Search code examples
python-3.xamazon-web-servicesaws-lambdaboto3

Lambda function timeout

I have the following Lambda function set in AWS which have to return the params of AWS Network Firewall:

import boto3
import json

session = boto3.session.Session()
nf_client = session.client(
    service_name = "network-firewall",
    endpoint_url= "https://network-firewall.eu-west-2.amazonaws.com"
    )
def lambda_handler(event, context):
    response = nf_client.describe_firewall(
        FirewallName="DemoFirewall2")
        
    return 1

What I have checked

  1. It timeouts no matter the timeout limit
  2. The alocated memory is enough
  3. Both endpoints of the lambda and the firewall can be reached from one another(even checked with Network Analyzer)
  4. Security groups are allowing all trafic in both directions.
  5. The lambda is associated to the VPC and with the sub-net of the firewall.
  6. CloudWatch is showing just timeout. I have no additionl configration, no environment variables or such just what is defined in the lambda.

I have two subnets and 4 routing tables:

  1. client subnet which has the following routing table and it is associated with the according subnet:
10.1.0.0/16 local
0.0.0.0/0   vpce-firewallEndpoint
  1. Firewall subnet associated with the accordig subnet:
10.1.0.0/16 local
0.0.0.0/0   igw-InternetGateway
  1. Gateway table with edge association to the gateway:
10.1.0.0/16 local   
10.1.2.0/24 vpce-firewallEndpoint
  1. the deafault main table:
10.1.0.0/16 local

The traffic from the client subnet is routed to the firewall subnet and then routed to the IGW.

Guess I am missing something with the session configarion because the lambda probably don't know which firewall to describe.

Solution

  • Lambda functions in a VPC never get assigned a public IP address, so they can't use an Internet Gateway directly. A Lambda function in a VPC has to be deployed in a private subnet, with a route to a NAT Gateway, in order to access things outside the VPC.

    If your Lambda function doesn't need to access any VPC resources then there is no benefit to deploying the function inside the VPC, it only causes issues such as the one you are encountering.