How to access a public RDS instance from lambda without compromising on the security of RDS by putting an inbound rule for RDS Sg with source as 0.0.0.0/0 ?

Question

I have a lambda that wants to call RDS from a different account. The RDS is a public instance but has security group rules configured to make it secure and not open it to access from anywhere. The lambda in no VPC-mode on the other hand, does not have any static IP address associated with it which can be configured in RDS's Sg inbound rules.

**Neither** the lambda in VPC which makes call through internet gateway has a static IP address which can be configured in RDS's SG rules.

On the other hand, for the VPC peering approach, the lambda does not have a private IP address and in this blog https://aws.amazon.com/premiumsupport/knowledge-center/rds-ip-address-issues/ , it says -  When you try to connect to your DB instance from resources within the same VPC, your RDS endpoint automatically resolves to the private IP address. When you connect to your DB instance from either outside the VPC or the internet, the endpoint resolves to a public IP address.

How to make a call from lambda for a Public RDS without changing the SG's inbound source to 0.0.0.0/0 ?

Accepted Answer

I would recommend to keep the database private, attach the function to a VPC (I assume it can't be the same VPC as the DB), peer the two VPCs. Set the a small CIDR block for the subnet that Lambda attaches to, and set the SG to allow all the subnet.

An alternative would be to attach the function to a VPC and connect to the DB via a NAT Gateway that can have an EIP.

Answer

There is another way to do that ? I've tried attaching my lambda to a VPC , but didn't work.

How to access a public RDS instance from lambda without compromising on the security of RDS by putting an inbound rule for RDS Sg with source as 0.0.0.0/0 ?

관련 콘텐츠