Python AWS Lambda function not joining VPC
I am trying to connect to my AWS Aurora DB. After following the documentation guide three times, I get the same timeout error on the MySQL connection. After digging deeper, it looks like my Lambda function is not joining the VPC at all. I will list some outputs (with unnecessary lines removed) to show how I came to this conclusion. If anyone can point out where my configuration went wrong, please let me know. Before anyone mentions it: yes, I have checked the DB variables in the program many times; this must be a configuration issue.
Role:
Attached policies:
$ aws iam list-attached-role-policies --role-name test --output json
{
"AttachedPolicies": [
{
"PolicyName": "AWSLambdaVPCAccessExecutionRole",
"PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
]
}
VPC:
Security group:
$ aws ec2 describe-security-groups --group-ids "sg-e029969a" --output json
{
"SecurityGroups": [
{
"IpPermissionsEgress": [],
"IpPermissions": [
{
"PrefixListIds": [],
"FromPort": 0,
"IpRanges": [],
"ToPort": 65535,
"IpProtocol": "tcp",
"UserIdGroupPairs": [
{
"UserId": "141066641105",
"GroupId": "sg-e029969a"
}
]
},
],
"GroupName": "db-access",
"VpcId": "vpc-c3e2f3a7",
"OwnerId": "141066641105",
"GroupId": "sg-e029969a"
}
]
}
IP address Python code:
import logging
import socket
import subprocess

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Resolve the DB endpoint from inside the function
response = socket.gethostbyname('test.db')
logger.info("test.db IP: " + response)

# Dump the network interfaces visible to the function's container
process = subprocess.Popen(["/sbin/ip", "addr", "show"], stdout=subprocess.PIPE)
response = process.communicate()
logger.error("IP command: " + response[0].decode())
IP address output:
test.db IP: 172.31.29.170
IP command: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
57: vinternal_19@if58: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8a:ae:cc:86:d7:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet 169.254.76.37/23 scope global vinternal_19
valid_lft forever preferred_lft forever
60: vtarget_10@if59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 72:6b:24:a0:47:d4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 169.254.79.1/32 scope global vtarget_10
valid_lft forever preferred_lft forever
As you can see, for some reason I am getting 169.254.x.x addresses instead of the VPC's 172.31.x.x. Also note that the database is part of the same security group in the same VPC.

Answer (@JohnRotenstein):
Your security group shows an empty IpPermissionsEgress:
{
"SecurityGroups": [
{
"IpPermissionsEgress": [],
...
If I read that correctly, it means all outbound traffic is blocked.
Traditionally, egress rules are open to all traffic, on the basis that you can trust what is running on the Amazon EC2 instance. So you could open it to all traffic, or at least to the systems you wish to communicate with. By the way, it is handy for debugging the Lambda environment.

Comment: Agree with @JohnRotenstein, the function cannot communicate outside the security group since all egress is blocked and only ingress is allowed. You can add an egress rule for 0.0.0.0/0 (the default) or set it to the Aurora database's security group.

Comment (asker): You are correct @John Rotenstein. That was the problem. Thanks.
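As an added example (not code from the question or the answers), the check below evaluates a describe-security-groups record the way the answer reasons about it: the group from the question, with its empty IpPermissionsEgress, cannot reach anything, while a corrected variant that allows egress only to members of the DB's own group on port 3306 (tighter than the 0.0.0.0/0 default the comment mentions) passes. The group, VPC and account values are copied from the question; the 3306 port, the corrected rule and the helper names are assumptions.

```python
import ipaddress

# Constructed from the security group in the question (only the fields the check needs).
BROKEN_SG = {
    "GroupId": "sg-e029969a",
    "VpcId": "vpc-c3e2f3a7",
    "IpPermissionsEgress": [],  # empty: no outbound rule at all
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "IpRanges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [{"UserId": "141066641105", "GroupId": "sg-e029969a"}],
    }],
}

# Corrected variant (assumed fix): egress only to members of the DB's own group,
# only on the MySQL/Aurora port, instead of the 0.0.0.0/0 default.
FIXED_SG = dict(BROKEN_SG, IpPermissionsEgress=[{
    "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "PrefixListIds": [],
    "UserIdGroupPairs": [{"UserId": "141066641105", "GroupId": "sg-e029969a"}],
}])


def _rule_matches(rule, port, dest_ip, dest_sg):
    """True if one IpPermissions entry covers TCP to the destination on `port`."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    # Group-referencing rules match by the peer's group membership, not by its IP.
    if dest_sg and any(p.get("GroupId") == dest_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    if dest_ip:
        ip = ipaddress.ip_address(dest_ip)
        return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))
    return False


def egress_allowed(sg, port, dest_ip=None, dest_sg=None):
    """Can a function in this group open a TCP connection to the DB on `port`?"""
    return any(_rule_matches(r, port, dest_ip, dest_sg)
               for r in sg.get("IpPermissionsEgress", []))
```

Run it against the JSON from `aws ec2 describe-security-groups` to confirm an egress path exists before changing anything else in the function or DB configuration.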