Debugging AWS Services with Lambda

Say you have connectivity issues between AWS services in a VPC. Rather than change the existing system, you can debug it using a lambda that runs HTTP requests. I’ve included an example below. You can use this lambda to test many URLs and configurations quickly to find a range of problems.

Note that to communicate with AWS services, you must “sign” AWS HTTP requests. This allows the destination AWS service to know what IAM role the lambda runs as. This example uses a library called aws4 to sign URLs.

This lambda is small enough to edit through the AWS console, so you can fiddle with the requests once you have it deployed.

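exports.handler = (event, context, cb) => {
  const aws4 = require('aws4');
  const https = require('https');

  // Update this to match the AWS URL you want to test.
  // aws4 infers the service and region from the host name and reads
  // the credentials from the Lambda environment variables.
  const signed = aws4.sign(
    {
      host: 'test.us-east-1.es.amazonaws.com',
      path: '/'
    });

  // Log only the target: the signed headers carry the Authorization
  // signature and session token, which should not end up in CloudWatch.
  console.log('Requesting https://' + signed.host + signed.path);

  https.get(signed, (resp) => {
    let data = '';

    resp.on('data', (chunk) => {
      console.log('received ' + chunk);
      data += chunk;
    });

    resp.on('end', () => {
      // Print the status and raw body; error responses are not always JSON.
      console.log('DATA COMPLETE: ' + resp.statusCode + ' ' + data);
      cb();
    });
  }).on("error", (err) => {
    console.log("ERRORED OUT: " + err.message);

    cb();
  });
};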

Once you deploy this lambda, set the VPC, security group, subnets, and role and run it through the AWS console – you can name the test event anything you want.

If the lambda times out, you likely have a network connectivity problem – e.g. a security group doesn’t allow outbound traffic, a firewall prevents traffic to the destination, etc. If you do have network connectivity but it fails quickly, you may have a problem with IAM roles or the HTTPS certificate on the destination.
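
The triage above can be built into the probe so the log states which case you hit. This is an added example, not part of the original lambda: the `classify` and `probe` functions, the category names and the hint texts are assumptions, and it goes slightly beyond the text by separating DNS failures and refused connections from plain timeouts.

```javascript
// Added example; category names and hint texts are assumptions.
const NETWORK = ['ETIMEDOUT', 'ECONNREFUSED', 'ECONNRESET', 'EHOSTUNREACH', 'ENETUNREACH'];
const DNS = ['ENOTFOUND', 'EAI_AGAIN'];
const CERT = ['CERT_HAS_EXPIRED', 'DEPTH_ZERO_SELF_SIGNED_CERT', 'SELF_SIGNED_CERT_IN_CHAIN',
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'ERR_TLS_CERT_ALTNAME_INVALID'];

// outcome is { timedOut, code, statusCode } as collected by probe() below.
function classify(outcome) {
  if (outcome.timedOut || NETWORK.includes(outcome.code)) return 'network';
  if (DNS.includes(outcome.code)) return 'dns';
  if (CERT.includes(outcome.code)) return 'certificate';
  if (outcome.statusCode === 401 || outcome.statusCode === 403) return 'iam';
  if (outcome.statusCode) return 'reachable';
  return 'unknown';
}

const HINTS = {
  network: 'check security group egress, NACLs, route tables and firewalls',
  dns: 'check the host name and the VPC DNS settings',
  certificate: 'check the HTTPS certificate on the destination',
  iam: 'check the Lambda role, the resource policy and the signed host',
  reachable: 'the request reached the service; read the status and body',
  unknown: 'inspect the raw error code'
};

// signed: the object returned by aws4.sign(); done(category, outcome) is called once.
function probe(signed, timeoutMs, done) {
  const https = require('https');
  let timer = null;
  let finished = false;
  const finish = (outcome) => {
    if (finished) return;
    finished = true;
    clearTimeout(timer);
    const category = classify(outcome);
    console.log('DIAGNOSIS: ' + category + ' (' + HINTS[category] + ')');
    done(category, outcome);
  };
  const req = https.get(signed, (resp) => {
    resp.resume(); // discard the body, only the status matters here
    resp.on('end', () => finish({ statusCode: resp.statusCode }));
  });
  req.on('error', (err) => finish({ code: err.code }));
  // A plain timer, because req.setTimeout() only starts once the socket has
  // connected, and a connection dropped by a security group never connects.
  timer = setTimeout(() => { finish({ timedOut: true }); req.destroy(); }, timeoutMs);
}
```

Pass a `timeoutMs` shorter than the function's configured timeout (the Lambda default is 3 seconds), otherwise the function is killed before the diagnosis is logged.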

Note you can’t do npm install within a lambda because lambda has a read-only filesystem – I tried doing this first to create something you could just paste into the lambda console.

The following script will deploy it – you can also drop the VPC settings entirely and set them through the console.

# Run "npm install aws4" locally first so node_modules ends up in the zip.
zip -r lambda.zip .

aws lambda create-function \
  --function-name test-lambda \
  --zip-file fileb://lambda.zip \
  --runtime 'nodejs10.x' \
  --handler 'index.handler' \
  --role 'arn:aws:iam::***:role/***' \
  --vpc-config 'SubnetIds=subnet-***,subnet-***,SecurityGroupIds=sg-***'

Full source here