Configuring VPC in WhaTap Forwarder
This document describes the additional settings required to run WhaTap Forwarder inside a VPC. Install WhaTap Forwarder first; for the installation steps, see the following.
WhaTap Forwarder collects AWS logs from Amazon CloudWatch Logs log groups and from S3, and is installed as an AWS Lambda function. By default, a Lambda function does not run inside your VPC (Virtual Private Cloud). With the following additional settings, WhaTap Forwarder can run in the VPC environment.
Modifying the Lambda execution role
- On the AWS Lambda Function console, select WhaTap Forwarder.
- On the Configuration tab, select Execution role under Permissions to go to the AWS IAM console.
- On the IAM console's Permissions tab, go to Permissions policies.
- Select forwarderpolicy in the policy list to go to the policy editing screen.
- Select the JSON tab, and then copy and paste the following policy. The last statement lets Lambda create, describe, and delete the ENIs (elastic network interfaces) it needs to attach the function to your VPC. Note that the S3 statement grants read and list access to every bucket in the account; where you can, scope its Resource to the log buckets the forwarder actually reads.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:{AWS REGION}:{AWS ACCOUNT ID}:log-group:/aws/lambda/*",
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*",
"s3-object-lambda:Get*",
"s3-object-lambda:List*"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
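The policy above is pasted by hand, so it is easy to end up with invalid JSON or to drop one of the ec2 actions and only find out when the VPC attachment fails. The following is an added example (not part of the WhaTap documentation or the forwarder's own code) that parses a policy document and reports which of the three ENI actions it does not grant, honouring wildcards such as ec2:* and explicit Deny statements. FORWARDER_POLICY is the page's policy with its placeholders left in place; the helper inspects Action only and ignores NotAction, Resource and Condition, which is an assumption that holds for this policy.

```python
"""Check that a Lambda execution-role policy grants the ENI actions a VPC-attached
function needs. Added example, not WhaTap's code; inspects "Action" only."""
import json
from fnmatch import fnmatchcase

# The three ec2 actions from the policy on this page.
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

# The page's policy, with the region/account placeholders left as-is.
FORWARDER_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:{AWS REGION}:{AWS ACCOUNT ID}:log-group:/aws/lambda/*",
     "Effect": "Allow"},
    {"Action": ["s3:Get*", "s3:List*", "s3-object-lambda:Get*", "s3-object-lambda:List*"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"],
     "Resource": "*", "Effect": "Allow"}
  ]
}
"""


def _as_list(value):
    """IAM allows a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def policy_parses(policy_text):
    """True if the text is valid JSON (a pasted policy with a missing brace is not)."""
    try:
        json.loads(policy_text)
        return True
    except ValueError:
        return False


def granted_actions(policy_text, wanted):
    """Return the subset of `wanted` that the policy allows and does not deny.
    Wildcards in Action (e.g. "ec2:*") are honoured; Deny always wins.
    Limitation: NotAction, Resource and Condition are not evaluated."""
    policy = json.loads(policy_text)  # raises ValueError on malformed JSON
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect == "Allow":
            bucket = allowed
        elif effect == "Deny":
            bucket = denied
        else:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action in wanted:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_eni_actions(policy_text):
    """Required ENI actions the policy does not grant, in the order listed above."""
    granted = granted_actions(policy_text, REQUIRED_ENI_ACTIONS)
    return [a for a in REQUIRED_ENI_ACTIONS if a not in granted]


if __name__ == "__main__":
    print("valid JSON:", policy_parses(FORWARDER_POLICY))
    print("missing ENI actions:", missing_eni_actions(FORWARDER_POLICY))
```

Run it against the policy text before pasting it into the console; an empty list means the ENI statement is present and not overridden by a Deny.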
VPC configuration
- On the AWS Lambda Function console, select WhaTap Forwarder.
- Under the Configuration tab, select VPC, and then select Edit to go to the VPC editing screen.
- Set VPC, Subnets, and Security groups as described in the following notes, and then select Save.
Note: Subnets
- The function reaches the Internet through a NAT Gateway: the NAT Gateway has a public IP of its own and forwards the traffic out through the Internet Gateway (IGW).
- Sending traffic directly through the IGW requires a public IP, and the ENIs that Lambda creates cannot be assigned one. A public subnet (one whose default route points to the IGW) therefore does not give the function Internet access, even though it is "public".
- Select private subnets whose route table sends outbound traffic (0.0.0.0/0) to a NAT Gateway. A quick check: in the VPC console, open the subnet's route table and confirm that the target of the 0.0.0.0/0 route is a nat-... ID, not an igw-... ID.
- (Figure: WhaTap Forwarder in a private subnet and in a public subnet)
Note: Security groups
- A security group whose outbound (egress) rules allow the function's traffic to the WhaTap servers is required. No inbound rules are needed, because the function only initiates connections.
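The two notes above describe a check that is easy to get wrong from the console: a subnet that looks "public" is exactly the one that does not work for Lambda. The following is an added example (not part of the WhaTap documentation or the forwarder's own code) that applies both checks to data in the shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`: it resolves each subnet to its route table (explicit association, else the VPC's main table), classifies the 0.0.0.0/0 route as NAT Gateway or Internet Gateway, and confirms that at least one attached security group allows outbound TCP on the port the forwarder uses. The sample route tables and security groups are constructed for the example; the port 443 default and the assumption that the input contains only the function's VPC are the author's assumptions, not something this page states.

```python
"""Check whether a Lambda VPC configuration can reach the Internet as this page
requires: a default route to a NAT Gateway (not an IGW) and egress allowed.
Added example, not WhaTap's code. Input dicts mirror the AWS CLI output shape."""

# Constructed sample: route tables of one VPC. rtb-0main sends 0.0.0.0/0 to an IGW
# (subnets without an explicit association inherit it); rtb-0private sends it to a NAT.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0main", "VpcId": "vpc-0example",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-0private", "VpcId": "vpc-0example",
        "Associations": [{"Main": False, "SubnetId": "subnet-0private",
                          "RouteTableId": "rtb-0private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
]

# Constructed sample security groups (egress rules only; ingress is irrelevant here).
SG_ALL_EGRESS = {"GroupId": "sg-0open",
                 "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_HTTPS_ONLY = {"GroupId": "sg-0https",
                 "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_NO_EGRESS = {"GroupId": "sg-0closed", "IpPermissionsEgress": []}


def route_table_for_subnet(route_tables, subnet_id):
    """Explicit subnet association wins; otherwise the VPC's main route table.
    Assumes `route_tables` holds only the function's VPC (filter by vpc-id)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Classify the active 0.0.0.0/0 route: 'nat', 'igw', 'other' or 'none'."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        return "other"  # e.g. transit gateway or firewall endpoint: check by hand
    return "none"


def subnet_egress(route_tables, subnet_id):
    rt = route_table_for_subnet(route_tables, subnet_id)
    return "none" if rt is None else default_route_target(rt)


def sg_allows_tcp_egress(security_group, port):
    """True if some IPv4 egress rule covers TCP `port` (all-traffic rules count)."""
    for perm in security_group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":
            continue
        if perm.get("IpRanges"):
            return True
    return False


def check_lambda_vpc_config(route_tables, subnet_ids, security_groups, port=443):
    """Return a list of problems; an empty list means the configuration follows
    this page's notes. `port` (HTTPS) is an assumption; set it to what the forwarder uses."""
    problems = []
    for subnet_id in subnet_ids:
        egress = subnet_egress(route_tables, subnet_id)
        if egress == "igw":
            problems.append(f"{subnet_id}: default route goes to an Internet Gateway; "
                            "Lambda ENIs cannot have a public IP, so this subnet has no Internet access")
        elif egress != "nat":
            problems.append(f"{subnet_id}: no NAT Gateway default route (found: {egress})")
    if not any(sg_allows_tcp_egress(sg, port) for sg in security_groups):
        problems.append(f"no attached security group allows outbound TCP/{port}")
    return problems


if __name__ == "__main__":
    print(check_lambda_vpc_config(ROUTE_TABLES, ["subnet-0public"], [SG_NO_EGRESS]))
    print(check_lambda_vpc_config(ROUTE_TABLES, ["subnet-0private"], [SG_HTTPS_ONLY]))
```

In practice, feed it the `RouteTables` and `SecurityGroups` arrays from the CLI for the function's VPC and the subnet and security-group IDs you selected in the VPC editing screen; a public subnet is reported as a problem even though the console accepts it.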