amazon web services - AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access

Question

As per this document, if I need to access internet resources from my Lambda function with VPC access, I need to set up a NAT gateway.

So I followed this guide to set up a NAT gateway. However, at the stage when I need to edit the route tables of my subnet to add an entry with destination: 0.0.0.0/0 and target as my NAT gateway's id, I got an error that

An entry with this destination already exists

I checked and noticed that for that existing entry, the target was an internet gateway for my VPC. If I replace that entry with the NAT gateway id, I cannot access any of the EC2 instances in that VPC through SSH from the outside world. How can I achieve a solution where all the EC2 instances in this VPC:

• Are accessible only via SSH and the rest of the traffic is blocked
• Are able to completely access other EC2 instances in the same VPC
• Lambda function having access to this VPC can access outside resources like SQS and Kinesis.

Answer 1

I found a good detailed tutorial on how to allow your lambda to connect to both VPC ressources and the internet here: https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7

A quick walk-through:

• setup new subnets for your lambda (with CIDRs not overlapping your existing subnets). You need:
  • one subnet which will be pointing to an Internet Gateway (IGW) to be used by the NAT (let's call it A)
  • several pointing to the NAT to be used by your lambda (B, C and D)
• add a NAT gateway: set the subnet to A
• set your lambda VPC subnets to B, C and D
• create 2 routes table:
  • one that points to your NAT with destination 0.0.0.0/0
  • one that points to your IGW (should already exists) with destination 0.0.0.0/0
• update the subnet A to use the route table pointing to the IGW
• update the subnets B, C and D to use the route table pointing to the NAT

Hope this helps.