Getting this error:
```Error: Lambda Functions in ...
# ssta
Adrián Mouly
10/28/2021, 5:14 AMGetting this error:
Copy code
Error: Lambda Functions in a public subnet can NOT access the internet. If you are aware of this limitation and would still like to place the function int a public subnet, set `allowPublicSubnet` to trueints
Slawomir Stec
10/28/2021, 5:30 AMI think under function options or defaultFunctionProps
a
Adrián Mouly
10/28/2021, 5:31 AMYeah found it, thank you!
Adrián Mouly
10/28/2021, 5:31 AMDefault function props made it 🙂
Adrián Mouly
10/28/2021, 5:31 AMNot sure why this error, doesn’t makes sense to me.
s
Slawomir Stec
10/28/2021, 5:42 AMLambda don’t have public IP. Placing it in the public subnet and send traffic via IGW allows it to access the internet.
Slawomir Stec
10/28/2021, 5:44 AMMost of the time if you need access private VPC resources you don’t it
Slawomir Stec
10/28/2021, 5:44 AMYou can use VPC endpoint
a
Adrián Mouly
10/28/2021, 5:47 AMYeah.
Adrián Mouly
10/28/2021, 5:47 AMWell in DEV I have 3 private and 2 public subnet.
Adrián Mouly
10/28/2021, 5:47 AMAnd I don’t get that error.
Adrián Mouly
10/28/2021, 5:47 AMMaybe this checks if there is almost 1 private?
s
Slawomir Stec
10/28/2021, 5:53 AMSorry NAT in private not IGW
Slawomir Stec
10/28/2021, 5:53 AMThat is why this flag is about
Slawomir Stec
10/28/2021, 5:55 AMYou place your lambda in public subnet
Slawomir Stec
10/28/2021, 5:55 AMAnd expect to have an access to internet
Slawomir Stec
10/28/2021, 5:55 AMWhich is no true
Slawomir Stec
10/28/2021, 5:55 AMProbably you should add it to private and use NAT
Slawomir Stec
10/28/2021, 5:56 AMAnd allowPublicSubnet is a safeguard to avoid this mistake
Slawomir Stec
10/28/2021, 6:01 AMMaybe you miss ‘vpcSubnets’ declaration to explicitly select private or public subnets
Slawomir Stec
10/28/2021, 6:01 AMSorry typing from phone but smth like
Slawomir Stec
10/28/2021, 6:02 AMFunction: { vpcSubnets:{ subnetType: SubnetType.PRIVATE_WITH_NAT
a
Adrián Mouly
10/28/2021, 6:04 AMYeah could be that.
Adrián Mouly
10/28/2021, 6:04 AMI only put all the VPCs from lookup.
Adrián Mouly
10/28/2021, 6:04 AMI do this…
1. lookup VPC by id
2. assign VPC on function by parameter
vpc:Adrián Mouly
10/28/2021, 6:05 AMI don’t specify the subnets, it looks like selects them from the VPC reference.
s
Slawomir Stec
10/28/2021, 6:09 AMI usually use ISOLATED to avoid NAT cost and GatewayEndpoint for s3 and dynamo
Slawomir Stec
10/28/2021, 6:10 AMwhat is your lambda connecting to?
a
Adrián Mouly
10/28/2021, 6:10 AMYeah, this is one of the concerns I have.
Adrián Mouly
10/28/2021, 6:11 AMConnected to RDS, S3, EventBridge, SQS… others.
Adrián Mouly
10/28/2021, 6:11 AMBut mostly RDS is the problem.
Adrián Mouly
10/28/2021, 6:11 AMI’m still not good on VPC design 😞
Adrián Mouly
10/28/2021, 6:11 AMStill having troubles to wrap my head around GW and NAT.
s
Slawomir Stec
10/28/2021, 6:12 AMhmm I would try do the ISOLATED subnet as lambda target and VPC endpoint
a
Adrián Mouly
10/28/2021, 6:13 AMOk, going to check it.
s
Slawomir Stec
10/28/2021, 6:18 AMBut for this setup with ISOLATED subnet VPN endpoint will be required for sst local mode (if you don’t use local RDS instance in dev mode)
a
Adrián Mouly
10/28/2021, 6:24 AMYeah makes sense.
Adrián Mouly
10/28/2021, 6:24 AMI still need to figure out the sst local mode with RDS.
Adrián Mouly
10/28/2021, 6:24 AMPlanning to use VPN.
s
Slawomir Stec
10/28/2021, 6:30 AMI remember it worked very well. One hint, I added CNAME to Route53 like dev.rds.com prod.rds.com etc pointing to RDS cluster endpoint to have always same url for debugging between stacks redeploy.
a
Adrián Mouly
10/28/2021, 6:31 AM😮
Adrián Mouly
10/28/2021, 6:31 AMDidn’t think about it.
s
Slawomir Stec
10/28/2021, 6:31 AMSaves some time
a
Adrián Mouly
10/28/2021, 6:33 AMYeah going to take a look into that too.