node.js - Security group setup to restrict EC2 to VPC lambda - Stack Overflow
I have an EC2 and lambda in the same VPC. The EC2 is running a web server, and I only want it accessible via my lambda (and ssh), so I set the EC2 security group to have inbound rule http-tcp-80-LambdaSecurityGroup (and ssh-tcp-22-MyHomeIP).
The LambdaSecurityGroup allows all outbound traffic (1 rule: AllTraffic-All-All-0.0.0.0/0). The lambda is in private subnets, and connects to the internet using a NAT gateway. Basically I set up lambda as described in Access Resources in a VPC from Your Lambda Functions, Giving Lambda functions access to resources in an Amazon VPC, and the first answer in Stack Overflow - AWS security group inbound rule.
When I (use AWS console's Test to) run my lambda, it does not connect to EC2 (times out after 10-11 seconds). But if I change the EC2 security group to allow inbound http-tcp-80-0.0.0.0/0 (Anywhere IPv4), then everything works as expected (EC2 web server receives lambda request and replies).
But of course I don't want to open up my EC2 web server to the entire public, so how can I get my EC2 to only allow the HTTP (POST) requests coming from my lambda?
Reasoning / Debugging:
- Since the lambda reaches EC2 successfully when the latter allows all inbound traffic, and since the lambda can access other online resources, I don't think the issue can be my setup of the VPC, NAT gateway, etc.
- I double-checked lambda's Configuration > VPC and it shows it has the correct LambdaSecurityGroup. Is anything else required for EC2 to recognize these requests as coming from my lambda?
- I tried modifying the inbound rules for EC2 lambda to AllTraffic-All-All-LambdaSecurityGroup, and this still fails.
- I added a rule to LambdaSecurityGroup allowing all inbound traffic and, as expected, this still fails.
- Writing all this, I'm wondering if running in AWS console's test might change anything. I'll try running in production and update this line accordingly...
Additional Details:
- My EC2 is IPv4 only.
- Excerpt of relevant Lambda code:
// Requires Node.js 18+ (global fetch); value1 and value2 are passed in by the caller
function postToEc2(value1, value2) {
  const postRequestData = { key1: value1, key2: value2 };
  return new Promise((resolve, reject) => {
    // Note: uses EC2 public IPv4 address (1.2.3.4 is a placeholder); the port goes before the path
    fetch('http://1.2.3.4:80/post', {
      method: 'post',
      body: JSON.stringify(postRequestData),
      headers: {'Content-Type': 'application/json'}
    })
    .then((response) => {
      console.log("Response: ", response);
      resolve(response);
    })
    .catch(err => {
      console.log("ERROR: Could not fetch response: ", err);
      reject("EC2 unavailable.");
    });
  });
}
asked Mar 13 at 13:13 by Philip H
Comment (Mark B, Mar 13 at 14:14): As mentioned below, you have to use the EC2 instance's private IP in the Lambda function to make this work the way you want.
1 Answer
Answer (2 votes): The issue is actually with using the public EC2 IP, isn't it?
When you use the public IP, the Lambda function exits your VPC. So, within a VPC, it's generally more effective and secure to use the private IP for communication.
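An added example, not code from the question or the answer: a Lambda handler that targets the instance's private IPv4 address (assumed to arrive in an EC2_PRIVATE_IP environment variable, a name chosen here), refuses any non-RFC 1918 host so the request cannot leave the VPC through the NAT gateway and lose its security-group identity, and aborts early instead of hanging on a security group's silent drop.

```javascript
// Added example, not from the question or answer. Assumes Node.js 18+ (global
// fetch/AbortController) and EC2_PRIVATE_IP in the environment (name chosen here).
const PRIVATE_V4_RANGES = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]]; // RFC 1918

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Only an RFC 1918 destination stays inside the VPC; a public address is routed out
// via the NAT gateway, so a rule sourced from LambdaSecurityGroup can never match it.
function isPrivateIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_V4_RANGES.some(([base, bits]) => {
    const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function buildTargetUrl(host, port = 80, path = '/post') {
  if (!isPrivateIPv4(host)) {
    throw new Error(`refusing non-private target ${host}; use the instance's private IPv4 address`);
  }
  return `http://${host}:${port}${path}`; // port before the path
}

// A non-matching security group drops packets silently; abort early rather than
// waiting for the function's own timeout (the 10-11 s hang the question describes).
async function handler(event, timeoutMs = 3000) {
  const url = buildTargetUrl(process.env.EC2_PRIVATE_IP || '');
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const response = await fetch(url, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ key1: 'value1', key2: 'value2' }), // constructed payload
      signal: controller.signal,
    });
    return { statusCode: response.status, body: await response.text() };
  } finally {
    clearTimeout(timer);
  }
}
```

With the EC2 inbound rule http-tcp-80-LambdaSecurityGroup from the question left in place, this handler succeeds against the private address and throws immediately if someone configures the public one.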