1
votes

I am trying to access a MySQL database on Amazon RDS from an AWS Lambda Python function. After running a test, it gives a connection failed error:

"errorMessage": "2019-05-27T15:14:26.967Z f6e8ae8d-1dfc-4be5-9e00-a2c937e4ca2c Task timed out after 3.00 seconds"

I believe that is caused by the configuration of the VPC, NAT or Security Group.

I tried to follow:

But it is still not working.

I have:

  • A default VPC with one Internet Gateway attached
  • 2 subnets with IPv4 CIDR xxx.xx.0.0/20 (subnet001) and xxx.xx.16.0/20 (subnet002) associated with one route table and one Network ACL.
  • NAT Gateway associate with subnet001

My question is:

According to these two tutorials, I will need one VPC and four subnets (1, 2, 3, 4): the first two subnets associated with the main route table that routes to local and the internet gateway, and the second two subnets associated with a "lambda-to-internet" route table that routes to local and a NAT gateway.

The NAT gateway should associate with subnet 1. Am I correct?

And for network ACL, do all four subnets associate with same ACL?

In Lambda VPC setting, do I add all four subnets or only last two subnets?

import pymysql

rds_host = "my_host_name"
name = "my_username"
password = "my_password"
db_name = "my_db_name"

# Pass the host as a keyword argument; newer PyMySQL releases no longer
# accept it positionally, and password=/database= are the current names.
conn = pymysql.connect(host=rds_host, user=name, password=password,
                       database=db_name, connect_timeout=5)
If the Lambda function and RDS instance are in the same VPC you don't need to do all this network configuration stuff. Just assign a security group to the Lambda function, and allow access to that security group as a source in the RDS security group. You would only need to do all this if the Lambda function also needs access to things outside the VPC. - Mark B
@Mark B, Yes, the Lambda function and RDS instance are in the same VPC. I didn't do any of those at the beginning, but it did not work. So I found these tutorials, but it is still not working after I configured it following the steps. - henryZ

1 Answer

1
votes

You have a lot of information in your question, so it is hard to reply to it all, but it seems that your basic question is how to allow the AWS Lambda function to connect to the Amazon RDS instance.

Your configuration will need to be:

  • The Lambda function configured to connect to the VPC (any subnet, it doesn't matter)
  • The Amazon RDS instance launched in the same VPC
  • A security group (Lambda-SG) on the Lambda function - it doesn't need any configuration, but it needs to exist
  • A security group (RDS-SG) on the Amazon RDS db instance that permits inbound traffic from Lambda-SG on port 3306

Please note that RDS-SG is permitting a connection from Lambda-SG. A security group can refer to another security group.

Also, increase the timeout for your Lambda function. It is currently set to 3 seconds, which might not be enough to accomplish what you are trying to do. The connection timeout is set to 5 seconds, so you will need the Lambda function to run longer than this time to confirm what is happening.

That's all you need. You don't need a NAT Gateway for this setup. It is only required if you wish the Lambda function to be connected to the VPC AND have the ability to connect to the Internet. You only need one subnet (for the RDS db instance) for what you have described, but your architecture might require more for other resources you are using. Even the Internet Gateway is not needed for the Lambda and RDS bits. But, focus on getting the Lambda-RDS connection going and then you can clean up things.
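The setup the answer describes, written out as a CloudFormation template; this is an added example, not part of the answer, and the parameter names, the python3.9 runtime, the 30-second timeout and the S3 placeholders are assumptions. The RDS instance itself is not declared here: attach RdsSG to the existing DB instance's VPC security groups.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda-to-RDS access via a security-group reference (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id            # the VPC that already holds the RDS instance
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # any subnets in that VPC; no NAT or IGW needed
  LambdaRoleArn:
    Type: String                       # existing role with AWSLambdaVPCAccessExecutionRole

Resources:
  # Lambda-SG: attached to the function. It carries no inbound rules at all;
  # it exists only so the RDS rule below can name it as the allowed source.
  LambdaSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda function egress to RDS
      VpcId: !Ref VpcId

  # RDS-SG: attached to the DB instance. The single inbound rule allows
  # MySQL (3306) only from members of Lambda-SG, not from a CIDR range,
  # so the database is reachable by exactly the function, nothing else.
  RdsSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: MySQL inbound from Lambda-SG only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref LambdaSG

  # The function joins the VPC with Lambda-SG as its only security group.
  DbFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.9               # assumed runtime
      Handler: app.handler
      Role: !Ref LambdaRoleArn
      Timeout: 30                      # assumed; must exceed the 5 s connect_timeout
      VpcConfig:
        SubnetIds: !Ref SubnetIds
        SecurityGroupIds:
          - !Ref LambdaSG
      Code:
        S3Bucket: my-deploy-bucket     # placeholder
        S3Key: app.zip                 # placeholder
```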