Member, September 27, 2020 at 9:21 am
In practice mode 1, the question on Lambda, I am finding it a bit difficult to understand from the explanation; help requested. Details are given below.
The question is:
A serverless application is using a Lambda function which fetches data from a public REST API as part of its processing. There is a new requirement to configure the function to store the results to a database hosted in a virtual private cloud (VPC) in your account. You have provided the additional VPC-specific configuration information which includes the subnet IDs and security group IDs. However, your function had stopped working and could not complete the processing after your change.
Which of the following should you do to fix this issue? (Choose 2)
When reading the explanation notes, I am getting confused. At one point the notes say:
“Therefore, if your Lambda function requires Internet access (for example, to access AWS services that don’t have VPC endpoints), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. You cannot use an Internet gateway attached to your VPC, since that requires the ENI to have public IP addresses.”
In the above section it says you cannot use an Internet gateway attached to your VPC, and then in the next paragraph it is mentioned that you can solve it by “Adding NAT gateway to your VPC”, as given below:
“If your Lambda function needs Internet access, do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway. You should also ensure that the associated security group of the Lambda function allows outbound connections. Hence, the correct answers in this scenario are ensuring that the associated security group of the Lambda function allows outbound connections and adding a NAT gateway to your VPC.”
Member, September 28, 2020 at 11:18 pm
Thanks for the feedback.
From what I understand about your question, you are confused about the statements “cannot use an Internet gateway attached to your VPC” and “Adding NAT gateway to your VPC”. I’ll do my best to explain it here.
Short explanation: In AWS terminology, a NAT gateway is different from an Internet Gateway. Each has its own use case. An Internet Gateway is used on a public subnet to provide internet access. A NAT gateway is used to provide internet access to private subnets.
See this link for an explanation for what an Internet Gateway is: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
See this link for an explanation for what a NAT Gateway is: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
We have 2 modes of operation for a Lambda function – inside a VPC and outside a VPC. Based on the question, we can infer that the Lambda function is currently running outside the VPC. With this, AWS takes care of the networking for the Lambda function, which is why it can “fetch data from a public REST API” which is on the public internet.
Now there is a requirement for the Lambda function to access the database inside the VPC. This is not possible if the Lambda function is running outside the VPC. So based on the scenario, you have modified the Lambda configuration to operate inside the VPC subnets. This step is correct; however, the function stopped working and can no longer fetch data from a public REST API. This means that the Lambda function can no longer access the public internet. So you have to fix this problem, which brings us to the answers and explanation.
On your VPC, you should attach an Internet Gateway so that your resources can route your traffic to the public internet. On this VPC, you have a public subnet and a private subnet. A public subnet has a direct route to the Internet Gateway, so you can access the public internet directly. However, you will need to have a public IP address for this to work. Attaching a public IP address to your Lambda function is not possible, so this approach will not work. Therefore, if you put your Lambda function on the public subnet, it will stop working because it can’t connect to the Internet to fetch the public REST API. On the other hand, a private subnet has NO DIRECT route to the Internet Gateway. This also means that by default, you won’t have access to the internet if you put your Lambda function here. However, you can create and associate a NAT Gateway, which can be used by your Lambda function in the private subnet to allow access to the Internet. With the NAT Gateway, you don’t need to have an attached public IP to access the internet. Thus, by putting your Lambda function on the private subnet with an associated NAT Gateway, the Lambda function can successfully run and “fetch data from a public REST API”.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
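As an added illustration (not part of the original thread), the following Python models the routing rules described in the reply: the target of each subnet's default route and the security group's egress rule together decide whether a VPC-attached Lambda ENI can reach the internet. All subnet, gateway and security-group IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Subnet:
    subnet_id: str
    # Target of the 0.0.0.0/0 route in the subnet's route table:
    # "igw-..." (public subnet), "nat-..." (private subnet with NAT), or None.
    default_route_target: Optional[str]

@dataclass
class SecurityGroup:
    group_id: str
    egress_allows_internet: bool  # outbound rule to 0.0.0.0/0 present

def eni_can_reach_internet(subnet: Subnet, sg: SecurityGroup) -> Tuple[bool, str]:
    """Rules from the reply: a VPC-attached Lambda ENI never gets a public IP,
    so a route to an Internet Gateway does not help; a route to a NAT gateway
    does, and the security group must still allow outbound connections."""
    if not sg.egress_allows_internet:
        return False, f"{sg.group_id} has no outbound rule to the internet"
    target = subnet.default_route_target
    if target is None:
        return False, f"{subnet.subnet_id}: no default route (private subnet, no internet)"
    if target.startswith("igw-"):
        return False, f"{subnet.subnet_id}: routes to {target}, but the ENI has no public IP"
    if target.startswith("nat-"):
        return True, f"{subnet.subnet_id}: routes to {target}, traffic is source-NATed"
    return False, f"{subnet.subnet_id}: unsupported route target {target}"

def check_function_config(subnets: List[Subnet], sg: SecurityGroup) -> Tuple[bool, Dict[str, str]]:
    """Lambda may place its ENI in any configured subnet, so every one must pass."""
    findings: Dict[str, str] = {}
    ok = True
    for s in subnets:
        good, why = eni_can_reach_internet(s, sg)
        findings[s.subnet_id] = why
        ok = ok and good
    return ok, findings

# Constructed VPC (placeholder IDs): public subnet, isolated private subnet, private subnet behind NAT.
PUBLIC = Subnet("subnet-public-example", "igw-example")
ISOLATED = Subnet("subnet-isolated-example", None)
PRIVATE_NAT = Subnet("subnet-private-example", "nat-example")
SG_OPEN_EGRESS = SecurityGroup("sg-egress-example", True)
SG_NO_EGRESS = SecurityGroup("sg-noegress-example", False)

if __name__ == "__main__":
    for subs, sg in [([PUBLIC], SG_OPEN_EGRESS), ([ISOLATED], SG_OPEN_EGRESS),
                     ([PRIVATE_NAT], SG_NO_EGRESS), ([PRIVATE_NAT], SG_OPEN_EGRESS)]:
        print(check_function_config(subs, sg))
```

Only the last combination (private subnet routed to a NAT gateway plus a security group that allows outbound traffic) passes, matching the two correct answers in the question.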