4

I am trying to access a Redshift database from a Lambda function. When I add 0.0.0.0/0 to the security group connections in the Redshift interface (as suggested by this article), I am able to connect successfully. From a security perspective, however, I don't feel comfortable using 0.0.0.0/0.

Is there a way to only allow Lambda to access Redshift without opening it up to the public internet?

I have tried adding the AWS IP ranges, however, this didn't work (as it only allows a limited number of security group connections).

p_mcp

2 Answers

6

Enable VPC access for your Lambda function, and open the Redshift Security Group to the SG assigned to the Lambda function, just like you would open it to an EC2 server.

Mark B
  • I've tried to the best of my ability to do all of what you said. I created a VPC + subnet, created a security group (with ALL TRAFFIC for inbound/outbound), set up the Lambda function with the VPC information, then created a VPC endpoint so that I could access S3 again, which worked. But I still can't access Redshift; the connection times out. Could you elaborate on what you mean by "open the Redshift Security Group to the SG assigned to the Lambda function" please? I've not had any exposure to "opening it to an EC2 server". Thanks! – p_mcp Apr 28 '16 at 10:46
  • Is your Redshift server in the same VPC as the Lambda function? – Mark B Apr 28 '16 at 10:50
  • Hmm, I'm going to say no, as the Redshift database came first and I've just created the VPC... is there a way to "move" (?) it to the same VPC? – p_mcp Apr 28 '16 at 10:55
  • How old is your AWS account? If it was created in the last few years then everything in your account is using VPC already so you didn't need to create a new VPC. You need to first make sure that the Lambda function is in the same VPC as the Redshift cluster. Then you need to go into the VPC settings and add an inbound rule for the security group assigned to the Redshift cluster. – Mark B Apr 28 '16 at 11:04
  • Afaik the Redshift cluster is outside the VPC. We just tried to launch a new Redshift cluster and the option for "Choose a VPC" is greyed out and we cannot select any; not quite sure what's going on or where to go from here. – p_mcp Apr 28 '16 at 11:21
  • Go into the security section of the Redshift console and create some cluster subnets in the VPC. Then you should be able to launch Redshift in the VPC. – Mark B Apr 28 '16 at 12:49
  • I have the same issue but the solution doesn't work for me. Lambda and the Redshift cluster are in the same VPC. Lambda's security group is added into the Redshift security group's inbound rule. Opening the Redshift security group to public (0.0.0.0/0) makes it work. I have tried both private (NAT) and public subnets, even the same subnets used by Redshift, for my Lambda function. – n.nasa Mar 08 '17 at 23:53
  • This didn't work for me. Refer http://stackoverflow.com/a/42684795/2410062 for someone stuck in similar situation as I was. – n.nasa Mar 09 '17 at 01:06
  • I had done everything recommended and it was increasing my lambda timeout that finally did it. The quick timeout made it look like it wasn't able to access the resource on previous tries but this time the function I was calling just needed more time than the 3 second default. – Mike Biglan MS Feb 01 '18 at 03:18
  • The role attached to the Lambda function should have AWSLambdaVPCAccessExecutionRole policy, maybe this http://www.kodyaz.com/aws/connect-amazon-redshift-database-with-aws-lambda-function-using-csharp-code.aspx can help, please check the last sections of the document. – Eralper Apr 24 '20 at 11:42
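The wiring this answer describes, written out as an added CloudFormation template (example code, not from the answer, the commenters or AWS): a security group for the Lambda function's ENIs, a Redshift security group whose only inbound rule is port 5439 from that Lambda group rather than a CIDR, a cluster subnet group so the cluster can be launched inside the VPC, an execution role carrying AWSLambdaVPCAccessExecutionRole, and a function timeout above the 3-second default. The stack, resource and parameter names, the `python3.12` runtime, the secret name, and the deployment bucket and key are placeholders assumed for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda reaching Redshift over private VPC networking (added example; names are placeholders)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets in the same VPC; both the cluster and the function live here

Resources:
  # Attached to the function's ENIs. Lambda only initiates connections,
  # so this group needs no inbound rules at all.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda functions that query Redshift
      VpcId: !Ref VpcId

  # Attached to the cluster. Deliberately empty here; the single ingress
  # rule below is the replacement for the 0.0.0.0/0 rule in the question.
  RedshiftSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Redshift reachable only from LambdaSecurityGroup
      VpcId: !Ref VpcId

  # Source is a security group, not a CIDR: every ENI Lambda creates in
  # LambdaSecurityGroup is covered automatically, and nothing else is.
  RedshiftIngressFromLambda:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RedshiftSecurityGroup
      IpProtocol: tcp
      FromPort: 5439
      ToPort: 5439
      SourceSecurityGroupId: !Ref LambdaSecurityGroup
      Description: Redshift port from the Lambda security group only

  # Without a cluster subnet group the "Choose a VPC" option stays
  # unavailable, which is the situation described in the comments.
  RedshiftSubnetGroup:
    Type: AWS::Redshift::ClusterSubnetGroup
    Properties:
      Description: Private subnets for the cluster
      SubnetIds: !Ref PrivateSubnetIds

  RedshiftCluster:
    Type: AWS::Redshift::Cluster
    Properties:
      ClusterType: single-node
      NodeType: dc2.large
      DBName: analytics
      MasterUsername: admin
      # Placeholder secret name; keeps the password out of the template.
      MasterUserPassword: '{{resolve:secretsmanager:redshift/master:SecretString:password}}'
      ClusterSubnetGroupName: !Ref RedshiftSubnetGroup
      VpcSecurityGroupIds:
        - !Ref RedshiftSecurityGroup
      PubliclyAccessible: false   # no public endpoint; the function reaches it inside the VPC

  # The managed policy grants the ENI create/describe/delete permissions
  # the function needs in order to be placed in the VPC.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  QueryFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12          # assumed runtime
      Handler: handler.main        # assumed handler name
      Role: !GetAtt LambdaExecutionRole.Arn
      Timeout: 30                  # the 3 s default can look like a network timeout
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds: !Ref PrivateSubnetIds
      Environment:
        Variables:
          REDSHIFT_HOST: !GetAtt RedshiftCluster.Endpoint.Address
          REDSHIFT_PORT: !GetAtt RedshiftCluster.Endpoint.Port
      Code:
        S3Bucket: my-deploy-bucket   # placeholder
        S3Key: query-function.zip    # placeholder
```

Two checks worth running after deploying: `aws ec2 describe-security-groups --group-ids <RedshiftSecurityGroup>` should show exactly one inbound permission, with `UserIdGroupPairs` populated and no `IpRanges`; and because the function now sits in private subnets with no NAT in this template, any call to S3 or other AWS APIs from it needs a VPC endpoint, as the asker found.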
2

I was having the same problem and the answer wasn't helping. It would work when I added 0.0.0.0/0 to my security group, but that is not something I could work with long term.

I ended up creating a new VPC with a public (10.0.1.0) and private (10.0.2.0) subnet and a NAT on the public subnet. I ran the lambda function on the private subnet but was still not able to access the redshift db. I moved the Redshift db to the public (10.0.1.0) subnet. I put Redshift on that subnet because the load script runs externally, and there is a security group that lets through my two work/home IPs on port 5439 and also lets in the private 10.0.2.0/24 subnet where the lambda script is running.

That said, it still wasn't working, and it took a while to figure out that I couldn't use the full DNS name to access Redshift. Even with a working NAT in place it still wasn't connecting to Redshift. I tested this with two EC2 instances and a simple script to connect and run a query. This was faster than working in Lambda just to solve the connectivity. This link on managing clusters and this one on cluster node IP solved the issue for me.

Solution: Go to the cluster and click on it. Down in the lower right corner of all the config information are the SSH ingestion settings and the private IP. I used that IP instead of the URL and it solved all my connectivity issues. Seems basic now, but I spent a lot of time searching and could not find the answer I was looking for.

Good Luck, Wood