I have a lambda function that accesses my Postgres db in RDS via VPC. After it queries the db, I want to post a notification to SNS. Because my lambda function exists in my VPC, it cannot access SNS. I have an internet gateway on my VPC. I read through the VPC endpoint documentation and currently only s3 is supported.

Is there any way to publish to SNS from a lambda function in a VPC?

Khalid T.
lawrence

4 Answers

UPDATE

As of April 2018, SNS supports VPC Endpoints via AWS PrivateLink. So, there will be no need to set up an Internet Gateway or a NAT instance in order for a Lambda function inside your VPC to publish SNS notifications.

See this blog post for more details.

Khalid T.
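The endpoint itself is only half of the PrivateLink setup: a new interface endpoint gets a policy that allows every SNS action on every topic for any principal, and the Lambda role's own `sns:Publish` grant would still work over the public API if the function ever got a NAT. The following is an added example (not the answer's or AWS's own code) that builds a least-privilege endpoint policy, a topic policy that refuses publishes arriving by any path other than the endpoint (via the `aws:SourceVpce` condition key), and a small audit helper that flags the default "allow everything" shape. The topic ARN, endpoint ID and role ARN are placeholders.

```python
import json

# Placeholders chosen for this example; substitute your own ARNs and IDs.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:db-query-done"
VPCE_ID = "vpce-0123456789abcdef0"
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/db-query-lambda"

# Shape of the policy attached to a new interface endpoint when you do not
# supply one: any principal, any action, any resource.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
}


def endpoint_policy(topic_arn):
    """Endpoint policy: only sns:Publish to one topic may cross this endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishToOneTopicOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def topic_policy(topic_arn, role_arn, vpce_id):
    """Topic resource policy: the Lambda role may publish, and nobody may
    publish to this topic except through the named endpoint.

    aws:SourceVpce is absent on requests that reach the public SNS API, so
    StringNotEquals matches those requests and the Deny applies to them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLambdaRole",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "sns:Publish",
                "Resource": topic_arn,
            },
            {
                "Sid": "DenyPublishOutsideEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "sns:Publish",
                "Resource": topic_arn,
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def overly_broad_statements(policy):
    """Return the Sids of Allow statements that cover every action or every
    resource, i.e. the shape of the default endpoint policy."""
    broad = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "sns:*") for a in actions) or "*" in resources:
            broad.append(st.get("Sid", "<no Sid>"))
    return broad


def to_json(policy):
    """Serialise for `aws ec2 modify-vpc-endpoint --policy-document` or
    `aws sns set-topic-attributes --attribute-name Policy`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("default endpoint policy is broad in:",
          overly_broad_statements(DEFAULT_ENDPOINT_POLICY))
    print(to_json(endpoint_policy(TOPIC_ARN)))
    print(to_json(topic_policy(TOPIC_ARN, LAMBDA_ROLE_ARN, VPCE_ID)))
```

Two things the policies do not replace: the Lambda execution role still needs `sns:Publish` on the topic in its identity policy, and the endpoint's security group must accept TCP 443 from the function's security group. The blanket Deny is deliberate for a topic that only this function should feed; if other AWS services or operators publish to the same topic from outside the VPC, drop that statement rather than weakening its condition.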
You will need a NAT server running in your VPC to route traffic outside of the VPC. AWS now offers a managed NAT service that makes this easier.

garnaat
  • Couldn't my scenario be achieved just by having an internet gateway on my VPC? I've been reading the docs on NAT and it seems to just add security measures on inbound access. – lawrence Mar 14 '16 at 22:43
  • No, you will need a NAT to forward the traffic. See the FAQs doc (https://aws.amazon.com/lambda/faqs/). – garnaat Mar 14 '16 at 23:26
  • I see. In my case, I think setting up a NAT is a bit unnecessary, so I ended up changing my use case to log my postgres data into a txt file and upload it to s3 (via VPC endpoints), then use the s3 put event to trigger my other aws services. Thanks for your input. – lawrence Mar 14 '16 at 23:39
  • Hopefully VPC endpoints for more services will be available soon. It would make this much easier to solve. – garnaat Mar 14 '16 at 23:41
  • Maybe it will be helpful to someone. In my case, there were a couple of subnets set up in my VPC. The one I had configured my Lambda with had a route table sending all IP destinations (except for the IPs of the subnet) to the Internet Gateway, but unfortunately while I was making the call to SNS from Lambda, it was resolving to AWS's private IP, I suspect. So it did not have a valid route and was timing out. I then changed to the subnet whose route table had internal routing, and then it worked like a charm. – codarrior Oct 20 '16 at 03:37
  • Hi @mirazalmamun, can you please elaborate a little bit more? I have lambdas in a VPC and I cannot call SNS. Thanks for (maybe more than) a hint in advance. – DavidC Jul 30 '17 at 12:55
  • Maybe I'm just too new to all of this AWS stuff, but is there any way to flesh this answer out a bit more? Do I need to attach a policy/security group to the Lambda to let it interact with the NAT? To the SNS to let it listen through the NAT? Am I even making sense? – dwanderson Dec 06 '17 at 20:23
  • @garnaat SNS now supports VPC endpoints -> https://aws.amazon.com/blogs/security/securing-messages-published-to-amazon-sns-with-aws-privatelink/. – Khalid T. Apr 14 '18 at 22:50
I finally managed to get it working...

The trick is that you MUST have 2 subnets.

A public one, with a routing table that sends traffic to the Internet Gateway of your VPC. Put the NAT in there.

And a private one, with a routing table that sends traffic to the NAT. Put the Lambdas in there. (BTW Making a public subnet means setting the Auto-assign Public IP option to Yes.)

It is outlined in this overview diagram from the AWS docs:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html#Configuration-2

Ldom
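The two-subnet layout above is easy to get backwards, and the failure mode is a silent timeout rather than an error: a Lambda ENI never receives a public IP, so a subnet whose default route points at the Internet Gateway gives the function no working egress at all, while the NAT itself only works from a subnet that does route to the IGW. The following is an added example (not the answer's or AWS's code) that classifies subnets from their route tables and checks both placements; the route tables are constructed inline in the shape `aws ec2 describe-route-tables` returns, and all IDs are placeholders.

```python
def route_table_for(subnet_id, route_tables):
    """Route table that applies to a subnet: its explicit association if it
    has one, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Target of the 0.0.0.0/0 route, or None when the table has no default
    route (only the VPC-local route)."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("InstanceId") or route.get("NetworkInterfaceId"))
    return None


def classify_subnet(subnet_id, route_tables):
    """'public' (default route to an IGW), 'private-nat' (default route to a
    NAT gateway or a NAT instance/ENI), 'isolated' (no default route)."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return "unknown"
    target = default_route_target(rt)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "i-", "eni-")):
        return "private-nat"
    return "other"


def check_layout(lambda_subnet_ids, nat_subnet_id, route_tables):
    """Return a list of findings; an empty list means the layout is right."""
    findings = []
    for sid in lambda_subnet_ids:
        kind = classify_subnet(sid, route_tables)
        if kind == "public":
            findings.append("%s: Lambda in a public subnet; its ENI has no public "
                            "IP, so the IGW route gives it no egress and SNS calls "
                            "time out" % sid)
        elif kind == "isolated":
            findings.append("%s: no default route; add a NAT route or use a VPC "
                            "endpoint" % sid)
        elif kind != "private-nat":
            findings.append("%s: unexpected default route target" % sid)
    if classify_subnet(nat_subnet_id, route_tables) != "public":
        findings.append("%s: NAT must sit in a subnet whose default route is "
                        "the Internet Gateway" % nat_subnet_id)
    return findings


# Constructed sample: a main table with only the local route, a public table
# and a private table, in the shape describe-route-tables returns.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]

if __name__ == "__main__":
    # Correct layout: Lambda in the private subnet, NAT in the public one.
    print(check_layout(["subnet-private"], "subnet-public", SAMPLE_ROUTE_TABLES))
    # The mistake from the comments above: Lambda placed in the public subnet.
    for f in check_layout(["subnet-public"], "subnet-public", SAMPLE_ROUTE_TABLES):
        print("FINDING:", f)
```

`subnet-isolated` in the test below has no explicit association and therefore falls back to the main table, which is how a freshly created subnet behaves; the function reports it as having no route out rather than guessing.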
I know this is old, but here's another option that works, for those who don't want to configure a NAT. Instead of trying to have a lambda function inside the VPC that interacts with SNS, split into 2 lambda functions, as follows.

Function 1 sits inside the VPC and interacts with the database, returning the result of your database interaction (eg, a list of IDs matching some criteria).

Function 2 sits outside the VPC, invokes Function 1, then processes the array of values and publishes the appropriate SNS notifications (eg, sends a message based on each ID in the list).

Would be nice if there was a VPC endpoint for SNS, but still in late 2016 this does not seem to be the case.

abbm
  • My understanding is that `Function 1`, by virtue of being inside of the VPC, would lose internet access. Thus, how would `Function 2` invoke `Function 1`? – codeperson Feb 18 '17 at 19:22
  • `Function 2` can invoke `Function 1`, as long as `Function 2`'s execution policy includes permissions to invoke `Function 1`. As far as I understand it, `Function 2` loses internet access in the sense that it can't dial out, it can only access other things inside the VPC. (It can still be accessed by external lambda functions with appropriate permissions.) – abbm Feb 19 '17 at 22:27
  • I agree that SNS needs VPC support – Tom Mar 18 '17 at 17:09
  • As far as I know this is a better solution than configuring a NAT. NATs are $35/month, which is way too expensive for an indie dev. – Karthik Mar 29 '18 at 13:56
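The split works because a synchronous `Invoke` goes through the Lambda control plane, not through the VPC, so Function 1 needs no network path out at all; what Function 2 needs is an execution role allowed to invoke exactly that function and publish to exactly that topic. The following is an added example (not the answer's own code) of Function 2: its least-privilege role policy, and a handler that calls Function 1, treats the returned payload as untrusted input, surfaces a `FunctionError` instead of publishing on a failed run, and then fans out one SNS message per ID. Function names, the topic ARN and the event shapes are placeholders, and the AWS clients are injected so the handler runs offline against the fakes at the bottom.

```python
import io
import json

# Placeholders for this example.
FUNCTION_1_ARN = "arn:aws:lambda:us-east-1:123456789012:function:db-query"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:db-query-done"
MAX_IDS = 1000  # cap the fan-out so a bad query cannot flood the topic


def function2_role_policy(function1_arn, topic_arn):
    """IAM policy for Function 2's execution role: invoke one function,
    publish to one topic, nothing else. Function 1's role needs neither."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "lambda:InvokeFunction",
             "Resource": function1_arn},
            {"Effect": "Allow", "Action": "sns:Publish",
             "Resource": topic_arn},
        ],
    }


def fetch_ids(invoke, function1_arn, criteria):
    """Synchronously invoke Function 1 and validate what comes back."""
    resp = invoke(FunctionName=function1_arn,
                  InvocationType="RequestResponse",
                  Payload=json.dumps(criteria).encode("utf-8"))
    raw = resp["Payload"].read()
    if resp.get("FunctionError"):
        # Payload holds the error document, not a result; do not fan out.
        raise RuntimeError("Function 1 failed: %s" % raw.decode("utf-8", "replace"))
    body = json.loads(raw)
    ids = body.get("ids") if isinstance(body, dict) else None
    if not isinstance(ids, list) or not all(isinstance(i, int) for i in ids):
        raise ValueError("Function 1 returned an unexpected payload shape")
    if len(ids) > MAX_IDS:
        raise ValueError("Function 1 returned %d ids, limit is %d" % (len(ids), MAX_IDS))
    return ids


def lambda_handler(event, context=None, invoke=None, publish=None):
    """Function 2 entry point. In Lambda the clients come from boto3; for local
    runs pass callables with the same keyword signatures."""
    if invoke is None or publish is None:
        import boto3  # present in the Lambda runtime; imported lazily
        invoke = invoke or boto3.client("lambda").invoke
        publish = publish or boto3.client("sns").publish
    ids = fetch_ids(invoke, FUNCTION_1_ARN, event.get("criteria", {}))
    message_ids = []
    for row_id in ids:
        resp = publish(TopicArn=TOPIC_ARN,
                       Message=json.dumps({"id": row_id}),
                       Subject="db-query result")
        message_ids.append(resp["MessageId"])
    return {"published": len(message_ids), "message_ids": message_ids}


# Constructed fakes standing in for boto3's lambda.invoke and sns.publish.
def fake_invoke(payload, function_error=None):
    def invoke(FunctionName, InvocationType, Payload):
        resp = {"StatusCode": 200,
                "Payload": io.BytesIO(json.dumps(payload).encode("utf-8"))}
        if function_error:
            resp["FunctionError"] = function_error
        return resp
    return invoke


class FakeSns:
    def __init__(self):
        self.messages = []

    def publish(self, **kwargs):
        self.messages.append(kwargs)
        return {"MessageId": "msg-%d" % len(self.messages)}


if __name__ == "__main__":
    sns = FakeSns()
    print(lambda_handler({"criteria": {"status": "new"}},
                         invoke=fake_invoke({"ids": [7, 8, 9]}),
                         publish=sns.publish))
```

The `Payload` validation matters more than it looks: Function 1 sits next to the database, so whatever it returns is the only thing that crosses the trust boundary into the publisher, and a loose `for x in payload` would happily publish on a stack trace or an error document. Keep the synchronous response under Lambda's 6 MB invoke payload limit; if the ID list can grow past that, have Function 1 page or write to S3 instead.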