My setup is:

S3 (website) -> API Gateway -> Lambda -> RDS 
                                      -> S3 (configuration)
                                      -> Shopify
                                      -> Transactional Mail

I have an Internet Gateway set up to allow access to my S3 configurations and I need to hook up a NAT to allow me to make my calls out to 3rd parties. I've attempted to only use the NAT (per this question) by changing my Routing Table entry for 0.0.0.0/0 -> {my NAT}, but that just results in not being able to access my S3 configuration bucket.

Any help would be greatly appreciated!

Edit: To be clear I've read the documentation, what I'm having issues understanding is the relationships between the Security Group my Lambdas and RDS share, and the Subnets they're associated with.

When I configure my lambda to be part of the security group my RDS instance is in, I need to associate it with at least 2 subnets... Should those be new subnets, and not the ones associated with my RDS instances? AKA does a lambda need to share a subnet with an RDS in order to access it?

  • FWIW: It turns out that following the given examples just plain doesn't work. I don't know if it's the region I'm in, but had some folks far better versed in VPC's take a look at this and they also couldn't get it to work properly. – Mark Cooper Nov 06 '17 at 20:35

1 Answer

If the Lambda function only needs to access VPC resources and S3, then the easiest way to configure this is to add an S3 Endpoint to your VPC. If your Lambda function needs to access VPC resources plus other resources besides S3 and DynamoDB (the only 2 services that currently support VPC endpoints) then your Lambda function has to be in a private subnet with a NAT Gateway.

Instances in a public subnet have the option of having a public IP address, but it isn't a requirement. Lambda functions in a VPC do not ever get public IP addresses, which is why Lambda functions inside a VPC have to be in a private subnet with a NAT gateway in order to have Internet access.

The only time Lambda functions get a public IP is when they are not in a VPC at all. In that instance they can access anything except resources in your VPC.
A note about your "same security group" comment: Being in the same security group does not allow resources to access each other. The Lambda function needs to be in a security group that the RDS security group has granted access to. Regarding subnets, the Lambda simply needs to be in any subnet in the same VPC, it does not need to be in the same subnet as the RDS instance.
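As an added example (not part of the original answer), here is a small Python model of the three rules stated above, applied to the asker's setup: a Lambda ENI never gets a public IP, so an IGW default route gives it nothing; Internet needs a NAT route; S3 needs either that NAT route or a gateway endpoint; and RDS needs the same VPC (any subnet) plus an RDS security group that references the Lambda's security group. All resource names and ids are made up.

```python
# Added example: a model of the reachability rules from the answer, applied to
# the asker's setup. Every name/id below is constructed, not a real AWS resource.
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    vpc: str
    routes: dict                 # destination CIDR -> target, e.g. {"0.0.0.0/0": "nat-..."}
    s3_endpoint: bool = False    # S3 gateway endpoint attached to this subnet's route table


@dataclass
class SecurityGroup:
    name: str
    ingress_from_sg: set = field(default_factory=set)  # SG ids allowed inbound


def lambda_reachability(subnet, lambda_sg, rds_sg, rds_vpc):
    """What a VPC-attached Lambda in `subnet` with `lambda_sg` can reach."""
    default_route = subnet.routes.get("0.0.0.0/0", "")
    # A Lambda ENI has no public IP, so only a NAT default route gives Internet;
    # an igw- default route ("public subnet") does nothing for it.
    internet = default_route.startswith("nat-")
    # S3 is reachable over the Internet (via NAT) or through a gateway endpoint.
    s3 = internet or subnet.s3_endpoint
    # RDS: any subnet in the same VPC, but the RDS SG must reference the Lambda SG.
    # Merely sharing the RDS SG grants nothing unless that SG references itself.
    rds = subnet.vpc == rds_vpc and lambda_sg.name in rds_sg.ingress_from_sg
    return {"internet": internet, "s3": s3, "rds": rds}


RDS_VPC = "vpc-example"
rds_sg = SecurityGroup("sg-rds", ingress_from_sg={"sg-lambda"})
lambda_sg = SecurityGroup("sg-lambda")
shared_sg = SecurityGroup("sg-shared")   # RDS's own SG, no self-referencing rule

public_subnet = Subnet("public-a", RDS_VPC, {"0.0.0.0/0": "igw-example"})
nat_subnet = Subnet("private-a", RDS_VPC, {"0.0.0.0/0": "nat-example"})
endpoint_subnet = Subnet("private-b", RDS_VPC, {}, s3_endpoint=True)


def asker_scenarios():
    """The configurations discussed in the question, evaluated by the rules above."""
    return {
        "igw_subnet": lambda_reachability(public_subnet, lambda_sg, rds_sg, RDS_VPC),
        "nat_subnet": lambda_reachability(nat_subnet, lambda_sg, rds_sg, RDS_VPC),
        "s3_endpoint_only": lambda_reachability(endpoint_subnet, lambda_sg, rds_sg, RDS_VPC),
        "same_sg_as_rds": lambda_reachability(nat_subnet, shared_sg, shared_sg, RDS_VPC),
    }
```

Only the NAT subnet reaches Shopify and the mail provider; the endpoint-only subnet covers the S3 configuration bucket but nothing outside AWS, and putting the Lambda in the RDS security group itself still yields no RDS access.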
