Datomic Cloud with AWS Lambda

Hi,

I am trying to access a Datomic cloud instance via an AWS Lambda function but am unable to make a connection (it just times out). The database and Lambda functions are running in the same account and region.

I have confirmed the Datomic Cloud instance is set up correctly and can access it from a Bastion connection on my local computer without any issues.

I have duplicated the client config settings, minus the proxy property, to make the connection in the Lambda function. I have also configured the Lambda function to access the Datomic VPC: I have included all 3 Datomic subnets that were created and specified the Datomic apps security group.

I have also tried adding the datomic-admin policy to the Lambda role and to the authenticated user pool role. Unfortunately the connection continues to just time out.

I’m very new to AWS (and Datomic for that matter), so I’m sure I have just overlooked something or done something stupid, but I’ve been struggling with this for a couple of days now and am clearly not getting anywhere.

Please can you let me know how I need to configure my Lambda functions (running Java 8, although written in Clojure 1.9) to access the Datomic cloud database?

Many thanks,

Paul

Hi Paul,

Are you running this Lambda in the Datomic VPC or in another VPC?

Thanks,
Jaret

Hi,

I have set it to access the Datomic VPC via the Network settings in the Lambda function. I’m not sure how to actually set the Lambda function to run in the Datomic VPC directly.

Thanks,
Paul

I was able to get this working after reading the following from the AWS docs:

When you add VPC configuration to a Lambda function, it can only access resources in that VPC. If a Lambda function needs to access both VPC resources and the public Internet, the VPC needs to have a Network Address Translation (NAT) instance inside the VPC.

Source for that is here: Connecting outbound networking to resources in a VPC - AWS Lambda

Datomic apps access both VPC resources and apparently the public internet in order to access S3, so you can’t put them in the existing public subnets. What you have to do is create a few private subnets in the Datomic VPC, and configure them with a NAT Gateway for internet access as the docs say. These are then what the Lambda function goes in.

It should also be noted that it can take a very long time to connect - on a cold Java instance it can easily take up to 30 seconds, so make sure you increase the Lambda timeout settings.

You can also create an S3 endpoint in the Datomic Cloud VPC instead of creating separate subnets:

aws ec2 create-vpc-endpoint --vpc-id <DatomicCloud VPC id> --service-name com.amazonaws.us-east-1.s3 --route-table-ids <DatomicCloudRouteTable id>

To find your <DatomicCloud VPC id> and <DatomicCloudRouteTable id>, you will want to review the tagged resources under the VPC and Route Table consoles respectively.

See the following docs on finding resources by tags:
https://docs.datomic.com/cloud/operation/monitoring.html#tags
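The two fixes described in the thread (private subnets behind a NAT Gateway in the earlier post, and the S3 gateway endpoint in this one), plus the Lambda VPC/timeout configuration, as an added AWS CLI script. This is not code from the thread or from Datomic; it assumes AWS CLI v2 with working credentials, that the Datomic Cloud VPC, a public subnet, the route table and the Lambda function already exist, and the environment variable names (VPC_ID, RTB_ID, SG_ID) and the 60-second timeout are the script's own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes AWS CLI v2 is installed and
# credentialed; every id passed in is a placeholder for your own resources.
set -eu

# Set AWS_CLI=echo to print the commands instead of executing them (dry run).
AWS_CLI="${AWS_CLI:-aws}"

# Option A: add an S3 gateway endpoint to the Datomic VPC route table so a
# Lambda in the existing subnets can reach S3 without a NAT Gateway.
create_s3_endpoint() {
  vpc_id="$1"; route_table_id="$2"; region="${3:-us-east-1}"
  "$AWS_CLI" ec2 create-vpc-endpoint \
    --vpc-id "$vpc_id" \
    --service-name "com.amazonaws.${region}.s3" \
    --route-table-ids "$route_table_id"
}

# Option B: a new private subnet whose default route goes through a NAT
# Gateway placed in one of the VPC's public subnets. Prints the subnet id.
create_private_subnet_with_nat() {
  vpc_id="$1"; public_subnet_id="$2"; cidr="$3"; az="$4"
  alloc_id=$("$AWS_CLI" ec2 allocate-address --domain vpc \
    --query AllocationId --output text)
  nat_id=$("$AWS_CLI" ec2 create-nat-gateway --subnet-id "$public_subnet_id" \
    --allocation-id "$alloc_id" --query NatGateway.NatGatewayId --output text)
  "$AWS_CLI" ec2 wait nat-gateway-available --nat-gateway-ids "$nat_id"
  subnet_id=$("$AWS_CLI" ec2 create-subnet --vpc-id "$vpc_id" \
    --cidr-block "$cidr" --availability-zone "$az" \
    --query Subnet.SubnetId --output text)
  rtb_id=$("$AWS_CLI" ec2 create-route-table --vpc-id "$vpc_id" \
    --query RouteTable.RouteTableId --output text)
  "$AWS_CLI" ec2 create-route --route-table-id "$rtb_id" \
    --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$nat_id" >/dev/null
  "$AWS_CLI" ec2 associate-route-table --route-table-id "$rtb_id" \
    --subnet-id "$subnet_id" >/dev/null
  echo "$subnet_id"
}

# Either option: attach the Lambda to the chosen subnets with the Datomic apps
# security group and raise the timeout so a cold JVM has time to connect.
configure_lambda() {
  fn_name="$1"; sg_id="$2"; timeout="$3"; shift 3
  subnets=$(IFS=,; echo "$*")
  "$AWS_CLI" lambda update-function-configuration \
    --function-name "$fn_name" \
    --vpc-config "SubnetIds=${subnets},SecurityGroupIds=${sg_id}" \
    --timeout "$timeout"
}

# Usage (option A):
#   VPC_ID=vpc-... RTB_ID=rtb-... SG_ID=sg-... sh datomic-lambda-net.sh \
#     my-function subnet-a subnet-b subnet-c
# Runs only when a function name and at least one subnet id are supplied.
if [ "$#" -ge 2 ]; then
  fn_name="$1"; shift
  create_s3_endpoint "$VPC_ID" "$RTB_ID" "${AWS_REGION:-us-east-1}"
  configure_lambda "$fn_name" "$SG_ID" 60 "$@"
fi
```

The 60-second timeout is an assumption sized for the 30-35 second cold connects reported in this thread; the default Lambda timeout of a few seconds is what makes the first invocation look like a hung connection. Run with AWS_CLI=echo first to review the exact commands before they touch the account.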

You can also create an S3 endpoint in the Datomic Cloud VPC instead of creating separate subnets

This is a great tip. Any chance that this will be added to the official Datomic Cloud docs?

This is sheer curiosity, but why does a cold Java instance on Lambda take so long to connect to a Datomic Cloud db? ~35 seconds in my tests!! From my dev laptop it takes 2-4s.