I'm working on a Lambda function that connects to my database and logs metrics to a CloudWatch log stream for diagnostics. My other public Lambdas write to the same log group, creating a centralized log stream. Initially, my Lambda was in a private subnet, so I set up VPC endpoints for Parameter Store and CloudWatch Logs, but those are costly—and I want to avoid them if possible. So, I moved my Lambda to a public subnet. Now, it times out when attempting to connect to Parameter Store, despite having internet access. More perplexingly, it also times out when trying to write to the specific CloudWatch log group meant for central reporting. Can anyone clarify if there's a significant difference in accessing a Lambda's own log group versus others in the same account? I've granted permissions for both, and I'm puzzled about this behavior. Any insights would be appreciated!
3 Answers
It sounds like your Lambda might be struggling due to the lack of a public IP, even in a public subnet. To access the internet, your Lambda needs a NAT Gateway or NAT instance; otherwise, it can't reach external services. Also, note that Lambda manages its default logging directly, so it doesn't go through your VPC when writing logs—this is why you're seeing those timeouts! Keep in mind that having an internet gateway doesn’t equate to public IP access.
You might want to check whether an IPv6 Egress-only Gateway would work for your needs. More AWS services are gaining IPv6 support, which could save you from needing a NAT Gateway. It's worth looking into whether that could pave the way for better connectivity!
When you moved the Lambda to a public subnet, it should technically have internet access, but the lack of a public IP means it can't connect to anything outside your VPC. Make sure to set up a NAT Gateway if you want to reach outside services like Parameter Store. Also, don’t forget that Lambda writing to its logs happens without using your VPC, so that should work just fine without any extra setup.

I see what you're saying! So, if I want to get it working, I'd need to set up a NAT Gateway for those functions in the public subnet to properly connect to the Parameter Store?
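As an added example (not code from anyone in this thread), here is a small Python check over `aws ec2 describe-route-tables` output that reports what egress a Lambda ENI in a given subnet actually gets: an internet-gateway default route counts for nothing because Lambda ENIs never receive a public IPv4 address, while a NAT gateway/instance (IPv4) or an egress-only internet gateway (IPv6) does. The route tables, subnet IDs and gateway IDs below are constructed sample data.

```python
from typing import Dict, List, Optional

# Constructed sample shaped like the "RouteTables" list from describe-route-tables.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-public-example",   # "public" subnet: IGW default route only
     "Associations": [{"SubnetId": "subnet-public-example", "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private-example",  # private subnet: NAT for v4, EIGW for v6
     "Associations": [{"SubnetId": "subnet-private-example", "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example",
          "State": "active"}]},
]

def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def lambda_egress(route_table: Dict) -> Dict[str, str]:
    """ipv4 -> 'nat' | 'igw-only' | 'none'; ipv6 -> 'eigw' | 'none' for a Lambda ENI."""
    result = {"ipv4": "none", "ipv6": "none"}
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackholed routes (e.g. a deleted NAT gateway) forward nothing
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # NAT gateway or NAT instance (routed via instance or ENI) translates for us.
            if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
                result["ipv4"] = "nat"
            elif str(route.get("GatewayId", "")).startswith("igw-"):
                result["ipv4"] = "igw-only"  # needs a public IP the Lambda ENI does not have
        elif route.get("DestinationIpv6CidrBlock") == "::/0" and route.get("EgressOnlyInternetGatewayId"):
            result["ipv6"] = "eigw"
    return result

def lambda_can_reach_ipv4_internet(route_tables: List[Dict], subnet_id: str) -> bool:
    """True only when the subnet gives a Lambda ENI a working IPv4 path out of the VPC."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    return rt is not None and lambda_egress(rt)["ipv4"] == "nat"
```

Run it against real output by loading `aws ec2 describe-route-tables --output json` and passing its `RouteTables` list in place of the sample.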