Hello Joseph,
Thanks for the feedback.
From what I understand about your question, you are confused about the statements “cannot use an Internet gateway attached to your VPC” and “Adding NAT gateway to your VPC”. I’ll do my best to explain it here.
Short explanation: In AWS terminology, a NAT gateway is different from an Internet Gateway. Each has its own use case. An Internet Gateway is used on a public subnet to provide internet access. A NAT gateway is used to provide internet access to private subnets.
See this link for an explanation for what an Internet Gateway is: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
See this link for an explanation for what a NAT Gateway is: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Long explanation:
We have two modes of operation for a Lambda function: inside a VPC and outside a VPC. Based on the question, we can infer that the Lambda function is currently running outside the VPC. With this, AWS takes care of the networking for the Lambda function, which is why it can “fetch data from a public REST API” on the public internet.
Now there is a requirement for the Lambda function to access the database inside the VPC. This is not possible if the Lambda function is running outside the VPC. So, based on the scenario, you have modified the Lambda configuration to operate inside the VPC subnets. This step is correct; however, the function stopped working and can no longer fetch data from the public REST API. This means that the Lambda function can no longer access the public internet. So you have to fix this problem, which brings us to the answers and explanation.
On your VPC, you should attach an Internet Gateway so that your resources can route traffic to the public internet. On this VPC, you have a public subnet and a private subnet. A public subnet has a direct route to the Internet Gateway, so you can access the public internet directly. However, you will need to have a public IP address for this to work. Attaching a public IP address to your Lambda function is not possible, so this approach will not work. Therefore, if you put your Lambda function on the public subnet, it will stop working because it can’t connect to the internet to fetch the public REST API.
On the other hand, a private subnet has NO DIRECT route to the Internet Gateway. This also means that, by default, you won’t have access to the internet if you put your Lambda function here. However, you can create and associate a NAT Gateway, which can be used by your Lambda function in the private subnet to allow access to the internet. With the NAT Gateway, you don’t need to have an attached public IP to access the internet. Thus, by putting your Lambda function on the private subnet with an associated NAT Gateway, the Lambda function can successfully run and “fetch data from a public REST API”.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
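The route-table logic described in the reply above, turned into a check you can run against a function's VpcConfig. This is an added example, not code from the post or from Tutorials Dojo. The route tables and subnet IDs below are constructed sample data in the shape of `aws ec2 describe-route-tables` output (all IDs are hypothetical); the check classifies each subnet by its default route and flags any subnet that would leave the Lambda function without internet egress, including the public-subnet case the reply warns about.

```python
"""Decide whether the subnets a Lambda function is attached to give it a
route to the internet. Constructed sample data mimics the shape of
`aws ec2 describe-route-tables` output; nothing here contacts AWS."""

from typing import Dict, List, Optional

# Constructed sample data (hypothetical IDs), shaped like describe-route-tables output.
ROUTE_TABLES: List[Dict] = [
    {   # public subnet: default route goes straight to the Internet Gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"},
        ],
    },
    {   # private subnets: default route goes to a NAT Gateway
        "RouteTableId": "rtb-private",
        "Associations": [
            {"Main": False, "SubnetId": "subnet-private-a"},
            {"Main": False, "SubnetId": "subnet-private-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0e9f8d7c", "State": "active"},
        ],
    },
    {   # main route table: used by any subnet without an explicit association
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]


def route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """Return the route table a subnet uses: its explicit association if it
    has one, otherwise the VPC's main route table (AWS's own fallback rule)."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnet(subnet_id: str, route_tables: List[Dict]) -> str:
    """Classify a subnet by its default (0.0.0.0/0) route:
    'public'   -> Internet Gateway (needs a public IP, which Lambda ENIs never get)
    'nat'      -> NAT Gateway (what a VPC-attached Lambda needs for egress)
    'isolated' -> no usable default route at all"""
    table = route_table_for(subnet_id, route_tables)
    if table is None:
        return "isolated"
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # A route whose target was deleted shows up as 'blackhole' and carries no traffic.
        if route.get("State") == "blackhole":
            continue
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
    return "isolated"


def lambda_internet_egress(subnet_ids: List[str], route_tables: List[Dict]) -> Dict:
    """Evaluate every subnet in the function's VpcConfig. Lambda may place its
    ENI in any listed subnet, so egress is reliable only if *all* of them
    route through a NAT Gateway; anything else is reported under 'fix'."""
    classes = {s: classify_subnet(s, route_tables) for s in subnet_ids}
    bad = sorted(s for s, c in classes.items() if c != "nat")
    return {"ok": not bad, "subnets": classes, "fix": bad}


if __name__ == "__main__":
    # Mirrors the scenario in the post: the function was moved into the VPC.
    for subnets in (["subnet-public-a"], ["subnet-private-a", "subnet-private-b"]):
        print(subnets, lambda_internet_egress(subnets, ROUTE_TABLES))
```

To run it against a real account, feed `lambda_internet_egress` the `SubnetIds` from `get_function_configuration(FunctionName=...)["VpcConfig"]` (boto3 Lambda client) and the `RouteTables` list from `describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])` (boto3 EC2 client). Note that a NAT Gateway route is necessary but not sufficient: the NAT Gateway itself must sit in a public subnet whose route table points at the Internet Gateway, and the function's security group and the subnet's network ACL must still allow the outbound HTTPS traffic.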