Invoke aws lambda from an ec2

I'm trying to invoke a lambda from an ec2. They are both in the same self-referencing security group, the same vpc, even the same subnet.

When I invoke the lambda from my rails server on the ec2 I get: /home/ubuntu/.rbenv/versions/3.1.3/lib/ruby/3.1.0/net/http.rb:1018:in `initialize': Failed to open TCP connection to lambda.us-east-1.amazonaws.com:443 (execution expired) (Seahorse::Client::NetworkingError). If I add a fully open security group (all traffic from 0.0.0.0/0 for both inbound and outbound) then it works as expected and I get a response from the lambda. I can't figure out what is wrong with the sg. Anyone have any advice?

Answer

It doesn't matter that the function is configured to run in the same VPC as the EC2 instance and use the same security group. Lambda functions aren't sitting there running 100% of the time and listening for incoming requests. When you invoke a Lambda function, you connect to the public AWS Lambda service API to request that the AWS Lambda service create a new invocation of your Lambda function for you. That is why the error message is saying that it is trying to connect to lambda.us-east-1.amazonaws.com, which is obviously not an address that exists inside your VPC.

It sounds like your EC2 instance has Internet access already, since opening up the outbound rules in the security group appears to solve the issue. You will have to leave all outbound traffic open in the EC2 instance's security group in order to allow it to connect to the Internet in order for it to communicate with the AWS Lambda service and trigger new invocations of the Lambda function.

Alternatively, you could add an AWS Lambda VPC Endpoint to your VPC, which would allow your EC2 instance to connect to the AWS Lambda service as if it existed inside the VPC. Then you would only need to open up the EC2 instance's security group to allow it to connect to the VPC Endpoint's security group.

I highly recommend using different security groups for different resource types (EC2, Lambda, Endpoints, etc.) since each one has different inbound and outbound network requirements, and the only way to properly secure them all is to have different security groups with different rules for each one.
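The endpoint-based setup the answer describes, written out as Terraform so the security-group relationships are explicit. This is an added example, not code from the question or the answer: the VPC ID, subnet IDs and region are placeholders, and the resource names are invented. The EC2 security group gets a single egress rule (TCP 443 to the endpoint's security group) instead of 0.0.0.0/0, the endpoint's security group accepts 443 only from the EC2 security group, and the interface endpoint has private DNS enabled so that lambda.us-east-1.amazonaws.com resolves to the endpoint's ENIs inside the VPC without any change to the Rails application or the SDK configuration.

```hcl
# Added example, not part of the original answer.
# Placeholders: replace the VPC, subnet and region values with your own.
variable "vpc_id"     { default = "vpc-PLACEHOLDER" }
variable "subnet_ids" { default = ["subnet-PLACEHOLDER"] }
variable "region"     { default = "us-east-1" }

# Security group for the EC2 instance running the Rails app.
# The AWS provider strips the implicit allow-all egress rule from groups it
# creates, so this group only gets the explicit rules below.
resource "aws_security_group" "rails_ec2" {
  name        = "rails-ec2"
  description = "Rails host: egress only to the Lambda VPC endpoint"
  vpc_id      = var.vpc_id
}

# Separate security group for the endpoint network interfaces, as the answer
# recommends: different resource types get different groups and rules.
resource "aws_security_group" "lambda_endpoint" {
  name        = "lambda-vpc-endpoint"
  description = "Lambda interface endpoint: HTTPS from the Rails host only"
  vpc_id      = var.vpc_id
}

# EC2 -> endpoint: allow outbound HTTPS to the endpoint security group only.
resource "aws_security_group_rule" "ec2_to_lambda_endpoint" {
  type                     = "egress"
  security_group_id        = aws_security_group.rails_ec2.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lambda_endpoint.id
}

# Endpoint <- EC2: accept inbound HTTPS only from the EC2 security group.
resource "aws_security_group_rule" "lambda_endpoint_from_ec2" {
  type                     = "ingress"
  security_group_id        = aws_security_group.lambda_endpoint.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.rails_ec2.id
}

# Interface endpoint for the Lambda service API. With private DNS enabled,
# lambda.<region>.amazonaws.com resolves to private addresses in the VPC, so
# the aws-sdk client connects through the endpoint instead of the Internet.
resource "aws_vpc_endpoint" "lambda" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.lambda"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.lambda_endpoint.id]
  private_dns_enabled = true
}
```

Two things to check before relying on this: private DNS on an interface endpoint requires the VPC to have DNS support and DNS hostnames enabled, and the instance role still needs lambda:InvokeFunction, since the endpoint changes the network path but not the IAM authorization. Any other outbound dependency of the Rails host (package mirrors, other AWS services) needs its own explicit egress rule or its own endpoint once the 0.0.0.0/0 rule is gone.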
