
I have an RDS in one AWS Account - say Acct-1. The RDS is public (I know it's not a good idea and there are other solutions for that).

I have a lambda in another AWS Account - say Acct-2 which runs in a VPC.

I have setup VPC peering between the 2 accounts, the route table entries are in place as well as the security groups IN/OUT bound policies in place.

In Acct-2 I can verify that I can connect to the RDS instance in Acct-1 using a mysql client from an EC2 instance. The EC2 instance is in the same subnet as the Lambda and they both have the same security group. But the Lambda gets a connection timeout. The Lambda has the typical Lambda execution role that allows logs and network interfaces.

Thoughts on what could be missing? Does the RDS need to grant specific access to the Lambda service even if it's running in a VPC?

Clarification: There is no route to the RDS instance from the internet. Clearly, the EC2 host is able to resolve the private IP for the RDS instance from the DNS name and connect. Lambda is unable to resolve the private IP for the RDS instance. I'm trying to keep the traffic within AWS so as to not pay egress costs.

  • Just a quick search, can you please go through this documentation - https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/ – Jijo Alexander Mar 17 '22 at 19:19
  • @JijoAlexander - I went through that document. I have all the settings exactly as described. Except, AWS automatically changes 'Custom TCP' to 'MYSQL/Aurora' when it sees that the traffic is for 3306. An EC2 host in the same subnet and with same security group as the Lambda can access the DB. Some further clarifications on my setup in the original post. – Vasuvius Mar 17 '22 at 19:40
  • "Clarification: There is no route to the RDS instance from the internet." So your first paragraph stating the RDS is public is incorrect? – Mark B Mar 17 '22 at 19:41
  • The EC2 instance that works, does it have a public IP address? Also, from the EC2 instance, do a `ping` or `nslookup` or something to verify that the EC2 instance is resolving the RDS hostname to a **private IP** not a public IP. – Mark B Mar 17 '22 at 19:43
  • RDS has a public IP, but the security group for the RDS does not allow inbound from the internet (at the moment) - it only allows access from our VPN and from the security group for the EC2 host and the Lambda. EC2 instance resolved RDS dns name to RDS public IP. EC2 does have a public IP. – Vasuvius Mar 17 '22 at 20:03
  • The answer lies in one little tick box. I had forgotten to turn on DNS resolution in accepter VPC. The lambda could not resolve the Private IP of the DB. Strangely, the ec2 host could resolve IP for the DB given internet access but somehow routed the traffic through private ip. Not sure how that worked. – Vasuvius Mar 18 '22 at 13:36
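The thread above ends with the asker finding that DNS resolution had not been enabled on the accepter side of the peering connection, so the Lambda resolved the RDS endpoint to its public IP instead of a private one. The script below is an added example, not code from the original post or from AWS: it checks the two things a defender would verify first, whether the endpoint resolves to an RFC 1918 address from the Lambda's VPC, and whether the peering connection's `AllowDnsResolutionFromRemoteVpc` options are on. The peering record, hostnames, IPs and IDs are constructed placeholders; the `ec2_client` passed to `enable_accepter_dns_resolution` is assumed to be a boto3 EC2 client created with the accepter account's credentials (boto3 itself is not imported here so the check runs offline).

```python
"""Diagnose a VPC-attached Lambda that times out against an RDS instance
reached over VPC peering: (1) does the RDS endpoint resolve to a private
(RFC 1918) address, and (2) does the peering connection allow DNS
resolution from the remote VPC?  Constructed example with placeholder
hostnames, IPs and peering IDs; none come from a real account."""
import ipaddress
import socket

# Address space a peered VPC normally uses. A resolved address outside these
# ranges means the RDS name resolved to its public IP, and that traffic is
# not routed over the peering connection (hence the timeout).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True if `ip` falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def resolve_tcp(hostname: str, port: int = 3306, resolver=socket.getaddrinfo) -> list:
    """Unique addresses `hostname` resolves to for a TCP connection on `port`.
    `resolver` is injectable so the check can run against canned answers offline."""
    infos = resolver(hostname, port, 0, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_endpoint_resolution(hostname: str, port: int = 3306,
                              resolver=socket.getaddrinfo) -> dict:
    """Report what the endpoint resolves to and whether every answer is private.
    Run this from inside the Lambda's VPC to reproduce what the Lambda sees."""
    addresses = resolve_tcp(hostname, port, resolver)
    return {
        "addresses": addresses,
        "private_only": bool(addresses) and all(is_rfc1918(a) for a in addresses),
    }


def missing_dns_options(peering: dict) -> list:
    """Given one element of describe_vpc_peering_connections()['VpcPeeringConnections'],
    list the DNS-resolution options that are still off. For the VPC that owns
    the RDS to answer with a private IP when queried from the peer VPC, that
    VPC's owner must enable AllowDnsResolutionFromRemoteVpc on its own side."""
    missing = []
    for side in ("AccepterVpcInfo", "RequesterVpcInfo"):
        opts = peering.get(side, {}).get("PeeringOptions", {})
        if not opts.get("AllowDnsResolutionFromRemoteVpc", False):
            missing.append(f"{side}.PeeringOptions.AllowDnsResolutionFromRemoteVpc")
    return missing


def enable_accepter_dns_resolution(ec2_client, peering_id: str) -> dict:
    """Turn on the accepter-side option. Must be called with credentials for the
    accepter account; `ec2_client` is assumed to be a boto3 EC2 client."""
    return ec2_client.modify_vpc_peering_connection_options(
        VpcPeeringConnectionId=peering_id,
        AccepterPeeringConnectionOptions={"AllowDnsResolutionFromRemoteVpc": True},
    )


# --- constructed sample data (shape follows the EC2 API response) -------------
SAMPLE_PEERING = {
    "VpcPeeringConnectionId": "pcx-EXAMPLE",
    "AccepterVpcInfo": {            # the VPC holding the RDS instance
        "OwnerId": "111111111111",
        "VpcId": "vpc-acct1-EXAMPLE",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False},
    },
    "RequesterVpcInfo": {           # the VPC holding the Lambda
        "OwnerId": "222222222222",
        "VpcId": "vpc-acct2-EXAMPLE",
        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True},
    },
}


def canned_resolver(public: bool):
    """getaddrinfo-compatible stub returning a constructed public or private IP."""
    ip = "203.0.113.10" if public else "10.1.2.3"

    def _resolve(host, port, family=0, type=0, proto=0, flags=0):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]
    return _resolve


if __name__ == "__main__":
    # Offline walk-through: the symptom from the thread, then the missing option.
    print(check_endpoint_resolution("db.example", resolver=canned_resolver(public=True)))
    print("options still off:", missing_dns_options(SAMPLE_PEERING))
```

The accepter-side flag has to be set by the account that owns the accepter VPC (here the RDS account), which is why a correctly configured requester side, routes and security groups can all look fine while the Lambda still gets a public address back. An EC2 host with a public IP can mask the problem because its traffic to that public address still leaves via the internet gateway; the Lambda, with no public IP, has no such path.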
