AWSSupport-TroubleshootLambdaInternetAccess - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWSSupport-TroubleshootLambdaInternetAccess

Description

The AWSSupport-TroubleshootLambdaInternetAccess runbook helps you troubleshoot internet access issues for an Amazon Lambda function that is attached to an Amazon Virtual Private Cloud (Amazon VPC). The subnet route tables, security group rules, and network access control list (network ACL) rules are reviewed to confirm that outbound access to the destination you specify is allowed. A function attached to a VPC has no public IP address, so it reaches the internet only through a route from its subnet to a NAT gateway that itself sits in a public subnet; the runbook checks each hop of that path.


Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • FunctionName

    Type: String

    Description: (Required) The name of the Lambda function you want to troubleshoot internet access for.

  • destinationIp

    Type: String

    Description: (Required) The destination IP address you want to establish an outbound connection to.

  • destinationPort

    Type: String

    Default: 443

    Description: (Optional) The destination port you want to establish an outbound connection on.

Required IAM permissions

The role passed in the AutomationAssumeRole parameter (or the user who starts the runbook, if no role is specified) needs the following actions to run the runbook successfully. All of them are read-only: the runbook inspects configuration and does not modify any resource.

  • lambda:GetFunction

  • ec2:DescribeRouteTables

  • ec2:DescribeNatGateways

  • ec2:DescribeSecurityGroups

  • ec2:DescribeNetworkAcls

Document Steps

  • aws:executeScript - Retrieves the VPC, subnets, and security groups that the Lambda function is attached to.

  • aws:branch - Branches based on whether the specified Lambda function is attached to a VPC or not.

  • aws:executeScript - Reviews the route tables of the subnets where the Lambda function was launched and verifies that an active route to a network address translation (NAT) gateway is present, and that the NAT gateway's own subnet has a route to an internet gateway. Confirms that the Lambda function is not in a public subnet: the function's elastic network interface has no public IP address, so a route straight to an internet gateway does not give it internet access.

  • aws:executeScript - Verifies that the security groups associated with the Lambda function allow outbound traffic to the values specified for the destinationIp and destinationPort parameters. Security groups are stateful, so only the outbound rule has to match.

  • aws:executeScript - Verifies that the network ACL rules for the subnets of the Lambda function and of the NAT gateway allow traffic to the values specified for the destinationIp and destinationPort parameters. Network ACLs are stateless, so both the outbound rule to the destination and the inbound rule that admits the return traffic (on ephemeral ports) are checked.
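The route, security group, and network ACL checks above, modelled offline as an added example (this is not the runbook's own script). The input dictionaries follow the shape of the boto3 describe_route_tables, describe_security_groups, and describe_network_acls responses, and the SAMPLE data at the bottom is constructed for the example: a private subnet with a NAT gateway route and an HTTPS-only security group, but a subnet network ACL that allows egress and only SSH ingress, which is the "egress allowed, no ingress rule" case shown in the checkNACL output. The NACL evaluator implements the ordered, first-match, stateless semantics and checks the whole ephemeral range for the reply leg, which is the part people most often get wrong by hand.

```python
"""Offline model of the checks AWSSupport-TroubleshootLambdaInternetAccess runs
(added example, not the runbook's own script). Inputs mimic the shape of boto3
describe_route_tables/describe_security_groups/describe_network_acls output."""
import ipaddress
import json

EPHEMERAL = (1024, 65535)  # reply ports a stateless NACL must admit
TCP = "6"                  # NACL entries carry IANA protocol numbers as strings


def _in_cidr(cidr, ip):
    return bool(cidr) and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def internet_route(route_table, ip):
    """Longest-prefix match for ip. Lambda ENIs never get public IPs, so only an
    active NAT gateway route counts; an igw- route marks a public subnet."""
    active = [r for r in route_table["Routes"]
              if r.get("State") == "active" and _in_cidr(r.get("DestinationCidrBlock"), ip)]
    if not active:
        return "none"
    best = max(active, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"], strict=False).prefixlen)
    return "nat" if best.get("NatGatewayId") else "igw" if str(best.get("GatewayId", "")).startswith("igw-") else "other"


def sg_allows_egress(sg, ip, proto, port):
    """Stateful: only the outbound rule matters. Group/prefix-list references are ignored."""
    for p in sg["IpPermissionsEgress"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if any(_in_cidr(r["CidrIp"], ip) for r in p.get("IpRanges", [])):
            return True
    return False


def nacl_allows(entries, egress, ip, proto, lo, hi=None):
    """True only if every port in [lo, hi] is allowed. NACLs are stateless and
    ordered: the lowest-numbered matching entry decides; no match is the '*' deny."""
    hi = lo if hi is None else hi
    rules = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    # One probe per port segment between rule boundaries is exact, even for 64k ports.
    probes = {lo}
    for r in rules:
        if r.get("PortRange"):
            probes.update(p for p in (r["PortRange"]["From"], r["PortRange"]["To"] + 1) if lo < p <= hi)
    for port in sorted(probes):
        for r in rules:
            pr = r.get("PortRange")
            if (_in_cidr(r.get("CidrBlock"), ip) and r["Protocol"] in ("-1", proto)
                    and (pr is None or pr["From"] <= port <= pr["To"])):
                if r["RuleAction"] != "allow":
                    return False
                break
        else:
            return False  # no entry matched: implicit deny
    return True


def nacl_path(entries, peer_ip, port, peer_initiates=False):
    """Both legs of one TCP session through a stateless NACL: out to peer:port and
    back from peer on ephemeral ports. For the NAT subnet seen from the Lambda's
    private IP (peer_initiates) the directions flip."""
    out_dir, back_dir = (False, True) if peer_initiates else (True, False)
    return {"out": nacl_allows(entries, out_dir, peer_ip, TCP, port),
            "back": nacl_allows(entries, back_dir, peer_ip, TCP, *EPHEMERAL)}


def diagnose(cfg, dest_ip, dest_port):
    """The runbook's route, security group and NACL checks for one path:
    Lambda subnet -> NAT gateway subnet -> destination, plus the reply legs."""
    f = {"route": internet_route(cfg["lambda_route_table"], dest_ip),
         "sg_egress": sg_allows_egress(cfg["security_group"], dest_ip, "tcp", dest_port),
         "lambda_nacl": nacl_path(cfg["lambda_nacl"], dest_ip, dest_port),
         "nat_nacl_lambda_ip": nacl_path(cfg["nat_nacl"], cfg["lambda_private_ip"], dest_port, True),
         "nat_nacl_destination": nacl_path(cfg["nat_nacl"], dest_ip, dest_port)}
    f["ok"] = f["route"] == "nat" and f["sg_egress"] and all(
        f[k]["out"] and f[k]["back"] for k in ("lambda_nacl", "nat_nacl_lambda_ip", "nat_nacl_destination"))
    return f


# Constructed sample (not real AWS output): NAT route and HTTPS egress are fine,
# but the Lambda subnet NACL only lets SSH back in, so replies on ephemeral ports drop.
ANY = {"Protocol": "-1", "CidrBlock": "0.0.0.0/0"}
SAMPLE = {
    "lambda_private_ip": "10.0.1.25",
    "lambda_route_table": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
    "security_group": {"IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "lambda_nacl": [
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", **ANY},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": TCP,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Egress": True, "RuleAction": "deny", **ANY},
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", **ANY}],
    "nat_nacl": [
        {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", **ANY},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", **ANY}],
}

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE, "8.8.8.8", 443), indent=2))
```

Running it reports route "nat", sg_egress true, and lambda_nacl {"out": true, "back": false}, so ok is false; adding an ingress allow for TCP 1024-65535 from 0.0.0.0/0 to the Lambda subnet's NACL turns it true. Feeding the same functions the real responses from boto3 would reproduce the runbook's verdicts for your own function.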

Outputs

checkVpc.vpc - The ID of the VPC where your Lambda function was launched.

checkVpc.subnet - The IDs of the subnets where your Lambda function was launched.

checkVpc.securityGroups - Security groups associated with the Lambda function.

checkNACL.NACL - Analysis message with resource names. LambdaIp refers to the private IP address of the elastic network interface for your Lambda function. The LambdaIpRules object is only generated for subnets that have a route to a NAT gateway. The following content is an example of the output.

{
  "subnet-1234567890": {
    "NACL": "acl-1234567890",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destination port in Ingress rule",
    "LambdaIpRules": {
      "{LambdaIp}": {
        "Egress": "notAllowed",
        "Ingress": "notAllowed",
        "Analysis": "This is a NAT subnet NACL. It does not have ingress or egress rule allowed in it for Lambda's corresponding private ip {LambdaIp}. Please allow this IP in your egress and ingress NACL rules"
      }
    }
  },
  "subnet-0987654321": {
    "NACL": "acl-0987654321",
    "destinationIp_Egress": "Allowed",
    "destinationIp_Ingress": "notAllowed",
    "Analysis": "This NACL has an allow rule for Egress traffic but there is no Ingress rule. Please allow the destination IP / destination port in Ingress rule"
  }
}

checkSecurityGroups.secgrps - Analysis for the security groups associated with your Lambda function. The following content is an example of the output.

{
  "sg-123456789": {
    "Status": "Allowed",
    "Analysis": "This security group has allowed destination IP and port in its outbound rule."
  }
}

checkSubnet.subnets - Analysis for the subnets in your VPC associated with your Lambda function. The following content is an example of the output.

{
  "subnet-0c4ee6cdexample15": {
    "Route": {
      "DestinationCidrBlock": "8.8.8.0/26",
      "NatGatewayId": "nat-00f0example69fdec",
      "Origin": "CreateRoute",
      "State": "active"
    },
    "Analysis": "This Route Table has an active NAT gateway path. Also, the NAT gateway is launched in a public subnet",
    "RouteTable": "rtb-0b1fexample16961b"
  }
}