
Configuring VPC in WhaTap Forwarder

Note

This document describes the additional settings required to run WhaTap Forwarder inside a VPC. Install WhaTap Forwarder first; see its installation guide for details.

WhaTap Forwarder collects AWS logs from CloudWatch log groups and S3 buckets, and is installed as an AWS Lambda function. By default, a Lambda function does not run inside a VPC (Virtual Private Cloud). With the additional settings below, WhaTap Forwarder can run inside your VPC. Note that a function attached to a VPC no longer has direct Internet access, so it can reach the WhaTap server only through a NAT Gateway; the subnet and security group settings in this document provide that path.

Modifying the Lambda execution role

  1. On the AWS Lambda Function console, select WhaTap Forwarder.

  2. On the Configuration tab, select the Execution role under Permissions to go to the AWS IAM console.

    Lambda Execution Role

  3. Go to Permissions policies under the IAM console's Permissions tab.

  4. Select forwarderpolicy in the policy list to go to the policy editing screen.

    IAM Console

  5. Select the JSON tab, and then copy and paste the following policy. In addition to the existing log and S3 permissions, it allows the function to create, describe, and delete the elastic network interfaces (ENIs) that Lambda attaches to your VPC. Replace {AWS REGION} and {AWS ACCOUNT ID} with your own values. The ENI statement must use Resource "*" because Lambda creates the interfaces itself, but the S3 statement grants read access to every bucket in the account; if the buckets the forwarder reads are known, narrow its Resource to those bucket and object ARNs.

IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:{AWS REGION}:{AWS ACCOUNT ID}:log-group:/aws/lambda/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
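Before saving the policy it is worth checking that the three ENI actions are actually granted (a missing one makes the VPC attachment fail at deploy time) and listing what is granted on Resource "*". The following script is an added example, not WhaTap's own code: it parses the policy above with hypothetical region and account values (ap-northeast-2, 123456789012) and reports missing ENI actions and wildcard-resource actions worth narrowing.

```python
import fnmatch
import json

# Added example (not WhaTap's own code): sanity-check the execution-role policy.
# The region and account ID below are placeholders, not real values.
FORWARDER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:ap-northeast-2:123456789012:log-group:/aws/lambda/*",
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                 "ec2:DeleteNetworkInterface"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
""")

# The three ENI actions Lambda needs to attach a function to a VPC (as listed in the document).
REQUIRED_ENI_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return every Action pattern granted by an Allow statement."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action")))
    return patterns


def missing_eni_actions(policy):
    """ENI actions that no Allow statement covers (wildcards such as ec2:* count as covering)."""
    patterns = allowed_actions(policy)
    return {
        action for action in REQUIRED_ENI_ACTIONS
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns)
    }


def wildcard_resource_actions(policy):
    """Non-ec2 actions granted on Resource "*".

    The ENI statement legitimately needs "*" because Lambda creates the
    interfaces itself; data-plane actions such as s3:Get* on every bucket
    are the ones to review and narrow to specific bucket ARNs.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if not fnmatch.fnmatchcase(action, "ec2:*"):
                findings.append(action)
    return findings


if __name__ == "__main__":
    print("missing ENI actions:", missing_eni_actions(FORWARDER_POLICY) or "none")
    print("wildcard-resource actions to review:", wildcard_resource_actions(FORWARDER_POLICY))
```

Run it against the policy JSON you are about to paste; an empty "missing ENI actions" result and a review of the listed wildcard-resource actions is what you want before saving.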

VPC configuration

  1. On the AWS Lambda Function console, select WhaTap Forwarder.

  2. On the Configuration tab, select VPC and then Edit to open the VPC editing screen.

    VPC Editing

  3. On the following screen, set the VPC, Subnets, and Security groups, and then select Save.

    Subnet and Security Group

    Note

    Subnets

    • A Lambda function inside a VPC reaches the Internet only through a NAT Gateway: the NAT Gateway's public IP address goes out through the Internet Gateway (IGW).

    • Going out directly through the IGW requires a public IP address, and the ENI that Lambda creates cannot be assigned one. A function placed in a public subnet therefore has no Internet access, even though that subnet is routed to the IGW.

    • Select private subnets whose route table sends outbound traffic (0.0.0.0/0) to a NAT Gateway. The NAT Gateway itself sits in a public subnet that is routed to the IGW.

    • WhaTap Forwarder in a private subnet and a public subnet


    Note

    Security groups

    • A security group whose outbound (egress) rules allow traffic to the WhaTap server is required. WhaTap Forwarder only initiates connections, so no inbound rule is needed; if the default "allow all outbound" rule has been removed from the group, add an egress rule back before saving.
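The subnet and security group conditions above can be checked from the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` before you edit the function. The script below is an added example, not WhaTap's own code; it runs offline on constructed sample JSON (the subnet, route table, gateway, and security group IDs are made up) and classifies each candidate subnet as public (default route to an IGW), private-nat (default route to a NAT Gateway) or isolated, keeping only the private-nat ones, and checks that a security group has an egress rule to 0.0.0.0/0.

```python
import json

# Added example (not WhaTap's own code). The IDs below are constructed sample
# data shaped like the JSON returned by `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups`; replace it with your own output.
ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-public-a", "Main": false}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
  {"RouteTableId": "rtb-private",
   "Associations": [{"SubnetId": "subnet-private-a", "Main": false}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
  {"RouteTableId": "rtb-main",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
]}
""")

SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-open-egress",
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-no-egress", "IpPermissionsEgress": []}
]}
""")


def route_table_for(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """'public' (0.0.0.0/0 -> IGW), 'private-nat' (0.0.0.0/0 -> NAT Gateway) or 'isolated'."""
    rt = route_table_for(route_tables, subnet_id)
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "private-nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
    return "isolated"


def lambda_eligible_subnets(route_tables, subnet_ids):
    """Only NAT-routed private subnets give a VPC-attached Lambda a path to the Internet."""
    return [s for s in subnet_ids if classify_subnet(route_tables, s) == "private-nat"]


def sg_allows_outbound(security_groups, group_id):
    """True if the group has any egress rule whose destination range is 0.0.0.0/0."""
    for sg in security_groups["SecurityGroups"]:
        if sg["GroupId"] != group_id:
            continue
        for rule in sg.get("IpPermissionsEgress", []):
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
                return True
    return False


if __name__ == "__main__":
    candidates = ["subnet-public-a", "subnet-private-a", "subnet-unassociated"]
    for s in candidates:
        print(s, "->", classify_subnet(ROUTE_TABLES, s))
    print("use for the forwarder:", lambda_eligible_subnets(ROUTE_TABLES, candidates))
    print("sg-open-egress allows outbound:", sg_allows_outbound(SECURITY_GROUPS, "sg-open-egress"))
```

A subnet that is not listed in any explicit association falls back to the main route table, which is how the sample's third subnet ends up isolated; that is the case that silently breaks the forwarder, because the function deploys fine but every attempt to reach the WhaTap server times out.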