Access RDS from VPC Lambda

Question

Is it possible to access a publicly available RDS instance from a Lambda expression in the same VPC, without using a NAT? Could you please point me in the right direction to confugure this? Thanks.

RDS and Lambda have the same VPC, the same Subnets, the same Security group. The security group has 2 inbound rules:

All Type - All Protocol - All Port Range - Source ALB security group
All Type - All Protocol - All Port Range - Source security group itself

Is that correct?

Could you open VPC, then `Edit DNS hostnames` => enable `DNS hostnames ` — TonyVo, Nov 27 '19 at 09:11
I have just test. RDS and Lambda same VPC (Private) => its able to connect to RDS endpoint. Please check SG of RDS — TonyVo, Nov 27 '19 at 09:43
Thanks for your time @TuanVA, I've edited my question, I'm surely doing something wrong with security group, may you help me? — Jumpa, Nov 27 '19 at 09:52

score 1 · Answer 1 · answered Nov 28 '19 at 04:09

The recommended configuration is:

Create a Security Group for the AWS Lambda function (Lambda-SG). It does not require any inbound rules.
Create a Security Group for the Amazon RDS db instance (DB-SG). It should allow an Inbound connection on the appropriate port (3306?) from Lambda-SG.

That is, DB-SG should specifically reference Lambda-SG as the source of the inbound connection.

score 0 · Accepted Answer · answered Nov 27 '19 at 10:17

Turns out that the Lambda was timing out RDS connection, due to callback deadlock like explained here: https://stackoverflow.com/a/42619071/2373113 Other thing to notice is that traffic inside the same security group must be explicitly enabled in rules.

Access RDS from VPC Lambda

2 Answers2