
I have an Aurora MySql cluster that was made public so I could connect to it from my local workstation. I created an aspnetcore project that can connect to the database, query and return the results to me if I run the lambda locally in VS Code.

When I deploy the Lambda into AWS (uploading a published .zip) the lambda executes APIs (via API Gateway) that don't interact with the database just fine. As soon as I hit an API that attempts to connect to Aurora, it times out and fails.

The Lambda and RDS are in the same VPC, and within the same subnets. I've tried with the RDS being both public and private, neither work. My Lambda has an IAM role assigned to it that grants it full RDS access and Full VPC Access. What additional would a lambda need in order to hit Aurora?

I've also tried running the Lambda within the same VPC/Subnets, and without any VPC. When I run it without a VPC attached, I get back the entire stacktrace in Cloudwatch saying it timed out trying to connect. When I run the Lambda within the VPC/Subnets, I don't get any of the log messages from the Lambda written to CloudWatch.

Edit to show Security Group setup

Aurora MySql RDS: [screenshot not preserved]

Lambda: [screenshot not preserved]

Security Group: [screenshot not preserved]

Johnathon Sullinger
  • Can you share screenshots that confirm that your Lambda actually applied the same security group? Also, you don't need to associate RDSFullAccess to your execution role, that IAM just gives you permissions to do management APIs on RDS (like create a cluster, delete a cluster etc). It does not have anything to do with actually accessing the database endpoint. – The-Big-K Oct 31 '18 at 23:57
  • Hi Johnathan, have you ever resolved this issue? I am currently facing the same problem. The SecurityGroups are facing each other, the Lambda execution role has the rights to create ENIs, but I am still always getting a connection timeout. Looking forward to hearing from you. – Demli95 Sep 10 '21 at 11:06

2 Answers


Inside a VPC, the RDS instance's security group needs to have a rule allowing inbound access to TCP port 3306 for the security group associated with the Lambda function, or for all of the subnets the Lambda function is associated with.

Outside a VPC, the RDS instance needs to allow access from 0.0.0.0/0... or, at least, all the public IPs associated with all of EC2 for the entire region (which is several million addresses) because Lambda functions outside a VPC get their IP addresses dynamically from the regional EC2 pool -- so that is best avoided.

Michael - sqlbot
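To make the rule described in this answer concrete, here is an added example (not from the answer's author) that checks an Aurora security group's ingress rules, in the shape the EC2 DescribeSecurityGroups API returns them, for a TCP 3306 path from the Lambda's security group or from CIDRs covering every Lambda subnet. The group id `sg-lambda`, the subnet CIDRs and the rule list are constructed sample data; it also flags the 0.0.0.0/0 case the answer advises against.

```python
import ipaddress

# Constructed sample data, not taken from any real account.
LAMBDA_SG = "sg-lambda"                     # assumed id of the Lambda's security group
LAMBDA_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]  # assumed subnets the Lambda is attached to

# Ingress rules on the Aurora/RDS security group, as DescribeSecurityGroups would list them.
RDS_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-lambda"}], "IpRanges": []},
]


def _port_matches(rule, port):
    # IpProtocol "-1" means all traffic and carries no port range.
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def allows_lambda(ingress, lambda_sg, lambda_subnets, port=3306):
    """Return (allowed, reason): does the RDS security group admit the Lambda on `port`?

    A match is either a rule referencing the Lambda's security group, or a CIDR rule
    that covers every subnet the Lambda can get an ENI address from.
    """
    subnets = [ipaddress.ip_network(c) for c in lambda_subnets]
    for rule in ingress:
        if not _port_matches(rule, port):
            continue
        if any(p.get("GroupId") == lambda_sg for p in rule.get("UserIdGroupPairs", [])):
            return True, f"sg-reference {lambda_sg}"
        for r in rule.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if all(s.subnet_of(net) for s in subnets):
                # Reachable, but a /0 is far wider than the Lambda's subnets need.
                if net.prefixlen == 0:
                    return True, "cidr 0.0.0.0/0 (overly broad; prefer an SG reference)"
                return True, f"cidr {r['CidrIp']}"
    return False, f"no tcp/{port} rule from {lambda_sg} or {lambda_subnets}"


if __name__ == "__main__":
    print(allows_lambda(RDS_SG_INGRESS, LAMBDA_SG, LAMBDA_SUBNETS))
```

A rule that covers only one of the Lambda's subnets is reported as not allowed, since the function's ENI may land in any of them.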

Do you have enough free/available IPs in your VPC for your lambda?

I posted one answer for a possible reason for this situation, as you mentioned there are no logs when the Lambda is in a VPC.

Please see my answer here on another StackOverflow question.

raevilman
  • Yeah I have enough IPs, I’ve only got 2 EC2s and a single RDS. – Johnathon Sullinger May 14 '18 at 15:53
  • I created a new EC2 running Linux and was able to establish a connection to the RDS. The EC2 is in the same VPC and has an IAM role with RDS Full Access, just like the Lambda does. I can connect and query the DB from the EC2, but the Lambda continues to timeout on connection. – Johnathon Sullinger May 14 '18 at 19:06