Creating a Secure VPC Peering Connection for AWS Lambda to Access RDS

https://repost.aws/knowledge-center/connect-lambda-to-an-rds-instance

AWS Lambda and Amazon RDS are robust AWS services that can work together to build scalable and serverless applications. However, to ensure security and isolation, setting up a Virtual Private Cloud (VPC) and establishing a VPC peering connection is often necessary. This allows Lambda functions, running within a VPC, to access resources like RDS securely.

In this tutorial, we'll guide you through setting up a VPC and establishing VPC peering to enable your Lambda function to connect to an RDS instance.

Prerequisites

Before we start, make sure you have the following prerequisites:

  1. AWS Account: You should have an AWS account with sufficient permissions to create VPCs, subnets, Lambda functions, and RDS instances.

Step 1: Create a VPC

  1. Log in to your AWS Management Console.

  2. Navigate to the VPC Dashboard and click on "Create VPC."

  3. Choose the "VPC and more" option so that the wizard also creates the supporting resources for you (NAT gateway, Internet gateway, route tables, etc.).

  4. Give your VPC a name.

  5. Fill in the details for your VPC. You can use the following as a starting point:

    • IPv4 CIDR Block: 10.0.0.0/16 (or choose a suitable CIDR block for your needs).

    • IPv6 CIDR Block: (Optional - leave it blank if you don't need IPv6).

  6. Select tenancy as default.

  7. Create at least one public and one private subnet within your VPC. Distributing them across different Availability Zones gives you fault tolerance; placing them in the same Availability Zone also works.

  8. Select one NAT gateway in 1 AZ. Note: if you do not select a NAT gateway, resources in your private subnets will not be able to reach the internet, because the NAT gateway performs the address translation for their outbound traffic.

  9. Select the VPC endpoint as none.

Step 2: Set Up Security Groups and Route Tables

  1. Create Security Groups for your Lambda function and RDS instance. Ensure that the Lambda function's security group allows outbound traffic to the RDS port (usually 5432 for PostgreSQL).

  2. Create appropriate Route Tables for your public and private subnets. Associate the public subnet route tables with a route to an Internet Gateway for public access.

Step 3: Create an RDS Instance

  1. Navigate to the RDS Dashboard.

  2. Click "Create Database" and follow the wizard to create an RDS instance of your choice (e.g., MySQL, PostgreSQL). Ensure that you select the VPC and subnets you created earlier.

  3. Make a note of the RDS endpoint and database credentials. You'll need them to configure your Lambda function later.

Step 4: Create an AWS Lambda Function

  1. Navigate to the AWS Lambda Dashboard.

  2. Click "Create function" and follow the wizard to create your Lambda function. Choose the VPC you created earlier in the "Network" section.

  3. Select a private subnet to host your Lambda function. Note: if you select a public subnet, your Lambda function will not be able to reach the internet (Lambda network interfaces have no public IP address, so outbound traffic must go through the NAT gateway in a private subnet).

  4. Select a security group that enables outbound rules for the RDS port.

  5. In the "Function code" section, write your Lambda function code. Ensure that it's set up to connect to the RDS instance using the RDS endpoint and credentials.

Step 5: Set Up VPC Peering

https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html

  1. Go to the VPC Dashboard.

  2. Under "Peering Connections," click "Create Peering Connection."

  3. Choose "Another AWS account," and provide the AWS account ID of the VPC you want to peer with (your own account).

  4. Accept the peering request in the other VPC.

  5. Update the route tables in both VPCs to allow traffic to flow between them. Add a route in each route table for the other VPC's CIDR block and associate it with the peering connection.

Step 6: Allow the Lambda Function in the RDS Security Group

  1. Navigate to the AWS RDS Dashboard.

  2. Select the RDS security group.

  3. Edit inbound rules.

  4. Add the Lambda VPC's Elastic IP address as a custom source and enter the DB port as the port range.
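The route-table update in Step 5 and the RDS security-group rule in Step 6 are the two places where this setup usually goes wrong. The following audit is an added example, not code from the article or from AWS: it runs over constructed data shaped like the output of boto3's describe_route_tables and describe_security_groups (all IDs and CIDRs are placeholders) and assumes the Lambda function reaches RDS over the peering connection, so the source the RDS security group sees is an address inside the Lambda VPC's CIDR.

```python
import ipaddress
# Constructed sample data shaped like boto3 describe_route_tables / describe_security_groups
# output; every ID and CIDR is a placeholder. The sample contains two deliberate mistakes:
# the RDS VPC lacks a return route, and the DB port is open to 0.0.0.0/0.
LAMBDA_VPC_CIDR, RDS_VPC_CIDR = "10.0.0.0/16", "10.1.0.0/16"
PEERING_ID, DB_PORT = "pcx-0example", 5432
ROUTE_TABLES = [
    {"VpcId": "vpc-lambda", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": PEERING_ID},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"VpcId": "vpc-rds", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]},
]
RDS_SG = {"GroupId": "sg-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}

def has_peer_route(route_table, peer_cidr, peering_id):
    """True if the table sends the peer VPC's CIDR through the peering connection."""
    return any(r.get("DestinationCidrBlock") == peer_cidr
               and r.get("VpcPeeringConnectionId") == peering_id
               for r in route_table["Routes"])

def db_port_sources(sg, port):
    """Return (cidrs, sg_ids) allowed inbound to `port`; protocol -1 (all traffic) counts too."""
    cidrs, sgs = [], []
    for p in sg["IpPermissions"]:
        if p.get("IpProtocol") == "-1" or p.get("FromPort", 0) <= port <= p.get("ToPort", 65535):
            cidrs += [r["CidrIp"] for r in p.get("IpRanges", [])]
            sgs += [g["GroupId"] for g in p.get("UserIdGroupPairs", [])]
    return cidrs, sgs

def audit(route_tables, rds_sg):
    """Return findings as strings; an empty list means routes and the RDS SG look right."""
    findings = []
    by_vpc = {rt["VpcId"]: rt for rt in route_tables}  # one route table per VPC in the sample
    if not has_peer_route(by_vpc["vpc-lambda"], RDS_VPC_CIDR, PEERING_ID):
        findings.append("Lambda VPC has no route to the RDS CIDR via the peering connection")
    if not has_peer_route(by_vpc["vpc-rds"], LAMBDA_VPC_CIDR, PEERING_ID):
        findings.append("RDS VPC has no return route to the Lambda CIDR via the peering connection")
    cidrs, sgs = db_port_sources(rds_sg, DB_PORT)
    lambda_net = ipaddress.ip_network(LAMBDA_VPC_CIDR)
    for c in cidrs:  # any CIDR source wider than the Lambda VPC exposes the DB port too widely
        if not ipaddress.ip_network(c).subnet_of(lambda_net):
            findings.append(f"RDS SG allows port {DB_PORT} from {c}, wider than the Lambda VPC")
    if not cidrs and not sgs:
        findings.append(f"RDS SG has no inbound rule at all for port {DB_PORT}")
    return findings
```

Traffic over a peering connection keeps its private source address and never passes through the NAT gateway, so the source to allow in the RDS security group is the Lambda VPC's CIDR (or the Lambda function's security group), not an Elastic IP.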

Step 7: Test the Connection

  1. Deploy your Lambda function.

  2. Test the Lambda function to see if it can successfully connect to the RDS instance.

  3. Monitor your CloudWatch logs and RDS logs for any issues and troubleshoot as needed.
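When the test in Step 7 fails, the kind of failure tells you which earlier step to revisit. The handler below is an added example, not the article's code: it makes a bare TCP connection to the RDS endpoint before opening a real database session and logs a classification to CloudWatch; DB_HOST and DB_PORT are hypothetical environment variables you would set on the function.

```python
import os
import socket

def classify_reachability(host, port, timeout=3.0):
    """Open a bare TCP connection to the database endpoint and name the likely cause of failure.

    "open"    -> the endpoint answered: routes, peering and security groups are in place
    "refused" -> the host is reachable but nothing listens on that port (wrong port?)
    "timeout" -> packets are dropped: missing peering route, unaccepted peering request,
                 or a security group / network ACL without the matching rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # DNS failure, no route to host, ...
        return f"error: {exc.__class__.__name__}"

def lambda_handler(event, context):
    # DB_HOST / DB_PORT are hypothetical environment variables set on the function.
    host = os.environ["DB_HOST"]
    port = int(os.environ.get("DB_PORT", "5432"))
    status = classify_reachability(host, port)
    print(f"db reachability {host}:{port} -> {status}")  # appears in CloudWatch Logs
    if status != "open":
        return {"statusCode": 503, "body": f"database not reachable: {status}"}
    # Open the real database connection here with your driver, using the RDS
    # endpoint and credentials from Step 3 (taken from the environment or a
    # secrets store rather than hard-coded in the function).
    return {"statusCode": 200, "body": "database reachable"}
```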

Congratulations! You've set up a secure VPC and established VPC peering to allow your AWS Lambda function to access an RDS instance. This architecture provides isolation, security, and control over your resources while still leveraging the power of serverless computing.

Remember to follow AWS best practices for security and access control to ensure your environment remains secure. You can also consider using IAM roles to grant permissions to your Lambda function to access RDS securely without hardcoding credentials.

Please note that this article provides a high-level overview of the process. Depending on your specific use case and requirements, you may need to make additional configurations and security adjustments. Always refer to AWS documentation and best practices for detailed guidance.