
How do I give internet access to a Lambda function that's connected to Amazon VPC?


I want to grant internet access to my AWS Lambda function that has an Amazon Virtual Private Cloud (Amazon VPC) connection.

Short description

By default, Lambda functions run in a Lambda-managed VPC that has internet access. When you connect a function to a VPC in your own account, it can't connect to the internet even if you associate it with a public subnet, because the function's network interface has only a private IP address and no public IP address.

Connecting a Lambda function to a VPC in your AWS account restricts the function to resources within that VPC unless the VPC itself has a path to the internet. To give the function internet access, add a NAT gateway or NAT instance.

Note: You can use interface VPC endpoints to connect to supported AWS services from within an Amazon VPC connection without internet access.

Resolution

Verify that the following resources allow outbound internet access to your Lambda function:

If any of the preceding resources don't grant internet access to your Lambda function, then reconfigure the resource to grant your function internet access. You can run the AWSSupport-TroubleshootLambdaInternetAccess runbook, or you can manually grant access to the internet.

Use the AWSSupport-TroubleshootLambdaInternetAccess runbook

Prerequisite

Before you start the runbook, make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see the Required IAM permissions section of AWSSupport-TroubleshootLambdaInternetAccess.

Complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, expand Change Management Tools, and then choose Automation.
  3. Choose Execute runbook.
  4. Choose the Owned by Amazon tab, and then search for TroubleshootLambdaInternetAccess.
  5. Choose the AWSSupport-TroubleshootLambdaInternetAccess card.
    Note: Don't choose the name of the automation.
  6. Choose Next.
  7. Choose Execute.

Review the runbook's output to determine what caused your Lambda function to lose access to the internet and how to resolve the issue.

Manually grant internet access

Create a public subnet and private subnet in Amazon VPC

Create a private subnet for your Lambda function and a public subnet for your NAT gateway. For the Name tag field, enter a name for each subnet that identifies it as either public or private. For example, use Public subnet, Private Lambda 1, and Private Lambda 2.

Note: It's a best practice to create more than one private subnet across different Availability Zones. This action creates redundancy and allows Lambda to maintain high availability for your function.

Use an internet gateway to add internet access to the subnet

Create an internet gateway. Then, attach it to your VPC.

Create a NAT gateway

Create a NAT gateway. For Subnet, select the subnet that you want to make public. For example, choose Public subnet.

(Optional) Test your NAT gateway setup.

Create two custom route tables

Note: When a Lambda function in a VPC makes requests, the function randomly selects an associated subnet. If the function uses an incorrectly configured subnet, then you receive an error. To avoid this issue, make sure to use the same configuration for all subnets that your function uses.

To set up your custom route tables, complete the following steps:

  1. Create a route table for the public subnet and one for the private subnet.
    For the Name tag field, enter a name for each route table to help you identify the subnet that it's associated with. For example, use Public subnet and Private Lambda.
  2. Associate the private and public subnets with the route tables.
  3. Add a new route to the route tables, and include the following configurations:
    For Destination, enter 0.0.0.0/0.
    For Target, choose Internet gateway for the public subnet, and enter the internet gateway ID. Choose NAT gateway for the private subnet, and enter the NAT gateway ID.
    Important: If you use a NAT instance instead of a NAT gateway, then choose Network interface instead of NAT gateway.
  4. Choose Save routes.

Note: Make sure that the routes to your NAT gateway are in the Active state. If you delete the NAT gateway and you didn't update the routes, then the routes have a Blackhole status.
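The route-table rules above (a 0.0.0.0/0 route to a NAT gateway or NAT instance, in the Active state, on every subnet the function uses) can be checked offline against `describe-route-tables` output. This is an added example, not code from the article or the runbook; the route tables and IDs are constructed, and a subnet with no explicit association falls back to the VPC main route table, as it does in EC2.

```python
# Constructed data shaped like `aws ec2 describe-route-tables` output; nothing
# here calls AWS. 'rtb-main' is the VPC main table (no default route),
# 'rtb-public' routes to an internet gateway, 'rtb-private' to a NAT gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                 "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                 "GatewayId": "igw-1", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-lambda-1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                 "NatGatewayId": "nat-1", "State": "active"}]},
]

def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def check_subnet(subnet_id, route_tables):
    """Return 'ok' or the reason a Lambda ENI in this subnet has no internet path."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return f"{subnet_id}: no route table found"
    default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default:
        return f"{rt['RouteTableId']}: no 0.0.0.0/0 route"
    route = default[0]
    if route.get("State") != "active":  # 'blackhole' after the NAT gateway is deleted
        return f"{rt['RouteTableId']}: default route state is {route.get('State')}"
    if route.get("GatewayId", "").startswith("igw-"):
        return f"{rt['RouteTableId']}: default route is an internet gateway, which needs a public IP"
    if route.get("NatGatewayId") or route.get("NetworkInterfaceId"):
        return "ok"  # NAT gateway, or a NAT instance's network interface
    return f"{rt['RouteTableId']}: default route target is not a NAT gateway or NAT instance"

def check_function_subnets(subnet_ids, route_tables):
    """Lambda picks one of its subnets per request, so every subnet must pass."""
    return {s: check_subnet(s, route_tables) for s in subnet_ids}
```

A function attached to both `subnet-lambda-1` and `subnet-lambda-2` (the latter only on the main table) fails intermittently, which is exactly the symptom the note above describes.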

Review your network ACL configuration

The default network ACL in your VPC allows all inbound and outbound traffic. If you change the network ACL rules, then make sure that you allow outbound requests from your Lambda function. Also, make sure that your network ACL allows the following inbound traffic:

  • For a private subnet that uses a NAT gateway, allow inbound traffic on ephemeral ports 1024-65535.
  • For a private subnet that uses a NAT instance, allow inbound traffic on the ephemeral ports that your NAT instance operating system (OS) uses.

For more information, see Ensure internetwork traffic privacy in Amazon VPC.
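Because network ACL rules are evaluated by ascending rule number with the first match deciding, a single early deny rule can leave a gap inside the 1024-65535 range that the text says must be open. The following added example (not the article's code) evaluates a constructed ACL shaped like `describe-network-acls` output and reports which ephemeral ports would drop NAT return traffic.

```python
import ipaddress

# Constructed custom network ACL shaped like `describe-network-acls` output.
# Rule 100 allows the ephemeral range, but the earlier deny rule 90 punches a
# hole at 8080; rule 32767 is the catch-all deny every network ACL ends with.
NACL = {"NetworkAclId": "acl-constructed", "Entries": [
    {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 8080, "To": 8080}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]}

def inbound_rules_for(acl, src_ip, proto="6"):
    """Inbound entries that can match this source and protocol, in the order
    the VPC evaluates them (ascending rule number). Protocol "-1" means all."""
    src = ipaddress.ip_address(src_ip)
    return sorted((e for e in acl["Entries"]
                   if not e["Egress"] and e["Protocol"] in ("-1", proto)
                   and src in ipaddress.ip_network(e["CidrBlock"])),
                  key=lambda e: e["RuleNumber"])

def inbound_allowed(rules, port):
    """First rule whose port range covers the port decides; no match means deny."""
    for e in rules:
        pr = e.get("PortRange")
        if pr is None or pr["From"] <= port <= pr["To"]:
            return e["RuleAction"] == "allow"
    return False

def blocked_ephemeral_ports(acl, src_ip="203.0.113.10"):
    """Ephemeral ports (1024-65535) on which NAT return traffic would be dropped.
    The source is an arbitrary internet host (TEST-NET-3): a NAT gateway rewrites
    only the inside address, so replies arrive with the remote host's IP."""
    rules = inbound_rules_for(acl, src_ip)
    return [p for p in range(1024, 65536) if not inbound_allowed(rules, p)]
```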

Create a Lambda execution role

Create a Lambda execution role for your VPC. Then, update the Lambda function to use the new Lambda execution role.

Configure your Lambda function to connect to your VPC

Attach your function to your VPC. For Subnets, select your private subnet. For Security groups, select a security group.

Note: The default security group allows all outbound internet traffic and is sufficient for most use cases. For more information, see Control traffic to your AWS resources using security groups.

For IPv6 traffic, a Lambda function with an Amazon VPC connection can use an egress-only internet gateway to access the internet. For more information, see IPv6 support.

Related information

Troubleshoot networking issues in Lambda

How do I troubleshoot timeout issues with a Lambda function that's in an Amazon VPC?

How do I troubleshoot an ETIMEDOUT error in my Lambda function?

Giving Lambda functions access to resources in an Amazon VPC

How do I troubleshoot Lambda function failures?

5 Comments

Is it possible to give our lambda functions in a private subnet access to internet via an ipv6 egress only internet gateway instead of a nat gateway?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

@pierre Yes! Just assign an IP to the Elastic Network Interface (ENI) created by Lambda.

replied 2 years ago

This article leaves a lot to be desired; a lot of holes and research to be done if you don't already know what you're doing.

See this answer on SO - https://stackoverflow.com/questions/37135725/aws-lambda-connecting-to-internet/55267891#55267891 - has step by step images and was easy to follow. It's based on this article but doesn't direct you to more documentation to figure out additional steps.

Followed the SO answer and resolved my issue of using RDS + SES and/or RDS + S3 within the same lambda function on a publicly accessible (ip limited) RDS instance.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied a year ago