1
votes

This question has been asked several times, and I've been reading the answers for the past few hours, so I'm going to summarise everything here. To get the connection between RDS and Lambda, the normal steps are:

  1. Attach the lambda to the same VPC as the database
  2. Create a security group for the lambda
  3. Modify / add a security group for the RDS, in which you allow the VPC's security group as inbound providing the connection port.
  4. Add policy AWSLambdaVPCAccessExecutionRole to lambda function

That's supposed to be it, however it is not working for me. I have checked other possible errors:

  1. DNS of database not found. Solved by setting an internet gateway for the VPC, checked that the DNS is properly resolved
  2. Inbound and Outbound rules of the lambda functions. Solved by setting literally all traffic for both directions.
  3. Outbound rule for DB's security group is set to all traffic and destinations

Note: I can connect to the database via a VPN using another security group, meaning it's not a credential error.

I really don't understand what else I'm missing at this point.

1
When you say "DNS of database not found" are you talking about a theoretical problem or did your Lambda actually have an issue resolving the database's hostname? Note: a thorough example is documented in this tutorial. – jarmod

@jarmod theoretical, found it as an issue on another answer. I already had the gateway attached, but I still checked that it was properly resolved, just in case. – Dominus

Regarding the example, I already looked at it earlier, I'm pretty sure they are missing some steps since they don't discuss anything regarding security groups' inbound rules. There was a more detailed guide by AWS which I can't seem to find anymore. – Dominus

1 Answer

0
votes

Finally found the answer: the error was due to the fact that the RDS was on a public subnet which had an internet gateway. In this case, the solution is as follows:

  • Create a public NAT gateway (attached to a public subnet, with an elastic ip)

  • Create one (or more) private subnets in the same VPC

  • Create a route with the “Destination” as “0.0.0.0”, “Target” as the Internet Gateway, and save your settings. Associate this route with the public subnets

  • Create a route in this table with the “Destination” as “0.0.0.0”, “Target” as the NAT Gateway created previously, and save your settings. Associate this route with the private subnets

Finally, connect the Lambda to the private subnet(s) only.
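As an added example (not code from the question or the answer), here is the same layout as a Terraform configuration, covering both the question's checklist (VPC attachment, security groups, the AWSLambdaVPCAccessExecutionRole policy) and the answer's routing fix (public subnet routed to the Internet Gateway, private subnet routed to a public NAT Gateway, Lambda attached to the private subnet only). The region, CIDR ranges, resource names, deployment package and the database port (5432, assuming PostgreSQL) are all assumptions; the RDS instance itself is assumed to already exist and to have `aws_security_group.db` attached to it. Instead of the "all traffic in both directions" rules used while debugging, the security groups are scoped to the database port between the two groups, which is the least-privilege form of step 3 in the question.

```terraform
# Added example, not from the question or answer. Region, CIDRs, names,
# package and port 5432 are assumptions; the RDS instance is assumed to exist.
provider "aws" {
  region = "us-east-1" # assumed
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # the RDS endpoint hostname must resolve inside the VPC
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# Public subnet: holds the NAT gateway (and, as in the question, the RDS instance)
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.0.0/24"
}

# Private subnet: the only subnet the Lambda function is attached to
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Public NAT gateway with an Elastic IP, placed in the public subnet
resource "aws_eip" "nat" {
  domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Public route table: 0.0.0.0/0 -> Internet Gateway, associated with the public subnet
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Private route table: 0.0.0.0/0 -> NAT Gateway, associated with the private subnet
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security groups: the Lambda SG has no ingress and may only reach the DB SG on
# the DB port; the DB SG only accepts the DB port from the Lambda SG. Add a
# separate 443 egress rule if the function also needs HTTPS out via the NAT.
resource "aws_security_group" "lambda" {
  name   = "lambda-rds-client" # assumed
  vpc_id = aws_vpc.main.id
}
resource "aws_security_group" "db" {
  name   = "rds-from-lambda" # assumed; attach this SG to the RDS instance
  vpc_id = aws_vpc.main.id
}
resource "aws_vpc_security_group_egress_rule" "lambda_to_db" {
  security_group_id            = aws_security_group.lambda.id
  referenced_security_group_id = aws_security_group.db.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}
resource "aws_vpc_security_group_ingress_rule" "db_from_lambda" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.lambda.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

# Execution role with AWSLambdaVPCAccessExecutionRole (needed to create the ENIs)
resource "aws_iam_role" "lambda" {
  name = "lambda-rds-client-role" # assumed
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "lambda.amazonaws.com" } }]
  })
}
resource "aws_iam_role_policy_attachment" "vpc_access" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# The function is attached to the private subnet only, never the public one
resource "aws_lambda_function" "app" {
  function_name = "rds-client"   # assumed
  filename      = "function.zip" # assumed deployment package
  handler       = "handler.main" # assumed
  runtime       = "python3.12"
  role          = aws_iam_role.lambda.arn
  vpc_config {
    subnet_ids         = [aws_subnet.private.id]
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

With these rules the function can reach the database but nothing else, so if it also calls external APIs through the NAT gateway, an explicit egress rule for that traffic has to be added rather than falling back to "all traffic". Checking the route table associated with each subnet listed in `vpc_config.subnet_ids` (it should carry the NAT Gateway route, not the Internet Gateway route) is the quickest way to confirm the Lambda is really on a private subnet.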