4

I have a Lambda function which can be triggered from an API gateway or ALB request. I also have an RDS Aurora PostgreSQL instance, both of which are running within a VPC.

I'm able to connect to the RDS instance from the Lambda just fine, however I can't access the internet, e.g. attempting to fire off a request to https://jsonplaceholder.typicode.com/todos/1 will cause a timeout.

I also can't connect to the remote database using a SQL client such as DBeaver.

Here's some detail below but let me know if you need anything else. I'm stumped.

Lambda Inbound Rules

Security group ID       Ports   Source
sg-0f2c4426c8fc85235    80      0.0.0.0/0
sg-0f2c4426c8fc85235    5432    0.0.0.0/0
sg-0f2c4426c8fc85235    All     sg-0f2c4426c8fc85235
sg-0f2c4426c8fc85235    22      0.0.0.0/0
sg-0f2c4426c8fc85235    443     0.0.0.0/0

Lambda Outbound Rules

Security group ID       Ports   Destination
sg-0f2c4426c8fc85235    All     0.0.0.0/0

RDS Connectivity: [image: rds]

VPC: [image: vpc]

Public Subnet: [image: pubsub]

Private Subnet: [image: prisub]

EDITS

NAT Gateway (associated with public subnet): [image: nat]

Route Tables: [image: rtables]

Route Table Routes: [images: rtablerouteA, rtablerouteB, rtablerouteC]

EDIT 2

Lambda Subnets: [image: lamsub]

Craig
  • 337
  • 2
  • 10
  • can you also share the route table ? – Rafaf Tahsin Aug 22 '19 at 11:50
  • I hope you made a common mistake here, you should create NAT Gateway in public subnet and update the private subnet's route table. Often people create NAT Gateway in private subnet, which is actually a dead lock. - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html – Rafaf Tahsin Aug 22 '19 at 11:52
  • @RafafTahsin - Sorry, my mistake, the NAT is in the public subnet. I've edited the original post to add images for NAT and route tables. – Craig Aug 22 '19 at 12:24
  • Which subnet is the Lambda function attached to? – John Rotenstein Aug 22 '19 at 12:37
  • @JohnRotenstein It's in both the private and public subnets. I've edited the original post to show this (at the bottom) – Craig Aug 22 '19 at 12:45
  • 3
    @Craig The route table (rtb-0d15b06e1cff79515) associated with the private subnet doesn't have a route to the NAT gateway. Also, the Lambda function should be in only the private subnet(s) if you want it to use the NAT gateway. Check out this link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html – Abdullah Khawer Aug 22 '19 at 12:55

2 Answers

8

The Lambda function should only be connected to a private subnet.

This enables Internet-bound traffic to be routed to the NAT Gateway in the public subnet.

If the Lambda function connects to the public subnet, it will be unable to reach the Internet.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • Ah thanks John. I've removed the public subnet, as seen here: ![lam](https://i.imgur.com/TkrYY3B.png) Unfortunately I'm still receiving a timeout. Does it usually take a bit of time to propagate? – Craig Aug 22 '19 at 12:58
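An offline check of the point this answer (and the comment about the missing NAT route) makes, added here as an example rather than taken from the answer or from AWS: it classifies each subnet the Lambda is attached to by the default route in its route table, using the same shape of data that EC2 DescribeRouteTables returns, and reports which subnets would leave outbound calls timing out. The route tables and all IDs are constructed placeholders.

```python
# Constructed data mimicking EC2 DescribeRouteTables output; IDs are placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-private-nat", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]


def route_table_for(subnet_id, route_tables):
    """Explicitly associated table, else the VPC's main table (the AWS default)."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id, route_tables):
    """'public' (0/0 -> IGW), 'private-nat' (0/0 -> NAT GW) or 'isolated' (no 0/0)."""
    rt = route_table_for(subnet_id, route_tables)
    for r in (rt["Routes"] if rt else []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("GatewayId", "").startswith("igw-"):
            return "public"
        if r.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"
    return "isolated"


def diagnose_lambda_egress(lambda_subnet_ids, route_tables):
    """One finding per subnet that would make the Lambda's outbound calls time out."""
    findings = []
    for sid in lambda_subnet_ids:
        kind = classify_subnet(sid, route_tables)
        if kind == "public":
            # Lambda ENIs never get a public IP, so an IGW default route cannot carry their traffic.
            findings.append(f"{sid}: public subnet (IGW route); detach it from the Lambda")
        elif kind == "isolated":
            findings.append(f"{sid}: no 0.0.0.0/0 route; add a route to the NAT Gateway")
    return findings


if __name__ == "__main__":
    # The layout from the question: one public subnet plus a private subnet with no NAT route
    for line in diagnose_lambda_egress(["subnet-pub-a", "subnet-priv-c"], ROUTE_TABLES):
        print(line)
```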
2

A mixture of two things, I think. 1. As was pointed out, the Lambda should only be connected to private subnets.

I think I'd also mixed up the availability zones between the public and private subnets?

Anyway, the Lambda is now successfully connecting to RDS, hitting external APIs and I can also connect through DBeaver.

Thanks a lot.

Craig
  • 337
  • 2
  • 10