Reputation: 2274
Lambda function times out trying to connect to RDS if in VPC, but doesn't if outside VPC
I have a single AWS lambda function that connects to a single AWS RDS Postgres db and simply returns a json list of all records in the db.
If I don't assign a VPC to the lambda function, it is able to access the AWS RDS db. However, if I assign a VPC to the lambda function it can no longer access the db.
The VPC is the same for both the lambda function and the RDS db. I've also opened all traffic on port 0.0.0.0/0 for inbound and outbound connections temporarily to find the issue, but I am still unable to connect.
I believe it might be a role permission related to VPC for the lambda function, but I've already assigned the policy AmazonVPCFullAccess to the lambda role.
Upvotes: 1
Views: 312
Answers (1)
Reputation: 1902
The fact that the lambda can access the DB when not in a VPC is a bit troubling in the sense that the DB is then probably public.
A common mistake that often happens is that lambda is deployed to a public subnet. Lambda's only get assigned private IP addresses in a VPC. When deployed to a public subnets, it's only route to the internet is the internet gateway. That doesn't really work well if the lambda itself has a private ip address (the internet couldn't route traffic back to you :P).
One part of the solution is to make sure your lambda is deployed to a private subnet instead with a route to a NAT gateway if it needs access to public resources.
However, the better part of the solution is actually put the database in the private subnet WITHOUT a public IP adresss.
Because I've seen many mistakes with this with my customers, and because it can't be stressed enough: I'd strongly suggest you follow a three-tier networking model with your VPC's. This basically means:
- Don't use the default VPC. Create your own.
- Create 9 subnets:
- 3 public
- 3 private. Put your private lambda's here.
- 3 isolated. Put your database here.
There are lot's of articles / templates available that do this for you. A quick google search gives me
- https://github.com/aws-samples/vpc-multi-tier
- https://www.wellarchitectedlabs.com/reliability/100_labs/100_deploy_cloudformation/1_deploy_vpc/
Upvotes: 1
Related Questions
- Lambda in VPC access RDS
- Why does my Lambda function timeout connecting to SES VPC Endpoint?
- Accessing RDS from Lambda
- Troubleshooting Lambda to RDS connection with VPC peering
- Unable to connect to Public RDS in VPC via Lambda
- How to properly connect AWS Lambda to RDS in VPC?
- Access RDS from VPC Lambda
- AWS Lambda access to RDS outside VPC
- 'no vpc' AWS Lambda accessing RDS in VPC
- AWS Lambda - Unable to connect to SQL Server RDS in VPC