AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access

I found a good detailed tutorial on how to allow your lambda to connect to both VPC resources and the internet here: https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7

A quick walk-through:

  • set up new subnets for your lambda (with CIDRs not overlapping your existing subnets). You need:
    • one subnet which will be pointing to an Internet Gateway (IGW) to be used by the NAT (let's call it A)
    • several pointing to the NAT to be used by your lambda (B, C and D)
  • add a NAT gateway: set the subnet to A
  • set your lambda VPC subnets to B, C and D
  • create 2 route tables:
    • one that points to your NAT with destination 0.0.0.0/0
    • one that points to your IGW (should already exist) with destination 0.0.0.0/0
  • update the subnet A to use the route table pointing to the IGW
  • update the subnets B, C and D to use the route table pointing to the NAT

Hope this helps.
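The walk-through above as one script, added here as an example and not taken from the answer or the linked gist. `pick_free_subnets` does the "CIDRs not overlapping your existing subnets" step and runs offline; `build_lambda_nat` performs the remaining steps (subnet A plus B, C, D, the NAT gateway, the two route tables and the Lambda VPC config) through boto3 and only runs when you pass `--apply`. The VPC ID, function name, security group and availability zones at the bottom are placeholders you must replace; the IGW is assumed to already be attached to the VPC, and a real run creates a billable NAT gateway and Elastic IP.

```python
"""Build the A/B/C/D subnet layout for a VPC-attached Lambda (added example,
not the original answer's code). All IDs below are assumptions."""
import ipaddress
import sys


def pick_free_subnets(vpc_cidr, existing_cidrs, count, prefixlen=24):
    """Return `count` /prefixlen blocks inside vpc_cidr that overlap none of
    existing_cidrs, in address order. Raises ValueError if the VPC is full."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in existing_cidrs]
    free = []
    for cand in vpc.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(u) for u in used):
            free.append(str(cand))
            if len(free) == count:
                return free
    raise ValueError(f"only {len(free)} free /{prefixlen} blocks in {vpc_cidr}")


def build_lambda_nat(ec2, lam, vpc_id, function_name, sg_ids, azs):
    """Create public subnet A (for the NAT) and private subnets B, C, D (for
    the function), the NAT gateway, both route tables, and attach the function.
    `ec2` and `lam` are boto3 clients for EC2 and Lambda."""
    vpc = ec2.describe_vpcs(VpcIds=[vpc_id])["Vpcs"][0]
    existing = [s["CidrBlock"] for s in ec2.describe_subnets(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]]
    cidr_a, *private_cidrs = pick_free_subnets(vpc["CidrBlock"], existing, 4)

    # The IGW should already exist and be attached to this VPC.
    igw_id = ec2.describe_internet_gateways(Filters=[
        {"Name": "attachment.vpc-id", "Values": [vpc_id]}]
    )["InternetGateways"][0]["InternetGatewayId"]

    subnet_a = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr_a,
                                 AvailabilityZone=azs[0])["Subnet"]["SubnetId"]
    private_ids = [
        ec2.create_subnet(VpcId=vpc_id, CidrBlock=c,
                          AvailabilityZone=azs[i % len(azs)])["Subnet"]["SubnetId"]
        for i, c in enumerate(private_cidrs)]

    # NAT gateway: sits in public subnet A and needs an Elastic IP.
    eip = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat_id = ec2.create_nat_gateway(SubnetId=subnet_a,
                                    AllocationId=eip)["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat_id])

    # Route table 1: 0.0.0.0/0 -> IGW, used by subnet A.
    rt_public = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rt_public, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=rt_public, SubnetId=subnet_a)

    # Route table 2: 0.0.0.0/0 -> NAT, used by subnets B, C and D.
    rt_private = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rt_private, DestinationCidrBlock="0.0.0.0/0",
                     NatGatewayId=nat_id)
    for sid in private_ids:
        ec2.associate_route_table(RouteTableId=rt_private, SubnetId=sid)

    # Point the function at the private subnets only, never at A.
    lam.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={"SubnetIds": private_ids, "SecurityGroupIds": sg_ids})
    return {"public": subnet_a, "private": private_ids, "nat": nat_id}


if __name__ == "__main__" and "--apply" in sys.argv:
    import boto3  # only needed for the real run; placeholders below are assumptions
    print(build_lambda_nat(boto3.client("ec2"), boto3.client("lambda"),
                           vpc_id="vpc-0123456789abcdef0",
                           function_name="my-function",
                           sg_ids=["sg-0123456789abcdef0"],
                           azs=["us-east-1a", "us-east-1b"]))
```

Spreading B, C and D over more than one availability zone is deliberate: the NAT gateway itself is zonal, so for production you would repeat the A-plus-NAT pair per zone rather than send every private subnet through one gateway in one zone.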


You need both the IGW and the NAT gateway for this to work.

In the public subnets (ones you want to reach from outside) point the 0.0.0.0/0 traffic to the IGW gateway. The NAT gateway itself needs to sit in one of these public subnets.

In the private subnets that you want to NAT point 0.0.0.0/0 traffic to the NAT gateway elastic network interface.

If 0.0.0.0/0 is already bound to the gateway you need to remove that and add it pointing to the NAT gateway.

See: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html


You need two different subnets. It sounds as if you only have one.

Lambda can only use private subnets inside VPC.

Definition of a private subnet: the default route is a NAT instance (which must be on a different, public subnet) or a NAT Gateway, and no machines in the subnet have a public IP address. Machines with public IP addresses are allowed on a private subnet, but for the most part, they will not work properly, because this is technically a misconfiguration.

Definition of a public subnet: the default route is the igw-xxxxxxxx Internet Gateway object, and machines have public IP addresses assigned. Machines without public IP addresses are allowed on a public subnet, but they will not be able to access the Internet, because this is a misconfiguration.

It sounds like you are trying to change your existing subnet from public to private by changing the default route. As expected, this breaks other things.

See also Why do we need private subnet in VPC?
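A check that applies the definitions in the answer above to a VPC's subnets, added here as an example and not part of any answer. It classifies each subnet from what its effective route table's 0.0.0.0/0 route points at (an `igw-` gateway, or a NAT gateway or NAT instance) and from whether the subnet hands out public IPs, flagging the two misconfigurations the answer describes. The input follows the shape of EC2 `describe-route-tables` and `describe-subnets` output but is constructed inline so it runs offline; every ID is made up, and `MapPublicIpOnLaunch` stands in for "machines have public IP addresses", which is a simplification (an instance can also get a public IP explicitly or via an Elastic IP).

```python
"""Classify VPC subnets as public / private / isolated / misconfigured
(added example; all IDs and data below are constructed)."""


def effective_route_table(subnet_id, route_tables):
    """A subnet uses its explicitly associated table, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return 'igw', 'nat' (NAT gateway or NAT instance) or None for 0.0.0.0/0."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "nat"
    return None


def classify_subnet(subnet, route_tables):
    rt = effective_route_table(subnet["SubnetId"], route_tables) or {}
    target = default_route_target(rt)
    public_ips = subnet.get("MapPublicIpOnLaunch", False)
    if target == "igw" and public_ips:
        return "public"
    if target == "nat" and not public_ips:
        return "private"
    if target is None:
        return "isolated"
    if target == "igw":
        return "misconfigured: IGW route but no public IPs, instances cannot reach the Internet"
    return "misconfigured: public IPs behind a NAT route"


def lambda_subnets_ok(subnet_ids, subnets, route_tables):
    """Lambda should be given private subnets; return the IDs that are not."""
    by_id = {s["SubnetId"]: s for s in subnets}
    return [sid for sid in subnet_ids
            if classify_subnet(by_id[sid], route_tables) != "private"]


# Constructed sample: one VPC whose main route table points at the IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-nat",
     "Associations": [{"SubnetId": "subnet-b"}, {"SubnetId": "subnet-d"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-e"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-a", "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True},   # main table -> IGW
    {"SubnetId": "subnet-b", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False},  # NAT route
    {"SubnetId": "subnet-c", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},  # IGW route, no public IPs
    {"SubnetId": "subnet-d", "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": True},   # public IPs behind NAT
    {"SubnetId": "subnet-e", "CidrBlock": "10.0.4.0/24", "MapPublicIpOnLaunch": False},  # no default route
]


def report(subnets=SUBNETS, route_tables=ROUTE_TABLES):
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for sid, verdict in report().items():
        print(sid, verdict)
    print("not usable for Lambda:",
          lambda_subnets_ok(["subnet-a", "subnet-b"], SUBNETS, ROUTE_TABLES))
```

`subnet-d` is the situation the answer warns about: a formerly public subnet whose default route was switched to the NAT while its instances still carry public IPs. To run this against a real account, feed it the `Subnets` and `RouteTables` lists from the corresponding boto3 or AWS CLI calls in place of the constructed data.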