Create VPC Endpoint

Because your Lambda function needs to communicate with your Managed Blockchain network, it must run inside the same VPC as your Fabric client and belong to the same security group (HFClientAndEndpoint). Once a Lambda function is attached to a VPC, it can no longer reach most AWS service APIs by default; the VPC itself has to provide a network path. One convenient solution is to create an interface VPC endpoint in the same VPC and security group that exposes the specific AWS services the function needs. In this case, it needs access to AWS Secrets Manager.

To create this endpoint, execute the following commands from your Cloud9 terminal. They read the instance's own VPC, subnet and security group from the instance metadata service, look up the two security groups the endpoint should use, and then create the endpoint.

# Request an IMDSv2 session token first so the metadata calls also work where IMDSv2 is enforced.
export TOKEN=$(curl --silent -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
export INTERFACE=$(curl --silent -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/network/interfaces/macs/)
export SUBNETID=$(curl --silent -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/subnet-id)
export VPCID=$(curl --silent -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/vpc-id)
export SECURITY_GROUPS=$(curl --silent -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/network/interfaces/macs/${INTERFACE}/security-group-ids)
# Resolve the Fabric client group from the groups attached to this instance.
export GROUPID=$(aws ec2 describe-security-groups --group-ids $SECURITY_GROUPS --filters "Name=group-name,Values=HFClientAndEndpoint" --query "SecurityGroups[0].GroupId" --output text)
# Scope the lookup of the default group to this VPC; every VPC has a group named "default".
export DEFAULT_GROUP_ID=$(aws ec2 describe-security-groups --filters "Name=group-name,Values=default" "Name=vpc-id,Values=$VPCID" --query "SecurityGroups[0].GroupId" --output text)
# The service name must name the region your network runs in (here us-east-1).
aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id $VPCID --service-name com.amazonaws.us-east-1.secretsmanager --subnet-id $SUBNETID --security-group-ids "$GROUPID" "$DEFAULT_GROUP_ID"
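An interface endpoint is only reachable if one of its security groups admits inbound TCP/443 from the Lambda function's security group. The following check is an added example, not part of this workshop: it evaluates security group rules in the shape that boto3's describe_security_groups returns, offline against a constructed sample (the group IDs are placeholders), and the check_live helper shows how to run the same logic against a real endpoint with boto3, which is assumed to be installed for that path only.

```python
import ipaddress

HTTPS_PORT = 443


def _port_in_rule(rule, port):
    """True if the inbound rule covers TCP on the given port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _source_in_rule(rule, client_sg, client_ip):
    """True if the rule admits the client security group, or a CIDR containing client_ip."""
    if any(p.get("GroupId") == client_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    if client_ip is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def endpoint_allows_https_from(endpoint_groups, client_sg, client_ip=None, port=HTTPS_PORT):
    """Return the GroupId of the first endpoint security group whose inbound rules admit
    TCP/port from client_sg (or from a CIDR containing client_ip), else None.
    endpoint_groups is the 'SecurityGroups' list from describe_security_groups."""
    for sg in endpoint_groups:
        for rule in sg.get("IpPermissions", []):
            if _port_in_rule(rule, port) and _source_in_rule(rule, client_sg, client_ip):
                return sg["GroupId"]
    return None


def check_live(endpoint_id, client_sg, region=None):
    """Fetch the endpoint's security groups with boto3 and run the same check (needs credentials)."""
    import boto3  # imported here so the offline check above works without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    groups = ec2.describe_vpc_endpoints(VpcEndpointIds=[endpoint_id])["VpcEndpoints"][0]["Groups"]
    sgs = ec2.describe_security_groups(GroupIds=[g["GroupId"] for g in groups])["SecurityGroups"]
    return endpoint_allows_https_from(sgs, client_sg)


# Constructed sample: the client group only opens the Fabric peer port to itself,
# and the default group admits all traffic from its own members. IDs are placeholders.
CLIENT_SG = "sg-0client0000000000"
DEFAULT_SG = "sg-0default000000000"
SAMPLE_GROUPS = [
    {"GroupId": CLIENT_SG, "GroupName": "HFClientAndEndpoint", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 7051, "ToPort": 7051,
         "UserIdGroupPairs": [{"GroupId": CLIENT_SG}], "IpRanges": []}]},
    {"GroupId": DEFAULT_SG, "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": DEFAULT_SG}], "IpRanges": []}]},
]

if __name__ == "__main__":
    print(endpoint_allows_https_from(SAMPLE_GROUPS, CLIENT_SG))  # None: no 443 path for the client SG
```

A None result means a Lambda function in HFClientAndEndpoint would time out calling Secrets Manager through this endpoint until a rule admitting TCP/443 from that group is added.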