axecopfire

Reputation: 652

Create an AWS RDS instance without NAT Gateway using CDK

Is it possible to create a serverless RDS cluster via CDK without NAT Gateway? The NAT Gateway base charge is pretty expensive for a development environment. I'm also not interested in setting up a NAT instance. I'm attaching a Lambda in the VPC with the RDS instance like this.

    // VPC
    const vpc = new ec2.Vpc(this, 'MyVPC');

    // RDS
    const dbCluster = new rds.ServerlessCluster(this, 'MyAuroraCluster', {
      engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
      defaultDatabaseName: 'DbName',
      vpc,
    });

Upvotes: 5

Views: 1378

Answers (2)

kichik

Reputation: 34704

Yes, you can. You may have to add some VPC endpoints like Secrets Manager so password rotation can be done, but it is possible. You will need to create a VPC with subnets that have no NAT gateway too.

    // VPC
    const vpc = new ec2.Vpc(this, 'MyVPC', {
      natGateways: 0,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC,
        },
        {
          cidrMask: 28,
          name: 'rds',
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        }
      ]
    });
    // RDS
    const dbCluster = new rds.ServerlessCluster(this, 'MyAuroraCluster', {
      engine: rds.DatabaseClusterEngine.AURORA_MYSQL,
      defaultDatabaseName: 'DbName',
      vpcSubnets: {
        subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
      },
      vpc,
    });

If you want a Secrets Manager-controlled password, use:

    vpc.addInterfaceEndpoint('SecretsManagerEndpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
    });
    dbCluster.addRotationSingleUser();

EDIT NOTE: At some point, the CDK enums were updated from PRIVATE to PRIVATE_ISOLATED.

Upvotes: 7
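A post-synth check for the design in this answer, added here as an example rather than code from the thread: it parses the template that `cdk synth` writes and confirms there is no NAT gateway, that the DB subnet group sits only on subnets without a default route, and that a rotation schedule is paired with a Secrets Manager interface endpoint. The embedded template and its logical IDs are constructed for the sample.

```python
import json

def default_route_tables(res: dict) -> set:
    """Logical IDs of route tables that carry a 0.0.0.0/0 route (IGW- or NAT-backed)."""
    return {r["Properties"]["RouteTableId"]["Ref"] for r in res.values()
            if r["Type"] == "AWS::EC2::Route"
            and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"}

def subnet_route_table(res: dict) -> dict:
    """Map subnet logical ID -> route table logical ID via the association resources."""
    return {r["Properties"]["SubnetId"]["Ref"]: r["Properties"]["RouteTableId"]["Ref"]
            for r in res.values() if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"}

def check_no_nat_template(template: dict) -> list:
    """Return findings for a synthesized CloudFormation template; [] means the design holds."""
    res = template["Resources"]
    findings = []
    if any(r["Type"] == "AWS::EC2::NatGateway" for r in res.values()):
        findings.append("NAT gateway present: natGateways: 0 was not applied")
    egress_rts, rt_of = default_route_tables(res), subnet_route_table(res)
    for name, r in res.items():
        if r["Type"] == "AWS::RDS::DBSubnetGroup":
            for sub in r["Properties"]["SubnetIds"]:
                if rt_of.get(sub["Ref"]) in egress_rts:
                    findings.append(f"{name}: subnet {sub['Ref']} has a default route, not isolated")
    # CDK emits ServiceName as an Fn::Join over the region, so match on the serialized form.
    has_sm_endpoint = any(r["Type"] == "AWS::EC2::VPCEndpoint"
                          and ".secretsmanager" in json.dumps(r.get("Properties", {}).get("ServiceName"))
                          for r in res.values())
    if any(r["Type"] == "AWS::SecretsManager::RotationSchedule" for r in res.values()) and not has_sm_endpoint:
        findings.append("rotation configured but no Secrets Manager interface endpoint in the VPC")
    return findings

# Constructed sample in the shape of a synthesized template (logical IDs are made up): a public subnet
# with a default route to an IGW, an isolated subnet with none, the DB subnet group on the isolated one.
SAMPLE_TEMPLATE = {"Resources": {
    "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
    "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {"RouteTableId": {"Ref": "PublicRT"},
        "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "IGW"}}},
    "PublicAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRT"}}},
    "RdsRT": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
    "RdsAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "RdsSubnet"}, "RouteTableId": {"Ref": "RdsRT"}}},
    "DbSubnets": {"Type": "AWS::RDS::DBSubnetGroup", "Properties": {"SubnetIds": [{"Ref": "RdsSubnet"}]}},
    "SmEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {"VpcEndpointType": "Interface",
        "ServiceName": {"Fn::Join": ["", ["com.amazonaws.", {"Ref": "AWS::Region"}, ".secretsmanager"]]}}},
    "Rotation": {"Type": "AWS::SecretsManager::RotationSchedule", "Properties": {"SecretId": {"Ref": "Secret"}}},
}}
```

Point it at your own stack with `check_no_nat_template(json.load(open("cdk.out/<YourStack>.template.json")))`; a non-empty list is a misconfiguration worth failing the pipeline on.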

moltar

Reputation: 1781

Serverless clusters cannot be placed into a public subnet.

This is a hard and documented limitation of RDS Serverless.

Upvotes: 0
