Getting this error: ```Error: Lambda Functions in ...
# sst
Getting this error:
Copy code
Error: Lambda Functions in a public subnet can NOT access the internet. If you are aware of this limitation and would still like to place the function int a public subnet, set `allowPublicSubnet` to true
Apparently one of my AWS accounts has wrong setup. Can anybody tell me where this flag has to be setup? Also looks like there is a typo… it says
I think under function options or defaultFunctionProps
Yeah found it, thank you!
Default function props made it 🙂
Not sure why this error, doesn’t makes sense to me.
Lambda don’t have public IP. Placing it in the public subnet and send traffic via IGW allows it to access the internet.
Most of the time if you need access private VPC resources you don’t it
You can use VPC endpoint
Well in DEV I have 3 private and 2 public subnet.
And I don’t get that error.
Maybe this checks if there is almost 1 private?
Sorry NAT in private not IGW
That is why this flag is about
You place your lambda in public subnet
And expect to have an access to internet
Which is no true
Probably you should add it to private and use NAT
And allowPublicSubnet is a safeguard to avoid this mistake
Maybe you miss ‘vpcSubnets’ declaration to explicitly select private or public subnets
Sorry typing from phone but smth like
Function: { vpcSubnets:{ subnetType: SubnetType.PRIVATE_WITH_NAT
Yeah could be that.
I only put all the VPCs from lookup.
I do this… 1. lookup VPC by id 2. assign VPC on function by parameter
I don’t specify the subnets, it looks like selects them from the VPC reference.
I usually use ISOLATED to avoid NAT cost and GatewayEndpoint for s3 and dynamo
what is your lambda connecting to?
Yeah, this is one of the concerns I have.
Connected to RDS, S3, EventBridge, SQS… others.
But mostly RDS is the problem.
I’m still not good on VPC design 😞
Still having troubles to wrap my head around GW and NAT.
hmm I would try do the ISOLATED subnet as lambda target and VPC endpoint
Ok, going to check it.
But for this setup with ISOLATED subnet VPN endpoint will be required for sst local mode (if you don’t use local RDS instance in dev mode)
Yeah makes sense.
I still need to figure out the sst local mode with RDS.
Planning to use VPN.
I remember it worked very well. One hint, I added CNAME to Route53 like etc pointing to RDS cluster endpoint to have always same url for debugging between stacks redeploy.
Didn’t think about it.
Saves some time
Yeah going to take a look into that too.