AWS Lambda in VPC with RDS and Internet Connection

1
votes

I set up an Aurora Database (provisioned) in a newly created VPC and no public accessibility. As I want to run a Lambda function in the VPC which is able to both, access the RDS instances as well as the Internet, I changed the routing tables of the RDS instances to allowing traffic from a NAT gateway which I placed in a public subnet in the same VPC.

For the Lambda function itself, I created a separate private subnet, also just allowing traffic from the NAT gateway in the routing table. I assigned this subnet and VPC to the Lambda function in the Lambda settings. The internet connection works fine with this configuration but I can not access the database. That's why I followed this post (https://serverfault.com/questions/941886/connect-an-aws-lambda-function-triggered-by-api-gateway-to-aurora-serverless-mys) and added the IP CIDR of the Lambda subnet to the Security Group of the RDS instances (called rds-launch-wizard).

Still, the Lambda function is able to interact with the public internet but can not connect to the RDS instances (timeout). I'm running out of ideas, what is wrong here?

1
aws-lambdaamazon-rdsamazon-vpc
I can not really see how this solves my issue. Why do you put the lambda function into both subnets (private and public) and not create a separate private subnet as described in my link above? How to restrict database access (private subnet access) in your example?MartinaW
There are two separate subnets: a public and a private one. The public is responsible for Internet Access through an Internet Gateway and the private is responsible for VPC access via a NAT GatewayThales Minussi
I put the Lambda on both because it needs access to both the Internet and your RDS instance (which also turns out to be your problem). The public subnet will route requests to other AWS Services/Internet and the private will route it to the VPC (like RDS, ElasticSearch, etc)Thales Minussi
Thanks ThalesMinussi for you quick reply. Please check aws.amazon.com/premiumsupport/knowledge-center/… - how would you configure your VPC when you follow the instructions including that Lambda functions should only be associated with private subnets?MartinaW
@ThalesMinussi A Lambda function in a Public Subnet is not able to communicate with the Internet. It does not receive a Public IP address.John Rotenstein

1 Answers

7
votes

The configuration should be:

  • A Public subnet with a NAT Gateway (and, by definition, an Internet Gateway)
  • A Private subnet with the Amazon RDS instance
  • The same, or a different, Private Subnet associated with the Lambda function
  • The Private Subnet(s) configured with a Route Table with a destination of 0.0.0.0/0 to the NAT Gateway

Then consider the Security Groups:

  • A security group for the Lambda function (Lambda-SG) that permits all outbound access
  • A security group for the RDS instance (RDS-SG) that should permit inbound access from Lambda-SG on the appropriate database port

That is, RDS-SG is allowing incoming traffic from Lambda-SG (by name). There is no need to use CIDRs in the security group.

The Lambda function will connect to a private subnet via an Elastic Network Interface (ENI) and will be able to communicate both with the RDS instance (directly) and with the Internet (via the NAT Gateway).

Please note that you are not directing "traffic from the NAT Gateway". Rather, you are directing Internet-bound traffic to the NAT Gateway. Nor is there such a thing as "routing tables of the RDS instances" because the Route Tables are associated with subnets, not RDS.