AWS Lambda function not joining VPC


Problem description:

I am trying to connect to my AWS Aurora DB. Following the documentation guide 3 times over, I received the same timeout error on the MySQL connection. After digging in, it seems that my Lambda function is simply not joining the VPC.

I will list some outputs (with unnecessary lines removed) to show how I came to this conclusion.

If anyone can point out where I went wrong in my configuration, please let me know. Before anyone mentions it, yes, I have checked the DB program variables many times; it has to be a configuration issue.

Role:

$ aws lambda get-function-configuration --function-name "test" --output json
{
    "FunctionName": "test",
    "VpcConfig": {
        "SubnetIds": [
            "subnet-560b810e",
            ...
        ],
        "VpcId": "vpc-c3e2f3a7",
        "SecurityGroupIds": [
            "sg-e029969a"
        ]
    },
    "Role": "arn:aws:iam::141066641105:role/test"
}

Attached policies list:

$ aws iam list-attached-role-policies --role-name test --output json
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaVPCAccessExecutionRole",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
        }
    ]
}

VPC:

$ aws ec2 describe-vpcs --vpc-ids "vpc-c3e2f3a7" --output json
{
    "Vpcs": [
        {
            "VpcId": "vpc-c3e2f3a7",
            "State": "available",
            "CidrBlock": "172.31.0.0/16",
        }
    ]
}

Security group:

$ aws ec2 describe-security-groups --group-ids "sg-e029969a" --output json
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [],
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 0,
                    "IpRanges": [],
                    "ToPort": 65535,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [
                        {
                            "UserId": "141066641105",
                            "GroupId": "sg-e029969a"
                        }
                    ]
                },
            ],
            "GroupName": "db-access",
            "VpcId": "vpc-c3e2f3a7",
            "OwnerId": "141066641105",
            "GroupId": "sg-e029969a"
        }
    ]
}

IP address python code:

import logging
import socket
import subprocess

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Resolve the DB endpoint from inside the function.
response = socket.gethostbyname('test.db')
logger.info("test.db IP: " + response)

# Dump the network interfaces visible inside the Lambda sandbox.
command = "/sbin/ip addr show"
process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=None, shell=True)
response = process.communicate()
# communicate() returns bytes; decode before concatenating with a str.
logger.error("IP command: " + response[0].decode())

IP address output:

test.db IP: 172.31.29.170
IP command: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
57: vinternal_19@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8a:ae:cc:86:d7:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 169.254.76.37/23 scope global vinternal_19
       valid_lft forever preferred_lft forever
60: vtarget_10@if59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 72:6b:24:a0:47:d4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 169.254.79.1/32 scope global vtarget_10
       valid_lft forever preferred_lft forever

As you can see, for some reason I am getting a 169.254.x.x address instead of the VPC's 172.31.x.x. Also to note is that the DB is a part of the same security group in the same VPC.

Your security group shows an empty IpPermissionsEgress.

{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [],
            ...

If I'm reading it correctly, that means all outbound traffic is blocked.

Egress rules are traditionally opened to all traffic, on the assumption that you can trust what is running on your Amazon EC2 instance. So, you could either open it to all traffic, or at least to the systems you wish to communicate with.
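As an added illustration (not part of the question or the answer above), the following script checks both halves of the Lambda-to-Aurora path from a `describe-security-groups` document: whether the Lambda function's group permits egress to the DB group on the MySQL port, and whether the DB group permits ingress from the Lambda group. The sample document is constructed to mirror the group in the question (ingress open to itself, egress empty), so the check reproduces the answer's diagnosis, and `least_privilege_egress` shows the narrower of the two fixes the answer suggests: egress only to the DB's own security group on port 3306 rather than to all traffic. The function and field names below are my own; the JSON field names are those of the AWS CLI output shown on the page.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# mirroring the group in the question: ingress from itself on all TCP ports,
# egress list empty. In the question the Lambda function and the DB share
# this one group, so both roles are checked against the same entry.
SAMPLE_SG_JSON = """
{
  "SecurityGroups": [
    {
      "IpPermissionsEgress": [],
      "IpPermissions": [
        {
          "PrefixListIds": [],
          "FromPort": 0,
          "IpRanges": [],
          "ToPort": 65535,
          "IpProtocol": "tcp",
          "UserIdGroupPairs": [{"UserId": "141066641105", "GroupId": "sg-e029969a"}]
        }
      ],
      "GroupName": "db-access",
      "VpcId": "vpc-c3e2f3a7",
      "OwnerId": "141066641105",
      "GroupId": "sg-e029969a"
    }
  ]
}
"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SG_JSON)


def _permission_matches(perm, proto, port, group_id):
    """True if one IpPermissions / IpPermissionsEgress entry covers `proto`
    on `port` to or from security group `group_id` (or from/to anywhere)."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto not in ("-1", proto):
        return False
    # "-1" means every protocol and port, so the port range check only
    # applies to protocol-specific entries.
    if ip_proto != "-1":
        if not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            return False
    peers = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
    if group_id in peers:
        return True
    # An all-addresses CIDR also reaches the peer group's members.
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


def ingress_allows(sg, port, from_group_id, proto="tcp"):
    return any(_permission_matches(p, proto, port, from_group_id)
               for p in sg["IpPermissions"])


def egress_allows(sg, port, to_group_id, proto="tcp"):
    return any(_permission_matches(p, proto, port, to_group_id)
               for p in sg["IpPermissionsEgress"])


def path_check(doc, lambda_sg_id, db_sg_id, db_port=3306):
    """Check the Lambda -> DB path when both groups appear in `doc`.
    An empty egress list on the Lambda side fails the first check."""
    groups = {g["GroupId"]: g for g in doc["SecurityGroups"]}
    lam, db = groups[lambda_sg_id], groups[db_sg_id]
    return {
        "lambda_egress_ok": egress_allows(lam, db_port, db_sg_id),
        "db_ingress_ok": ingress_allows(db, db_port, lambda_sg_id),
    }


def least_privilege_egress(db_sg_id, port=3306):
    """Egress entry permitting only MySQL/Aurora traffic to the DB's group,
    the narrower alternative to opening egress to all traffic."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": db_sg_id}]}


def with_egress(doc, sg_id, rule):
    """Return a deep copy of `doc` with `rule` appended to sg_id's egress list."""
    new_doc = json.loads(json.dumps(doc))
    for g in new_doc["SecurityGroups"]:
        if g["GroupId"] == sg_id:
            g["IpPermissionsEgress"].append(rule)
    return new_doc


if __name__ == "__main__":
    doc = load_sample()
    print("before:", path_check(doc, "sg-e029969a", "sg-e029969a"))
    fixed = with_egress(doc, "sg-e029969a", least_privilege_egress("sg-e029969a"))
    print("after: ", path_check(fixed, "sg-e029969a", "sg-e029969a"))
```

Run against the sample, the first check reports `lambda_egress_ok: False` with `db_ingress_ok: True`, which is exactly the answer's reading of the empty `IpPermissionsEgress`; after the port-3306 egress entry is added both are `True`, while egress on any other port (say 22) still fails, which is the point of preferring the narrow rule. On a real account the equivalent change is `aws ec2 authorize-security-group-egress` with `--protocol tcp --port 3306` and the DB's group as the destination group.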