SangminKim

Reputation: 9136

What is the meaning of inbound source of default RDS security group?

When I create an RDS, it seems to have an inbound source by default.

For example, like port: 5432, IP: 221.142.31.25/32.

As I understand it, it means that the security group allows requests from the IP range (221.142.31.25/32) to access the port (5432).

Somehow it seems to allow my local to access the RDS as well, without any additional inbound source representing my local.

In contrast to my local, when I try to access the RDS from Lambda, I have had to add the inbound source 0.0.0.0/0; otherwise, the Lambda has returned a timeout error.

My question is...

  1. What does the IP range (221.142.31.25/32) mean?
  2. How does it allow my local to access the RDS?
  3. Why does it deny Lambda but not my local?

Upvotes: 0

Views: 767

Answers (3)

Tim

Reputation: 159

RDS creates a default inbound source that allows only your IP address. port: 5432, IP: 221.142.31.25/32 is your public IP address (the IP address your requests appear to RDS as).

Upvotes: 0

John Rotenstein

Reputation: 269091

The better architecture would be:

  • Configure the AWS Lambda function to connect to the VPC
  • The Lambda function uses the DNS Name of the Amazon RDS instance, which will resolve to a local IP address within the VPC
  • Add the CIDR range of the VPC (e.g. 192.168.0.0/16 or whatever it is) to the Security Group associated with the Amazon RDS instance. This will permit access from any resource within the VPC.
  • It appears that you already have an inbound rule on the security group permitting access from your laptop, which seems to have an IP address of 221.142.31.25. Thus, the CIDR range would be 221.142.31.25/32.

The result will be that Lambda talks directly with RDS within the VPC, while your laptop comes in via the Internet.

Upvotes: 1

Zoobin

Reputation: 369

First Question: 221.142.31.25/32 is CIDR notation and it means only one IP, i.e. 221.142.31.25.

Remember that IPv4 is built of 4 × 8 bits, which gives you a total of 32 bits max. You can use the following formula: if you have x.x.x.y/N you will have 2 ^ (32 - N) IP addresses, starting from y and going to y + (2 ^ (32 - N) - 1).

i.e. for 221.142.31.25/32 we have 2 ^ (32 - 32) = 2 ^ 0 = 1, meaning one IP.

For 221.142.31.25/31 it will be 2 ^ (32 - 31) = 2 ^ 1 = 2, meaning (221.142.31.25 & 221.142.31.26).

For 221.142.31.25/30 it will be 2 ^ (32 - 30) = 2 ^ 2 = 4, meaning (221.142.31.25 & 221.142.31.26 & 221.142.31.27 & 221.142.31.27).

SG: 221.142.31.25/32 means that the RDS instance which is listening on port 5432 is white-listed to be accessible only from the one IP 221.142.31.25.

Second Question: Could you please describe more what you mean by local access? Do you have a private subnet in your VPC that you want to access the RDS from?

Third Question: Because it seems to me that your Lambda is on the Internet, and Lambdas, upon running, could have any arbitrary public IPs (of course within a registered Amazon company range). As far as I know Lambdas cannot have a fixed IP, but you can place them within fixed internal IP ranges by design. The only way to address this is to define a specific internal subnet in your VPC, say like 192.168.1.1/24 (which ranges from 192.168.1.1 to 192.168.1.256), then place your RDS on that VPC with SG (192.168.1.1/24) and assign your Lambda within the same VPC as well.

Upvotes: 2
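An added example, not code from any of the answers: it works the 2 ^ (32 - N) formula from the answer above and the VPC-CIDR rule from John Rotenstein's answer as a small security-group evaluator. The laptop address is the one from the question; the Lambda addresses (54.0.0.10, 192.168.1.10) are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Tuple

# One security-group inbound rule: TCP port plus the source CIDR it admits.
Rule = Tuple[int, str]

def _parse(cidr: str) -> Tuple[int, int]:
    """Return (network as int, mask as int) for an IPv4 CIDR such as 221.142.31.25/32."""
    addr, prefix = cidr.split("/")
    bits = int(prefix)
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF   # /0 yields mask 0, /32 yields all ones
    return int(ipaddress.IPv4Address(addr)) & mask, mask

def cidr_size(cidr: str) -> int:
    """Number of addresses in the block: 2 ** (32 - N)."""
    return 2 ** (32 - int(cidr.split("/")[1]))

def cidr_range(cidr: str) -> Tuple[str, str]:
    """First and last address of the block, aligned to the mask as AWS interprets it."""
    net, _ = _parse(cidr)
    last = net + cidr_size(cidr) - 1
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(last))

def cidr_contains(cidr: str, ip: str) -> bool:
    """True when the masked bits of ip equal the block's network bits."""
    net, mask = _parse(cidr)
    return (int(ipaddress.IPv4Address(ip)) & mask) == net

def allowed(rules: Iterable[Rule], src_ip: str, port: int) -> bool:
    """Security groups are allow-lists: traffic passes if any rule matches port and source."""
    return any(p == port and cidr_contains(c, src_ip) for p, c in rules)

# The laptop IP is from the question; the Lambda addresses are constructed placeholders.
LAPTOP_IP = "221.142.31.25"
LAMBDA_PUBLIC_IP = "54.0.0.10"      # constructed: an arbitrary public egress address
LAMBDA_VPC_IP = "192.168.1.10"      # constructed: private address once Lambda is in the VPC

DEFAULT_RULES: List[Rule] = [(5432, "221.142.31.25/32")]            # what RDS created
VPC_RULES: List[Rule] = DEFAULT_RULES + [(5432, "192.168.0.0/16")]  # VPC-attached Lambda
OPEN_RULES: List[Rule] = DEFAULT_RULES + [(5432, "0.0.0.0/0")]      # the workaround: every source

if __name__ == "__main__":
    for cidr in ("221.142.31.25/32", "221.142.31.25/30", "192.168.0.0/16"):
        print(cidr, cidr_size(cidr), cidr_range(cidr))
    print("laptop via default rule :", allowed(DEFAULT_RULES, LAPTOP_IP, 5432))
    print("lambda via default rule :", allowed(DEFAULT_RULES, LAMBDA_PUBLIC_IP, 5432))
    print("lambda inside the VPC   :", allowed(VPC_RULES, LAMBDA_VPC_IP, 5432))
    print("any host via 0.0.0.0/0  :", allowed(OPEN_RULES, LAMBDA_PUBLIC_IP, 5432))
```

The last line shows why the 0.0.0.0/0 workaround is a risk rather than a fix: it admits every source on the Internet to port 5432, not only the Lambda.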
