I have a simple .NET Core 2.1 web application that I have deployed to AWS Lambda. The application talks to an RDS Postgres database. The web application is able to connect to the RDS Postgres database from my local box, but the same application times out connecting to the RDS database in production.

What am I missing?

ASP.NET 2.1 Lambda configuration: The Lambda has an execution role which has a policy with all rights to all RDS resources. [screenshots]

IAM: [screenshot]

RDS => Connecting and security tab: [screenshots]

CloudWatch logs: Clicking on the Lambda function => Monitoring tab => "View logs in CloudWatch" shows the following error: [screenshot]

How will I know that the RDS instance is available on a public IP address? The "RDS => Connecting and security tab => Public accessibility" says yes. Will I need to do anything else in this scenario? - Ajit Goel

scrubber.cr3tjir7qaoh.us-east-1.rds.amazonaws.com, this seems to be fine and is resolving to a public IP, and you have allowed it in the security group. The next option would be to check the Network ACL, and you also need to check that the subnets you have used for the DB are public subnets (they should have an IGW in their routing table). BTW, the IP is not reachable on port 5432. - James Dean

Thanks @JamesDean. Before I do that, I need to read up on IAM, VPC, subnets, IGW etc. :( - Ajit Goel

Just one little thing, having your database exposed to the whole world like this is a terrible idea. Why are you not using a VPC? - rdas

Good point made by @rdas, you can instead use Lambda in a VPC and connect to the DB using a private IP. - James Dean

1 Answer


So it looks like your RDS's security group is only allowing inbound connections from 1 specific IP.

This will ONLY work in the scenario that your Lambda is in a subnet (which it is not) that is associated with an Elastic IP, and that Elastic IP is the inbound address for your RDS security group.

Lambdas are NOT tied to a specific piece of hardware, and the IP will change each time, so you'll block the inbound connection with the SG.

However, this Elastic IP is an unnecessary cost in this instance; there is a better way to do it:

1) Create a subnet that the Lambda will be initialized in.
2) Then, in the Lambda settings, select that you want to launch into a VPC (the same one as the RDS instance).
3) Select those subnets (best practice is >2 in case there is an AZ outage).
4) Change the RDS security group settings to allow inbound traffic from the subnets the Lambdas launch into.
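
The check behind step 4, as an added example that is not part of the original answer: it tests whether a security group's inbound rules cover every subnet the Lambda launches into on port 5432, and whether any rule opens the port to the whole internet. The rule lists follow the shape of the `IpPermissions` field returned by EC2 DescribeSecurityGroups; all CIDRs, variable names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules in the shape of the "IpPermissions" list from
# EC2 DescribeSecurityGroups; every address below is a made-up example.
SG_SINGLE_IP = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]
SG_LAMBDA_SUBNETS = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                      "IpRanges": [{"CidrIp": "10.0.10.0/24"},
                                   {"CidrIp": "10.0.11.0/24"}]}]
LAMBDA_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]  # assumed Lambda subnets


def rule_covers_port(rule, port):
    """True if the rule applies to TCP traffic on `port`."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def allowed_networks(ip_permissions, port):
    """IPv4 source networks admitted on `port` by CIDR-based rules."""
    return [ipaddress.ip_network(r["CidrIp"])
            for rule in ip_permissions if rule_covers_port(rule, port)
            for r in rule.get("IpRanges", [])]


def uncovered_subnets(ip_permissions, subnets, port=5432):
    """Subnets that no inbound CIDR rule fully covers on `port`."""
    allowed = allowed_networks(ip_permissions, port)
    return [cidr for cidr in subnets
            if not any(ipaddress.ip_network(cidr).subnet_of(a) for a in allowed)]


def world_open(ip_permissions, port=5432):
    """True if any rule admits the whole IPv4 internet on `port`."""
    return any(n.prefixlen == 0 for n in allowed_networks(ip_permissions, port))


if __name__ == "__main__":
    for name, sg in [("single IP", SG_SINGLE_IP), ("Lambda subnets", SG_LAMBDA_SUBNETS)]:
        print(name, "-> uncovered:", uncovered_subnets(sg, LAMBDA_SUBNETS),
              "world-open:", world_open(sg))
```

Rules that name a source security group (`UserIdGroupPairs`) instead of a CIDR are not evaluated here, so a group that admits the Lambda's own security group would still be reported as uncovered.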