Closed arthurl31 closed 5 months ago
```yaml
- IpProtocol: tcp
  FromPort: 0
  ToPort: 65535
  SourceSecurityGroupId: !Ref LambdaSecurityGroup # Allow traffic from Lambda function
```
Could you open up the security groups and see if that's the issue? Just allow ingress from all IPs in your VPC at the very least and see if that works?
Scanning your config, this should all be working and I'm not seeing any issues in the included logs. (Thanks for the detailed report btw!)
I've updated my CloudFormation template for the NAT security group, but I'm still facing issues:
```yaml
NatSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Security Group for NAT
    VpcId: !Ref MammycardVPC
    SecurityGroupIngress:
      - IpProtocol: "-1"
        CidrIp: 0.0.0.0/0 # Allow all ingress traffic from all IP addresses (debugging only)
    SecurityGroupEgress:
      - CidrIp: 0.0.0.0/0
        IpProtocol: "-1" # Allow all outbound traffic
```
When I connect to the NAT instance using SSH, the fck-nat.service fails to start. The configuration file /etc/fck-nat.conf contains a valid eni_id, as shown in previous screenshots.
However, attempting to start the service results in what seems to be an infinite loop. Below is a screenshot showing the never-ending loop from the last executed command (sudo systemctl start fck-nat.service):
PS: since the security group is now public, I could send you the SSH key if you need it, no problem at all.
I'm not entirely sure what caused the issue, but it seems there was a bug when the instance initially started.
I've updated the NAT Instance template, rerun it (recreating the instance), and now it's functioning properly.
My Lambda function can now connect to the internet without any issues.
I've reverted my security group settings to only allow access for my Lambda function and my IP via SSH, and it's still working fine.
This is my EC2::Instance for my NAT Instance in case anyone needs:
```yaml
FckNatInstance:
  Type: AWS::EC2::Instance
  Properties:
    InstanceType: t4g.nano
    ImageId: ami-05b6d5a2e26f13c93
    SubnetId: !Ref PublicSubnet
    SecurityGroupIds:
      - !Ref NatSecurityGroup
    IamInstanceProfile: !Ref FckNatAsgInstanceProfile
    KeyName: "key-dev"
    UserData:
      Fn::Base64: !Sub |
        #!/bin/bash
        # ${FckNatInterface} is substituted by CloudFormation (Fn::Sub) with the ENI id
        echo "eni_id=${FckNatInterface}" >> /etc/fck-nat.conf
        # Send all further output to /var/log/user-data.log, syslog and the console
        exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
        echo "=== Instance Initialization Started ==="
        sudo systemctl enable fck-nat.service
        sudo systemctl restart fck-nat.service
        sudo systemctl status fck-nat.service > /var/log/fck-nat-service-status.log
```
Thank you very much for this fantastic project and for your support.
Glad you got it working!
Without any specific error info I'm gonna close this one out, but I'll keep this on mind in case we get reports of similar behavior.
Troubleshooting Lambda Internet Access Using a NAT Instance

I'm having trouble getting my Lambda function to access the internet using a NAT Instance (fck-nat). To diagnose the issue, I decided to SSH into my instance.

NAT Instance Status

On my instance, the status of fck-nat is as follows: [screenshot]

My fck-nat.conf is: [screenshot]

My Network Interface: [screenshot]

My Route Table: [screenshot]

When using curl or ping within the instance (connected via SSH), it works, but when requests are made using my Lambda function, it fails (timeout). Also, my Lambda is in a private subnet that uses the route table in the image above.

Config Used in Lambda Function: [screenshot]

My fck-nat instance configuration: [screenshot]

Am I missing or misconfiguring something?
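The question above, and the security-group and NAT-instance templates posted later in the thread, boil down to a handful of checks on the private subnet's default route, the NAT ENI's source/destination check and the two security groups. The following is an added example, not code from the issue or from the fck-nat project: it walks those checks over constructed dicts shaped like the output of boto3's `describe_route_tables`, `describe_security_groups` and `describe_network_interfaces`, so it runs offline and can be pointed at real API output afterwards. Every identifier in it (`rtb-private`, `subnet-private`, `sg-lambda`, `sg-nat`, `eni-nat`, `i-nat`) and the probe address `198.51.100.10` are placeholders, not values from the original post.

```python
"""Offline sanity check for a Lambda-in-private-subnet -> NAT-instance path.

Added example, not from the issue or fck-nat. Sample data is constructed to
mirror boto3 EC2 response shapes; nothing here calls AWS. All identifiers
are placeholders.
"""
from ipaddress import ip_address, ip_network

PUBLIC_PROBE = "198.51.100.10"  # TEST-NET-2 address, used only to exercise egress rules


def default_route(route_tables, subnet_id):
    """Target of the 0.0.0.0/0 route in the table associated with subnet_id.

    Returns (kind, id) with kind in NetworkInterfaceId / InstanceId /
    NatGatewayId / GatewayId / blackhole, or None if there is no default route.
    """
    for rtb in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            continue
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("State") == "blackhole":
                return "blackhole", None
            for key in ("NetworkInterfaceId", "InstanceId", "NatGatewayId", "GatewayId"):
                if key in route:
                    return key, route[key]
    return None


def rule_admits(perms, proto, port, *, group=None, ip=None):
    """True if some rule in an IpPermissions(Egress) list covers proto/port from `group` or `ip`."""
    for p in perms:
        if p.get("IpProtocol") not in ("-1", proto):
            continue
        # "-1" rules carry no port range in the API response
        if p.get("IpProtocol") != "-1" and not (p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)):
            continue
        if group and any(g.get("GroupId") == group for g in p.get("UserIdGroupPairs", [])):
            return True
        if ip and any(ip_address(ip) in ip_network(r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False


def diagnose(lambda_subnet, lambda_sg, route_tables, sgs, enis, port=443):
    """Return a list of findings; an empty list means the path looks correct."""
    findings = []
    sg_by_id = {g["GroupId"]: g for g in sgs}
    eni_by_id = {e["NetworkInterfaceId"]: e for e in enis}

    target = default_route(route_tables, lambda_subnet)
    if target is None:
        return ["no 0.0.0.0/0 route in the route table associated with the Lambda subnet"]
    kind, tid = target
    if kind == "blackhole":
        return ["default route is blackholed (target detached or deleted)"]
    if kind == "GatewayId":
        return [f"default route points at {tid}; Lambda ENIs have no public IP, an IGW cannot NAT them"]
    if kind == "NatGatewayId":
        return findings  # managed NAT gateway: nothing instance-specific to check
    if kind == "NetworkInterfaceId":
        nat_eni = eni_by_id.get(tid)
    else:  # InstanceId: find the ENI attached to that instance
        nat_eni = next((e for e in enis if e.get("Attachment", {}).get("InstanceId") == tid), None)
    if nat_eni is None:
        return [f"default route target {tid} not found among the network interfaces"]

    # A NAT instance forwards packets that are neither from nor to itself;
    # with source/destination check enabled EC2 drops those packets.
    if nat_eni.get("SourceDestCheck", True):
        findings.append(f"{nat_eni['NetworkInterfaceId']}: source/destination check is enabled")

    nat_groups = [g["GroupId"] for g in nat_eni.get("Groups", []) if g["GroupId"] in sg_by_id]
    if not any(rule_admits(sg_by_id[g]["IpPermissions"], "tcp", port, group=lambda_sg) for g in nat_groups):
        findings.append(f"NAT security groups {nat_groups} do not admit tcp/{port} from {lambda_sg}")

    if not rule_admits(sg_by_id[lambda_sg]["IpPermissionsEgress"], "tcp", port, ip=PUBLIC_PROBE):
        findings.append(f"{lambda_sg} egress does not allow tcp/{port} to the internet")
    return findings


def sample(source_dest_check=False):
    """Constructed data modelled on the thread: NAT SG admits tcp 0-65535 from the Lambda SG."""
    route_tables = [{
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-nat",
             "InstanceId": "i-nat", "State": "active"},
        ],
    }]
    sgs = [
        {"GroupId": "sg-lambda", "IpPermissions": [],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-nat",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-lambda"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
    enis = [{"NetworkInterfaceId": "eni-nat", "SourceDestCheck": source_dest_check,
             "Groups": [{"GroupId": "sg-nat"}], "Attachment": {"InstanceId": "i-nat"}}]
    return route_tables, sgs, enis


if __name__ == "__main__":
    for flag in (False, True):
        print(f"SourceDestCheck={flag}:", diagnose("subnet-private", "sg-lambda", *sample(flag)) or "OK")
```

With real data, replace `sample()` with the `RouteTables`, `SecurityGroups` and `NetworkInterfaces` lists from the corresponding boto3 calls for the VPC. The checks deliberately stop at the VPC layer: if all of them pass and traffic still times out, the remaining suspects are on the instance itself (the fck-nat service state, `net.ipv4.ip_forward` and the MASQUERADE rule), which is where the thread's own debugging went.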