3 votes

I have an Aurora cluster in RDS and a Lambda Function.

  • Both are assigned the same VPC.
  • Both have the same subnets (us-east-1 a-f)
  • Both have the same security group assigned
  • Lambda is assigned a role with AmazonRDSFullAccess, AmazonVPCFullAccess, AWSLambdaVPCAccessExecutionRole

When I run the lambda instance, I get a connection timeout when trying to connect to Aurora. I'm able to access Aurora locally (with an access key added to aws configure).

Any ideas what else I can check for why lambda wouldn't have access to the instance? Thank you

Update: The subnets each have the following configuration: [image: route table]

Comment (2 votes): What are the security group rules? You probably need to open the port. - Mark B

2 Answers

12 votes

Both have the same security group assigned

It's a common misconception that members of the same security group can communicate with each other by virtue of being members of the same group. This is not the case. Being members of the same group only means they follow the same set of rules.

Members of a security group can only access other members of the group if the group allows access to itself.

Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Add a rule to this group for "MySQL/Aurora" traffic, but instead of entering an IP address, enter the sg-xxxxxxxx identifier of the security group.

0 votes

I had a similar problem until I realized the VPC I was using did not have dns resolution enabled for hosts within the VPC.

The enableDnsSupport option needs to be set for the VPC.

See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html