Datomic Cloud with AWS Lambda


#1

Hi,

I am trying to access a Datomic cloud instance via an AWS Lambda function but am unable to make a connection (it just times out). The database and Lambda functions are running in the same account and region.

I have confirmed the Datomic Cloud instance is set up correctly and can access it from a Bastion connection on my local computer without any issues.

I have duplicated the client config settings, minus the proxy property, to make the connection in the Lambda function. I have also configured the Lambda function to access the Datomic VPC: I have included all 3 Datomic subnets that were created and specified the Datomic apps security group.

I have also tried adding the datomic-admin policy to the Lambda role and to the authenticated user pool role. Unfortunately the connection continues to just time out.

I’m very new to AWS (and Datomic for that matter), so I’m sure I have just overlooked something or done something stupid, but I’ve been struggling with this for a couple of days now and am clearly not getting anywhere.

Please can you let me know how I need to configure my Lambda functions (running Java 8, although written in Clojure 1.9) to access the Datomic cloud database?

Many thanks,

Paul


#2

Hi Paul,

Are you running this Lambda in the Datomic VPC or in another VPC?

Thanks,
Jaret


#3

Hi,

I have set it to access the Datomic VPC via the Network settings in the Lambda function. I’m not sure how to actually set the Lambda function to run in the Datomic VPC directly.

Thanks,
Paul


#4

I was able to get this working after reading the following from the AWS docs:

When you add VPC configuration to a Lambda function, it can only access resources in that VPC. If a Lambda function needs to access both VPC resources and the public Internet, the VPC needs to have a Network Address Translation (NAT) instance inside the VPC.

Source for that is here: https://docs.aws.amazon.com/lambda/latest/dg/vpc.html

Datomic apps access both VPC resources and apparently the public internet in order to access S3, so you can’t put them in the existing public subnets. What you have to do is create a few private subnets in the Datomic VPC, and configure them with a NAT Gateway for internet access as the docs say. These are then what the Lambda function goes in.


#5

It should also be noted that it can take a very long time to connect - on a cold Java instance it can easily take up to 30 seconds, so make sure you increase the Lambda timeout settings.


#6

You can also create an S3 endpoint in the Datomic Cloud VPC instead of creating separate subnets:

aws ec2 create-vpc-endpoint --vpc-id <DatomicCloud VPC id> --service-name com.amazonaws.us-east-1.s3 --route-table-ids <DatomicCloudRouteTable id>

To find your VPC id and Route Table id you will want to review the tagged resources under the VPC and Route Table consoles respectively.

See the following docs on finding resources by tags:
https://docs.datomic.com/cloud/operation/monitoring.html#tags
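The three conditions raised in this thread (the Lambda's subnets need a default route to a NAT gateway or an S3 gateway endpoint on their route table, the Datomic apps security group must be attached, and the timeout must cover a slow cold connect) can be checked before deploying. The script below is an added example, not code from the thread, from Datomic or from AWS. It works on data in the shapes returned by boto3's describe_route_tables, describe_vpc_endpoints and get_function_configuration; the sample data is constructed, every id in it is a placeholder, and the 60-second minimum timeout is an assumption chosen to leave headroom over the 30-second cold connect mentioned above.

```python
"""Pre-flight check: can a VPC-attached Lambda reach S3 (and so Datomic Cloud)?

Added example, not from the thread, Datomic or AWS. A Lambda ENI gets no public
IP, so a subnet whose default route points at an Internet Gateway is a dead end;
it needs a NAT gateway route or an S3 gateway endpoint on its route table.
"""
import sys

REGION = "us-east-1"  # region used by the endpoint service name in the thread
MIN_TIMEOUT = 60      # assumption: margin over the ~30s cold connect reported above


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table governing subnet_id: explicit association wins, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Classify the 0.0.0.0/0 route as 'nat', 'igw', or None when there is no default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return None


def s3_endpoint_route_tables(vpc_endpoints, region):
    """Ids of route tables that carry an S3 gateway endpoint for this region."""
    service = f"com.amazonaws.{region}.s3"
    ids = set()
    for ep in vpc_endpoints:
        if ep.get("ServiceName") == service and ep.get("VpcEndpointType", "Gateway") == "Gateway":
            ids.update(ep.get("RouteTableIds", []))
    return ids


def check_lambda_placement(fn_config, route_tables, vpc_endpoints, region, min_timeout=MIN_TIMEOUT):
    """Return a list of problems; an empty list means the placement looks right."""
    problems = []
    vpc_cfg = fn_config.get("VpcConfig") or {}
    subnets = vpc_cfg.get("SubnetIds", [])
    if not subnets:
        problems.append("function is not attached to any VPC subnet")
    s3_tables = s3_endpoint_route_tables(vpc_endpoints, region)
    for subnet_id in subnets:
        rt = route_table_for_subnet(route_tables, subnet_id)
        if rt is None:
            problems.append(f"{subnet_id}: no route table found")
            continue
        if default_route_target(rt) == "nat" or rt["RouteTableId"] in s3_tables:
            continue  # has NAT egress or an S3 endpoint: fine
        if default_route_target(rt) == "igw":
            problems.append(f"{subnet_id}: public subnet (default route via IGW); a Lambda ENI has no public IP, so S3 is unreachable")
        else:
            problems.append(f"{subnet_id}: no NAT route and no S3 endpoint; S3 is unreachable")
    if not vpc_cfg.get("SecurityGroupIds"):
        problems.append("no security group attached (the Datomic apps group is needed)")
    timeout = fn_config.get("Timeout", 3)  # 3s is the Lambda default
    if timeout < min_timeout:
        problems.append(f"timeout {timeout}s is below {min_timeout}s; cold connects can take ~30s")
    return problems


# Constructed sample: a public subnet (IGW), a private subnet (NAT), and a subnet with no
# explicit association that falls back to the main table, which carries an S3 endpoint.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
]
SAMPLE_VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "RouteTableIds": ["rtb-main"]},
]


def sample_function(subnets, timeout):
    """Constructed get_function_configuration-shaped record with placeholder ids."""
    return {"FunctionName": "datomic-lambda", "Timeout": timeout,
            "VpcConfig": {"SubnetIds": subnets, "SecurityGroupIds": ["sg-datomic-apps"]}}


def load_from_aws(function_name, region=REGION):
    """Fetch the real inputs with boto3 (needs credentials; not used by the offline sample)."""
    import boto3
    cfg = boto3.client("lambda", region_name=region).get_function_configuration(FunctionName=function_name)
    ec2 = boto3.client("ec2", region_name=region)
    flt = [{"Name": "vpc-id", "Values": [cfg["VpcConfig"]["VpcId"]]}]
    return cfg, ec2.describe_route_tables(Filters=flt)["RouteTables"], ec2.describe_vpc_endpoints(Filters=flt)["VpcEndpoints"]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python check.py <function-name> runs against your account
        cfg, rts, eps = load_from_aws(sys.argv[1])
        print(check_lambda_placement(cfg, rts, eps, REGION) or "placement looks right")
    else:
        for subnets, timeout in [(["subnet-public-a"], 3), (["subnet-private-a"], 60), (["subnet-isolated-b"], 60)]:
            print(subnets, timeout, check_lambda_placement(sample_function(subnets, timeout), SAMPLE_ROUTE_TABLES, SAMPLE_VPC_ENDPOINTS, REGION))
```

Run without arguments it exercises the constructed sample: the public subnet is flagged (together with the 3-second default timeout), while the NAT-routed subnet and the endpoint-backed one pass, which is the same distinction posts #4 and #6 draw.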


#7

You can also create an S3 endpoint in the Datomic Cloud VPC instead of creating separate subnets

This is a great tip. Any chance that this will be added to the official Datomic Cloud docs?