code times out whenever I try to use nodemailer
to connect to my Amazon SES SMTP server (port 465). However, if I run the script locally, it works fine, which leads me to believe it's either a problem with the lambda dialing out to the SMTP server, or the SMTP server blocking the lambda from connecting -- I suspect the former is the issue.
I am using a firewall behind my Cloudfront distribution, but I don't think this is applied to incoming SES connections or outgoing lambda functions. In VPC, I can see there is an Internet Gateway attached to the instance. The outgoing connections for the Security Group allows all protocols to access 0.0.0.0/0, however, the ACL looks odd in that it's both allowing and rejecting all inbound/outbound connections:
In VPC, I see 6 subnets listed, where it's not very obvious to me what exactly these are doing in the grand scheme of things.
In the logs, I just see Task timed out after 6.01 seconds
Any idea how I can get more information on where the hangup is at?
amazon-web-services amazon-vpc amazon-ses amazon-lambda
On my AWS Lambda function, my javascript code times out whenever I try to use nodemailer
to connect to my Amazon SES SMTP server (port 465). However, if I run the script locally, it works fine, which leads me to believe it's either a problem with the lambda dialing out to the SMTP server, or the SMTP server blocking the lambda from connecting -- I suspect the former is the issue.
I am using a firewall behind my Cloudfront distribution, but I don't think this is applied to incoming SES connections or outgoing lambda functions. In VPC, I can see there is an Internet Gateway attached to the instance. The outgoing connections for the Security Group allows all protocols to access 0.0.0.0/0, however, the ACL looks odd in that it's both allowing and rejecting all inbound/outbound connections:
In VPC, I see 6 subnets listed, where it's not very obvious to me what exactly these are doing in the grand scheme of things.
In the logs, I just see Task timed out after 6.01 seconds
Any idea how I can get more information on where the hangup is at?
amazon-web-services amazon-vpc amazon-ses amazon-lambda
amazon-web-services amazon-vpc amazon-ses amazon-lambda
edited Feb 23 at 23:49
iRyanBell
asked Feb 23 at 23:10
iRyanBelliRyanBell
1631519
1631519
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
This is expected.
Lambda functions in a VPC can't communicate with the Internet (including the standard service APIs) using an Internet Gateway, because an Internet Gateway requires the internal devices to have associated public IP addresses. Being on a public subnet (where the default route is the Internet Gateway) isn't sufficient.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
A NAT device -- typically a NAT Gateway -- is required, unless the service in question supports VPC Endpoints (which SES currently does not).
Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway.
The NAT Gateway is the newer alternative to the NAT Instance, which is an EC2 instance dedicated to the same purpose. This was formerly the only way to privide the required NAT service. Unlike a NAT Gateway, which is managed by AWS and is fault-tolerant, a NAT Instance represents a potential single point of failure (but has a lower associated cost).
Or, you can move the Lambda function out of the VPC if it requires no other VPC resources.
The Network ACL both allowing all and denying all is normal, because rules are processed in order. That last rule is the default behavior that would apply if the Allow rule is removed. It's mostly a visual cue to remind you why the NACL doesn't work if you delete the other rules. Users might otherwise assume that since they didn't explicitly deny something, that it should be allowed.
Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I getTask timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?
– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
|
show 2 more comments
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f955461%2fconnecting-to-smtp-server-from-aws-lambda%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is expected.
Lambda functions in a VPC can't communicate with the Internet (including the standard service APIs) using an Internet Gateway, because an Internet Gateway requires the internal devices to have associated public IP addresses. Being on a public subnet (where the default route is the Internet Gateway) isn't sufficient.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
A NAT device -- typically a NAT Gateway -- is required, unless the service in question supports VPC Endpoints (which SES currently does not).
Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway.
The NAT Gateway is the newer alternative to the NAT Instance, which is an EC2 instance dedicated to the same purpose. This was formerly the only way to privide the required NAT service. Unlike a NAT Gateway, which is managed by AWS and is fault-tolerant, a NAT Instance represents a potential single point of failure (but has a lower associated cost).
Or, you can move the Lambda function out of the VPC if it requires no other VPC resources.
The Network ACL both allowing all and denying all is normal, because rules are processed in order. That last rule is the default behavior that would apply if the Allow rule is removed. It's mostly a visual cue to remind you why the NACL doesn't work if you delete the other rules. Users might otherwise assume that since they didn't explicitly deny something, that it should be allowed.
Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I getTask timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?
– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
|
show 2 more comments
This is expected.
Lambda functions in a VPC can't communicate with the Internet (including the standard service APIs) using an Internet Gateway, because an Internet Gateway requires the internal devices to have associated public IP addresses. Being on a public subnet (where the default route is the Internet Gateway) isn't sufficient.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
A NAT device -- typically a NAT Gateway -- is required, unless the service in question supports VPC Endpoints (which SES currently does not).
Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway.
The NAT Gateway is the newer alternative to the NAT Instance, which is an EC2 instance dedicated to the same purpose. This was formerly the only way to privide the required NAT service. Unlike a NAT Gateway, which is managed by AWS and is fault-tolerant, a NAT Instance represents a potential single point of failure (but has a lower associated cost).
Or, you can move the Lambda function out of the VPC if it requires no other VPC resources.
The Network ACL both allowing all and denying all is normal, because rules are processed in order. That last rule is the default behavior that would apply if the Allow rule is removed. It's mostly a visual cue to remind you why the NACL doesn't work if you delete the other rules. Users might otherwise assume that since they didn't explicitly deny something, that it should be allowed.
Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I getTask timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?
– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
|
show 2 more comments
This is expected.
Lambda functions in a VPC can't communicate with the Internet (including the standard service APIs) using an Internet Gateway, because an Internet Gateway requires the internal devices to have associated public IP addresses. Being on a public subnet (where the default route is the Internet Gateway) isn't sufficient.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
A NAT device -- typically a NAT Gateway -- is required, unless the service in question supports VPC Endpoints (which SES currently does not).
Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway.
The NAT Gateway is the newer alternative to the NAT Instance, which is an EC2 instance dedicated to the same purpose. This was formerly the only way to privide the required NAT service. Unlike a NAT Gateway, which is managed by AWS and is fault-tolerant, a NAT Instance represents a potential single point of failure (but has a lower associated cost).
Or, you can move the Lambda function out of the VPC if it requires no other VPC resources.
The Network ACL both allowing all and denying all is normal, because rules are processed in order. That last rule is the default behavior that would apply if the Allow rule is removed. It's mostly a visual cue to remind you why the NACL doesn't work if you delete the other rules. Users might otherwise assume that since they didn't explicitly deny something, that it should be allowed.
Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
This is expected.
Lambda functions in a VPC can't communicate with the Internet (including the standard service APIs) using an Internet Gateway, because an Internet Gateway requires the internal devices to have associated public IP addresses. Being on a public subnet (where the default route is the Internet Gateway) isn't sufficient.
Important
If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
A NAT device -- typically a NAT Gateway -- is required, unless the service in question supports VPC Endpoints (which SES currently does not).
Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway.
The NAT Gateway is the newer alternative to the NAT Instance, which is an EC2 instance dedicated to the same purpose. This was formerly the only way to privide the required NAT service. Unlike a NAT Gateway, which is managed by AWS and is fault-tolerant, a NAT Instance represents a potential single point of failure (but has a lower associated cost).
Or, you can move the Lambda function out of the VPC if it requires no other VPC resources.
The Network ACL both allowing all and denying all is normal, because rules are processed in order. That last rule is the default behavior that would apply if the Allow rule is removed. It's mostly a visual cue to remind you why the NACL doesn't work if you delete the other rules. Users might otherwise assume that since they didn't explicitly deny something, that it should be allowed.
Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
edited Feb 24 at 2:12
answered Feb 24 at 0:02
Michael - sqlbotMichael - sqlbot
15.8k3360
15.8k3360
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I getTask timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?
– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
|
show 2 more comments
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I getTask timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?
– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Ok, I created an NAT Gateway. I'm not quite seeing how I get my lambda function to use this to connect to the outside internet. It looks like this is done through some sort of routing table route propagation (through an "internet gateway") based on subnet addressing? I suppose it's not as simple as attaching the subnet to the VPC and then attaching the NAT gateway to the subnet (do I need all of these subnets?) I'm feeling a little bit like the meme of the dog with the test tubes.
– iRyanBell
Feb 24 at 1:16
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Create the NAT Gateway on one of the existing subnets. It needs to be located on a subnet with the default route pointing to the Internet Gateway so it can access the Internet. Then, create a new route table, with the default route pointing to the NAT Gateway. Then, create two new subnets, in two availability zones, using this new route table for those subnets. Attach the Lambda function to the new subnets.
– Michael - sqlbot
Feb 24 at 1:40
Hmm, now I get
Task timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?– iRyanBell
Feb 24 at 1:54
Hmm, now I get
Task timed out after 6.01 seconds
when my lambda tries to connect to Elasticache. The lambda, database, ACL, and NAT Gateway are all on the same subnet, and the route table has the internet gateway attached. Why would I need to create new subnets... and why different availability zones than my servers? (and what would I use for "IPv4 CIDR block") ?– iRyanBell
Feb 24 at 1:54
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
You need different subnets because, as I mentioned above, you have to "Place the NAT Gateway on a public subnet (so that it can access the Internet using the Internet Gateway) and then create one or more private subnets, pointing their default route to the NAT Gateway." A NAT Gateway can't be on a the same subnet it serves. If all your resources are in a single AZ, you can just use one new subnet in that AZ. Based on your current subnets, it looks like you could use CIDR block 172.31.x.0/20 where x is 96, 112, 128, 144, any number up to 240 as long as it is divisible by 16.
– Michael - sqlbot
Feb 24 at 2:10
1
1
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
Associate the new route table with the new subnets -- not the subnet the NAT Gateway is on. The new route table is tied to the NAT Gateway because its 0.0.0.0 route needs to specify the NAT Gateway as its target. Also note that 172.32.x.x and 172.33.x.x are not valid CIDR choices. They are allowed because the system doesn't enforce RFC-1918 compliance, but those are definitely not valid choices, here. If the IP address starts with 172, the second number must be between 16 and 31. See my suggested blocks, in the previous comment.
– Michael - sqlbot
Feb 24 at 2:36
|
show 2 more comments
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f955461%2fconnecting-to-smtp-server-from-aws-lambda%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown