
I want to establish connectivity to an RDS instance from some Lambda functions. The Lambda functions are auto-deployed with the Serverless Framework, so ideally my config would be dynamic. I am currently managing infrastructure with CDK, and have the following resources:

 1. RDS on Private Isolated subnet in VPC A, managed by CDK
 2. EC2 instance on public subnet in VPC A, managed by CDK (For access to the RDS from the wider internet)
 3. (Backend) 4 Lambdas without a VPC, behind an API Gateway in default VPC, managed by serverless deploy
 4. Frontend hosted on S3 behind Cloudfront, managed by serverless deploy

I can deploy the lambdas to VPC A to either the private isolated or public subnets.

Additional constraints: Lambdas require outbound connectivity, but should be protected from inbound internet requests from public internet.

I'm a bit stumped because I don't want to update my CDK script whenever the lambdas change. Help is much appreciated.

1 Answer

Your lambda functions need to be in the same VPC as the database, specifically in a private subnet.

You would then adjust the security group rules to allow connectivity from the functions to the DB using something like myFunction.connections.allowToDefaultPort(myDatabaseInstance);

The VPC needs to have a NAT gateway for the lambda functions to be able to access the internet. To clarify - the functions cannot be in an isolated subnet, because isolated subnets don't have Internet connectivity. Placing the functions in a public subnet will not work either - refer to this for an explanation.

Relevant documentation: https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/

gshpychka
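One way to keep the Lambda side dynamic, as an added example that is not part of the question or the answer: the CDK stack creates the NAT-backed private subnets and a dedicated security group for the functions (granted the database's default port with db.connections.allowDefaultPortFrom(lambdaSg)), exports those IDs as CloudFormation outputs, and serverless.yml reads them with the ${cf:} variable, so functions can be added or changed without touching CDK. The stack name InfraStack and all output names are assumptions.

```yaml
# serverless.yml (constructed example). Assumes a CDK stack named InfraStack
# that exports these CloudFormation outputs (assumed names):
#   LambdaSecurityGroupId - security group created in CDK for the functions and
#                           allowed to the DB with db.connections.allowDefaultPortFrom(lambdaSg)
#   PrivateSubnetA/B      - PRIVATE_WITH_EGRESS subnets whose route table points at the NAT gateway
#   DbEndpointAddress/Port - the RDS endpoint
service: backend

provider:
  name: aws
  runtime: nodejs18.x
  # Every function inherits this VPC placement. ENIs in private subnets get no
  # public IP, so nothing on the internet can reach the functions directly;
  # API Gateway still invokes them through the Lambda service, not the VPC.
  vpc:
    securityGroupIds:
      - ${cf:InfraStack.LambdaSecurityGroupId}
    subnetIds:
      - ${cf:InfraStack.PrivateSubnetA}
      - ${cf:InfraStack.PrivateSubnetB}
  iam:
    role:
      managedPolicies:
        # Lets the Lambda service create and delete the ENIs it attaches to the subnets.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  environment:
    DB_HOST: ${cf:InfraStack.DbEndpointAddress}
    DB_PORT: ${cf:InfraStack.DbEndpointPort}

functions:
  # Adding a function here needs no change to the CDK stack: it lands in the same
  # private subnets with the same security group, which the DB already trusts.
  listItems:
    handler: src/items.list
    events:
      - httpApi:
          path: /items
          method: get
```

The security group, not the function, is what the database rule references, which is why new functions need no CDK change; the outbound path to the internet comes from the NAT gateway the private subnets route through.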