1
votes

I have a VPC with 3 private subnets and one public subnet. In the 3 private subnets I host the RDS and the Lambda functions. In the public subnet I host a NAT Gateway. The 3 private subnets point via a routing table to the NAT Gateway. Within this setup my Lambda functions successfully communicate with my RDS and the Internet, but I cannot access the RDS from my home computer as the NAT is blocking external access to the VPC. My question is now:

How do I let the Lambda functions access the RDS within the VPC and make the RDS public accessible from my computer at the same time?

P.S.: Until now I have always had to manually change the routing of my 3 private subnets to the IGW to make the RDS accessible.


3 Answers

3
votes

First a clarification: the NAT is not blocking external access to the VPC. A NAT Gateway simply provides Internet access to resources in your VPC that don't have public IP addresses. The NAT is unrelated to your being able to access the VPC externally. In fact, you haven't done anything to allow external access yet.

You have the following options to access your RDS instance externally:

  • Add a VPN server to your VPC, in the public subnet, which would allow you to connect to the RDS server after establishing a VPN connection.
  • Move your RDS server to the public subnet and enable the "publicly accessible" flag, which would allow you to connect to the RDS server directly.
  • Create a Linux Bastion Host in the public subnet, which would allow you to connect to the RDS server via SSH port forwarding.

In any of these scenarios, as long as the Lambda function and the RDS instance are in the same VPC, the Lambda function will have access to the RDS instance. And as long as the Lambda function remains in the private subnet(s) with a NAT Gateway, it will have Internet access.

1
votes

You need to create a Bastion Host in your public subnet. A Bastion Host provides connectivity from the public Internet to your private VPC subnets.

A common Bastion Host for AWS is OpenVPN. You can find preconfigured AMIs in the AWS Marketplace.

AWS Security: Bastion Host, NAT instances and VPC Peering

OpenVPN

0
votes

There is a guide on gist.github by user reggi titled How to setup AWS lambda function to talk to the internet and VPC. The guide walks you through the steps for setting up an AWS Lambda to talk to the internet and a VPC.

There you can find solutions for the complexities of connecting Lambdas to RDS and the internet while maintaining a publicly accessible RDS without a VPN; some of this information is in the comments. I have added this information here in case it becomes unavailable.

To allow Lambdas to have internet access and RDS access, and to allow the RDS to be publicly available (hopefully within a specific IP range, i.e. your static IP), your RDS's subnet group must contain only public subnets; that is, subnets which have a route table that points 0.0.0.0/0 to an IGW which is attached to your VPC. You must create a subnet group in Amazon RDS > Subnet Groups which contains the public subnets and then launch an RDS instance with this new subnet group (or configure your current system to these specifications).

https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
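As an added example (not from the gist, nor from any of the posters), a small Python check for the configuration this answer describes: every subnet in the RDS subnet group must route 0.0.0.0/0 to an Internet Gateway, and the database security group's ingress on the DB port should be limited to your own address rather than the whole Internet. The route table and security group data below are constructed samples in the shape of `aws ec2 describe-route-tables` / `describe-security-groups` output; all IDs are placeholders.

```python
import ipaddress

# Constructed sample data (placeholder IDs, not a real account).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-PLACEHOLDER",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"}]},
    {"RouteTableId": "rtb-private-PLACEHOLDER",
     "Associations": [{"Main": True}, {"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER"}]},
]

def _route_table_for(subnet_id, route_tables):
    """Explicitly associated table wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public_subnet(subnet_id, route_tables):
    """Public in the sense the answer uses: 0.0.0.0/0 is routed to an igw-*."""
    rt = _route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in rt.get("Routes", []))

def check_rds_subnet_group(subnet_ids, route_tables):
    """Return the subnets that are NOT public; an empty list means the group qualifies."""
    return [s for s in subnet_ids if not is_public_subnet(s, route_tables)]

def check_db_ingress(ip_permissions, db_port=5432):
    """Return CIDRs that open the DB port wider than a single /32 address."""
    findings = []
    for perm in ip_permissions:
        # Protocol "-1" rules carry no ports and match everything.
        if not perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535):
            continue
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]).prefixlen < 32:
                findings.append(rng["CidrIp"])
    return findings
```

Feed it the real JSON from the AWS CLI to confirm the subnet group and security group before flipping the "publicly accessible" flag.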