Unable to connect to Public RDS in VPC via Lambda

0
votes

There are couple of questions around this, but none seem to solve my specific problem.

So i have a publicly accessible RDS instance in a VPC with two Security Groups : one the default SG for VPC & other to allow incoming connections from our developer machines. I am able to successfully connect to this RDS via my developer machines(personal laptops/PCs) as a result of the 2nd Security group.

Now, when i try to connect to this RDS via a Lambda running in same VPC, it fails with this error : "java.net.UnknownHostException: ****.rds.amazonaws.com: Name or service not known "

My lambda is getting launched in the same VPC as RDS and i have chosen all the RDS VPC subnets for the lambda. It also is tied to the default VPC security group.

Below is my understanding(obviously not right as connection is not working), what am i missing here?

The Default VPC SG(security group) associated to the lambda has outgoing rules set as 0.0.0.0/0 , hence it should allow lambda to access the whole world; so at least the RDS in VPC should be accessible.

The same default VPC SG should allow the RDS to accept incoming connections from any ip in the SG subnets(inbound rule mentions SG/default) ; hence lambda should be able to access it.

2
amazon-web-servicesaws-lambdaamazon-rdsamazon-vpcaws-security-group
Where are your "developer machines"? Are they Amazon EC2 instances in the same VPC, or are they computers connected to the Internet?John Rotenstein
Some Computers connected to the internet. The problem is with the lambdas not being able to access RDS in VPC.nikel
See if this helps stackoverflow.com/questions/67230097/…GSSwain
I am using the default VPCs for this purpose, and both of the flags mentioned in the post are enabled for this VPCnikel

2 Answers

0
votes

The error message is indicating that it cannot resolve the DNS Name of the RDS database (Name or service not known).

I suspect that this is due to the fact that the RDS instance has been configured as publicly accessible, which gives it a public DNS Name and IP address.

An AWS Lambda function connected to a VPC will send all network traffic via the VPC. It does not have access to the Internet unless there is a NAT in the VPC and the Lambda function is connected to a Private Subnet. Thus, the connection attempts from the Lambda function are possibly attempting to resolve a Public DNS Name, but is failing to do so.

This could likely be resolved by changing the RDS instance to be Publicly Available = No. This not only makes it safer, but it means that the DNS Name will resolve to a Private IP address, which should work correctly with a Lambda function connected to the VPC.

Alternatively, you could configure the Lambda function to not be connected to the VPC. This gives it Internet access, so it will connect to the RDS database just like any other computer on the Internet.

0
votes

So the problem was that in my developer machine, I was using the db instance endpoint , but in lambda i was using the cluster endpoint. They look similar, hence i was not able to catch it earlier. On fixing the lambda to use the instance endpoint, both lambda & developer machines can successfully connect to the RDS.

However, I am now curious why the cluster url is not accessible, but i will create another question for that.