
I'm trying to access a Kinesis stream outside the VPC from a Lambda function inside the VPC. Currently, when the code that writes to the Kinesis stream runs, it hangs and then times out. When I take the Lambda out of the VPC, the code that writes to the stream works fine. But I need to access resources in the VPC and then write to the stream. Does anyone know how to fix this?

Here is my function in the VPC:

functions:
  handleChanges:
    handler: functions/handlers.handleChanges
    timeout: 10
    package:
      include:
        - functions/utils/**
    events:
      - http:
          method: POST
          path: "/"
          integration: lambda
    vpc:
      securityGroupIds:
        - ${file(./private.yml):variables.securityGroup}
      subnetIds:
        - ${file(./private.yml):variables.subnetID}

Here is my policy:

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "kinesis:PutRecord"
      - "kinesis:GetRecords"
      - "kinesis:GetShardIterator"
      - "kinesis:DescribeStream"
      - "kinesis:ListStreams"
    Resource:
      Fn::GetAtt:
        - KinesisStream
        - Arn
  - Effect: "Allow"
    Action:
      - "cognito-idp:AdminGetUser"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "logs:CreateLogGroup"
      - "logs:CreateLogStream"
      - "logs:PutLogEvents"
      - "ec2:CreateNetworkInterface"
      - "ec2:DescribeNetworkInterfaces"
      - "ec2:DeleteNetworkInterface"
    Resource: "*"

And finally, here is my Kinesis stream resource:

KinesisStream:
  Type: AWS::Kinesis::Stream
  Properties:
    Name: ${self:provider.environment.STREAM_NAME}
    ShardCount: 1

2 Answers


The only solution is to add a NAT gateway (or NAT instance) to your VPC so that resources in your private subnets, such as your Lambda functions, can reach resources outside the VPC.

answered 2017-02-24T21:46:38.377
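The layout this answer describes, as an added example that is not from the original question or either answer: a NAT gateway in a public subnet, plus a route table that sends the private subnet's default route through it, written as a serverless.yml `resources` block in the same style as the question's config. The `vpcId` and `publicSubnetID` entries in `private.yml` and all resource names are assumptions. The two resources people most often miss are the last ones: the private subnet the Lambda is attached to needs a route table whose 0.0.0.0/0 route points at the NAT gateway, and the NAT gateway itself must sit in a different, public subnet whose route table points at an internet gateway. Moving the Lambda into the public subnet does not help, because the ENIs Lambda creates in a VPC never get a public IP, so traffic sent straight to an internet gateway is dropped (which is exactly the "hangs, then times out" symptom in the question).

```yaml
resources:
  Resources:
    # Elastic IP that outbound traffic will appear to come from
    # (assumed resource; one NAT gateway in one AZ, enough for this example).
    NatEip:
      Type: AWS::EC2::EIP
      Properties:
        Domain: vpc

    # The NAT gateway must live in a PUBLIC subnet, i.e. one whose route table
    # already sends 0.0.0.0/0 to an internet gateway. publicSubnetID is an
    # assumed variable in private.yml, distinct from the Lambda's subnetID.
    NatGateway:
      Type: AWS::EC2::NatGateway
      Properties:
        AllocationId:
          Fn::GetAtt: [NatEip, AllocationId]
        SubnetId: ${file(./private.yml):variables.publicSubnetID}

    # Route table for the PRIVATE subnet the Lambda is attached to.
    # vpcId is an assumed variable in private.yml.
    PrivateRouteTable:
      Type: AWS::EC2::RouteTable
      Properties:
        VpcId: ${file(./private.yml):variables.vpcId}

    # Default route of the private subnet: everything not local goes to the NAT.
    PrivateDefaultRoute:
      Type: AWS::EC2::Route
      Properties:
        RouteTableId:
          Ref: PrivateRouteTable
        DestinationCidrBlock: 0.0.0.0/0
        NatGatewayId:
          Ref: NatGateway

    # Attach that route table to the same subnet the function's vpc.subnetIds uses.
    PrivateSubnetRouteAssociation:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties:
        SubnetId: ${file(./private.yml):variables.subnetID}
        RouteTableId:
          Ref: PrivateRouteTable
```

With this in place the function's HTTPS calls to the public Kinesis API leave the VPC through the NAT gateway's Elastic IP, so the function code, the stream resource and the IAM statements in the question need no change; the `ec2:*NetworkInterface` permissions in the role are still required for the ENI that Lambda creates in the private subnet. The Lambda's security group must also allow outbound TCP 443, which the default outbound rule does.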

You don't need NAT; you can also use VPC endpoints: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html Here is how to do it for Kinesis: https://docs.aws.amazon.com/streams/latest/dev/vpc.html

Worked for me :) and it's much cheaper. Make sure you set the correct security group (the SG of the private VPC, not the default VPC).

If you read the NAT pricing docs, they also recommend this: https://aws.amazon.com/vpc/pricing/ Read the note at the end:

Note: To avoid the NAT Gateway Data Processing charge in this example, you could setup a Gateway Type VPC endpoint and route the traffic to/from S3 through the VPC endpoint instead of going through the NAT Gateway. There is no data processing or hourly charges for using Gateway Type VPC endpoints. For details on how to use VPC endpoints, please visit VPC Endpoints Documentation.
answered 2019-10-30T07:53:34.440
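The interface-endpoint route this answer suggests, as an added example that is not the answerer's code or the question's: a `com.amazonaws.<region>.kinesis-streams` endpoint in the Lambda's subnet, its own security group that admits HTTPS only from the Lambda's security group (the point the answer makes about using the private VPC's SG), and an endpoint policy that limits what can cross the endpoint to the one stream. It reuses the question's `KinesisStream` resource and `private.yml` variables; the `vpcId` variable, the endpoint security group, the resource names and the chosen policy actions are assumptions. Two checks a practitioner will want: `PrivateDnsEnabled: true` only works if the VPC has DNS support and DNS hostnames enabled, and it is what makes the SDK's default `kinesis.<region>.amazonaws.com` hostname resolve to the endpoint's private IP, so the function code needs no custom endpoint URL; and the endpoint policy is evaluated in addition to the function's IAM role, so both must allow the call.

```yaml
resources:
  Resources:
    # Security group on the endpoint's ENIs: TLS only, and only from the
    # Lambda's own security group (assumed resource; vpcId is an assumed variable).
    KinesisEndpointSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: HTTPS from the Lambda security group to the Kinesis endpoint
        VpcId: ${file(./private.yml):variables.vpcId}
        SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 443
            ToPort: 443
            SourceSecurityGroupId: ${file(./private.yml):variables.securityGroup}

    # Interface endpoint for Kinesis Data Streams in the same subnet as the Lambda.
    KinesisVpcEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        VpcEndpointType: Interface
        # Service name is region-specific; built with Fn::Join so it does not
        # depend on the Serverless Framework's own variable syntax.
        ServiceName:
          Fn::Join:
            - ""
            - - com.amazonaws.
              - Ref: AWS::Region
              - .kinesis-streams
        VpcId: ${file(./private.yml):variables.vpcId}
        SubnetIds:
          - ${file(./private.yml):variables.subnetID}
        SecurityGroupIds:
          - Ref: KinesisEndpointSecurityGroup
        # Makes kinesis.<region>.amazonaws.com resolve to the endpoint's private IP
        # from inside the VPC; requires enableDnsSupport and enableDnsHostnames.
        PrivateDnsEnabled: true
        # Endpoint policy: a second gate on top of the function's IAM role.
        # Principal "*" means "anyone using this endpoint"; the scope comes
        # from Resource, which is pinned to the question's stream.
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: "*"
              Action:
                - kinesis:PutRecord
                - kinesis:PutRecords
                - kinesis:GetRecords
                - kinesis:GetShardIterator
                - kinesis:DescribeStream
              Resource:
                Fn::GetAtt: [KinesisStream, Arn]
```

After `serverless deploy`, a quick check from inside the VPC is to resolve `kinesis.<region>.amazonaws.com` from an instance in the same subnet: with private DNS working it returns an address in the subnet's CIDR rather than a public one. If the function still times out, the usual causes are the Lambda's security group not being the one named in `SourceSecurityGroupId`, or the endpoint being created in a different subnet from the one in the function's `vpc.subnetIds`.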