How to access a public RDS instance from Lambda without compromising the security of RDS by putting an inbound rule on the RDS SG with source 0.0.0.0/0?

0

I have a Lambda that wants to call RDS from a different account. The RDS is a public instance but has security group rules configured to make it secure and not open it to access from anywhere. The Lambda in no-VPC mode, on the other hand, does not have any static IP address associated with it which can be configured in the RDS SG's inbound rules.

Nor does the Lambda in a VPC, which makes calls through an internet gateway, have a static IP address which can be configured in the RDS SG rules.

On the other hand, for the VPC peering approach, the Lambda does not have a private IP address, and this article https://aws.amazon.com/premiumsupport/knowledge-center/rds-ip-address-issues/ says: "When you try to connect to your DB instance from resources within the same VPC, your RDS endpoint automatically resolves to the private IP address. When you connect to your DB instance from either outside the VPC or the internet, the endpoint resolves to a public IP address."

How to make a call from Lambda to a public RDS without changing the SG's inbound source to 0.0.0.0/0?

2 answers
2
Accepted answer

I would recommend keeping the database private, attaching the function to a VPC (I assume it can't be the same VPC as the DB), and peering the two VPCs. Set a small CIDR block for the subnet that Lambda attaches to, and set the SG to allow the whole subnet.

An alternative would be to attach the function to a VPC and connect to the DB via a NAT Gateway that can have an EIP.

AWS
Expert
Uri
answered 2 years ago
  • The NAT gateway will route the traffic to the internet through the internet gateway for calling RDS, right? How should the RDS inbound rule be configured, from what source? I tried putting the EIP of the NAT Gateway from the other VPC as the inbound source for RDS, but it didn't work.

  • It should work. When you assign an EIP to a NAT Gateway, the outgoing traffic is sent from that EIP.
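As an added illustration of the accepted answer (this is not code from the answerer or from AWS), the following script audits an RDS security group's ingress rules in the shape returned by EC2 DescribeSecurityGroups, flags any rule that exposes the database port to 0.0.0.0/0, and builds the scoped replacement rule: either the NAT Gateway's EIP as a /32 or the peered Lambda subnet's CIDR. The sample rules, port and addresses are constructed.

```python
import ipaddress

# Constructed sample in the IpPermissions shape returned by EC2
# DescribeSecurityGroups, for an RDS SG fronting a PostgreSQL listener.
# The first entry is the open-to-the-world rule the question wants to avoid;
# the second is the NAT Gateway EIP rule the accepted answer suggests.
SAMPLE_RDS_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "NAT GW EIP"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
]


def find_open_db_rules(permissions, db_port):
    """Return the source CIDRs that expose db_port to the whole internet."""
    open_sources = []
    for perm in permissions:
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1"):  # "-1" means all protocols/ports
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto != "-1" and not (lo <= db_port <= hi):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr).prefixlen == 0:  # 0.0.0.0/0 or ::/0
                open_sources.append(cidr)
    return open_sources


def scoped_db_rule(db_port, source_cidr, description, nat_eip=False):
    """Build a single-port ingress entry scoped to one source.

    nat_eip=True: source is the NAT Gateway's Elastic IP, so it must be a /32.
    nat_eip=False: source is the peered Lambda subnet, so it must be private.
    """
    net = ipaddress.ip_network(source_cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("source must not be 0.0.0.0/0 or ::/0")
    if nat_eip and net.prefixlen != net.max_prefixlen:
        raise ValueError("a NAT Gateway EIP is one address; use a /32")
    if not nat_eip and not net.is_private:
        raise ValueError("peered subnet source should be a private CIDR")
    return {"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
            "IpRanges": [{"CidrIp": source_cidr, "Description": description}]}
```

The returned dict is in the form accepted by the EC2 AuthorizeSecurityGroupIngress IpPermissions parameter, so it can be passed through once the open rule has been revoked.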

0

Is there another way to do that? I've tried attaching my Lambda to a VPC, but it didn't work.

answered a year ago
