How to properly connect AWS Lambda to RDS in VPC?

5
votes

I am trying to build a graphQL API with Serverless Framework on AWS-Lambda using Apollo-Server-Lambda etc. I need to use a not publicly available PostgreSQL RDS instance.

I can get lambdas up and running and sending back requests when not in VPC. I can get a Postgres RDS Database up and running and connected to PgAdmin (when in publicly available mode).

The problem is once I make the RDS Postgres 'non public' and try to get all these pieces talking together I fail.

I have tried multitude of different approaches.

This is regularly portrayed as magic. It is wonderfully written https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7

I could not get access to Postgres with my lambdas using this. So my first question.

Do I need a NAT gateway for incoming (ingress) api calls to lambdas in a VPC? My current understanding is that maybe I only need a NAT gateway for my lambdas to make outgoing calls to other api's out of aws or things like S3. Is this correct?

Next up. I have made a security group for my lambdas and have added this security group to the inbound list for the security group that was created for RDS. My understanding is this is how the lambdas should gain access to RDS. I have not had such luck. Maybe this is related to public or non public subnets? Maybe this is related to my understanding of the necessity of a NAT?

Basically the only visibility I have been able to get is Lambdas timing out after 20 or 30 seconds depending on my limit when they are trying to connect to postgres in private. Cloudwatch logs reveal nothing else.

Lastly, for now ????, what is the best way to connect my dev machine to Postgres once it is 'not public'? I have my machines IP listed for inbound TCP/IP to port 5432 to postgres in the RDS security group but that does not seem to give me the access I was hoping for. Do I really need a VPN connected to VPC? Whats the simplest way?

I have done this tutorial with basic alterations for Postgres https://docs.aws.amazon.com/lambda/latest/dg/vpc-rds.html

I have read and considered answers from this question & more Allow AWS Lambda to access RDS Database

I have had many success-full deployments with serverless framework with many variations on serverless.yml config to try these options or else I would show a specific one I thought was failing but this is more broadly that I cant seem to grasp exactly how all these VPC, security groups, routing tables etc are supposed to interact.

Any help greatly appreciated!

2
amazon-web-servicesaws-lambdaamazon-rdsamazon-vpcserverless-framework
Instead of the security group for my lambdas, can you add the subnet CIDR (which is configured for the Lambda) to the inbound rule and try to access it? You don't need a NAT gateway if all your resources (Lambda, RDS etc.) are in a VPC.krishna_mee2004

2 Answers

11
votes

Obviously, Lambda needs to be setup to run inside the same VPC, but I'm assuming you already got that.

You need to:

  1. Create a security group (SG) and associate it with the Lambda function.
  2. Now, open the SG associated with the RDS instance (not the one you created above).
  3. Inside the RDS SG, go to "Inbound" tab and click "Edit"
  4. Select "PostgreSQL" in the Type column. In the Source column, select "Custom" in the select dropdown and enter the Lambda SG ID in the input text (if you start typing "sg-", it will show you all your SGs).

Does it work?

2
votes

Make sure your Lambda function is in the VPC, and the security group allows connections from IP addresses within the subnet of the VPC. The amount of available IP addresses is going to affect how many lambda functions can be run concurrently. Also make sure that the Lambda function's role has the ability to describe the VPC (the AWSLambdaVPCAccessExecutionRole policy should do the job for you).