VPC에 있는 Lambda가 외부 DB에 액세스하려면, NAT Gateway를 사용하여 인터넷 액세스를 제공해야 한다.
Terraform으로 NAT Gateway를 설정하고, Lambda가 NAT Gateway를 통해 외부로 액세스할 수 있도록 라우팅 테이블을 구성하는 코드
Terraform 코드
provider "aws" {
region = "ap-northeast-2"
}
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_support = true
enable_dns_hostnames = true
tags = {
Name = "example-vpc"
}
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
map_public_ip_on_launch = true
availability_zone = "ap-northeast-2a"
tags = {
Name = "example-public-subnet"
}
}
resource "aws_subnet" "private" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.2.0/24"
availability_zone = "ap-northeast-2a"
tags = {
Name = "example-private-subnet"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.main.id
tags = {
Name = "example-igw"
}
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
tags = {
Name = "example-public-rt"
}
}
resource "aws_route" "public_route" {
route_table_id = aws_route_table.public.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
resource "aws_route_table_association" "public" {
subnet_id = aws_subnet.public.id
route_table_id = aws_route_table.public.id
}
resource "aws_eip" "nat" {
vpc = true
}
resource "aws_nat_gateway" "nat" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public.id
tags = {
Name = "example-nat-gateway"
}
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
tags = {
Name = "example-private-rt"
}
}
resource "aws_route" "private_route" {
route_table_id = aws_route_table.private.id
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.nat.id
}
resource "aws_route_table_association" "private" {
subnet_id = aws_subnet.private.id
route_table_id = aws_route_table.private.id
}
resource "aws_lambda_function" "example" {
function_name = "example-lambda"
role = aws_iam_role.lambda_exec.arn
handler = "index.handler"
runtime = "python3.8"
source_code_hash = filebase64sha256("lambda.zip")
environment {
variables = {
DB_HOST = "external-db-host"
}
}
vpc_config {
subnet_ids = [aws_subnet.private.id]
security_group_ids = [aws_security_group.lambda.id]
}
}
resource "aws_security_group" "lambda" {
name = "lambda-sg"
vpc_id = aws_vpc.main.id
ingress {
from_port = 3306 # DB Port (e.g., MySQL)
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # 제한 필요
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "lambda-sg"
}
}
resource "aws_iam_role" "lambda_exec" {
name = "lambda_exec"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
resource "aws_iam_role_policy_attachment" "lambda_policy" {
role = aws_iam_role.lambda_exec.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}주요 구성 요소 설명
- NAT Gateway: Lambda가 Private Subnet에 배치되어 있기 때문에, NAT Gateway를 통해 인터넷 액세스를 설정
- Route Table: Private Subnet은 NAT Gateway를 사용해 외부 트래픽을 라우팅
- Lambda Security Group: Lambda가 외부 DB와 통신하도록 Ingress와 Egress 규칙을 설정
- IAM Role: Lambda가 VPC 내에서 실행되도록 필요한 권한을 부여
이 코드를 실행하면 Lambda가 외부 DB에 연결할 수 있는 환경이 구성된다. Subnet과 NAT Gateway가 올바르게 설정되었는지 확인하고, DB 보안 그룹에서 Lambda의 IP를 허용하는 것도 필수
'AWS' 카테고리의 다른 글
| Lambda Cold Start CloudWatch Events vs EventBridge (0) | 2024.12.12 |
|---|---|
| Lambda Cold Start CloudWatch Events 설정 (0) | 2024.12.12 |
| Lambda Cold Start 해결 방법 (Snapstart) (0) | 2024.12.12 |
| Lambda Cold Start 해결 방법 (0) | 2024.12.12 |
| AWS Lambda Log 동적 변경 (1) | 2024.11.29 |