Based on your question, I'd split this problem in two parts:
- Lambda being outside the VPC, can't access the database: this is good and expected behavior too. I'd suggest you follow this step-by-step guide: How do I configure a Lambda function to connect to an RDS instance?
- Lambda function being inside the VPC, can access the database but cannot communicate responses back to the client; it throws the error:
Change client = boto3.client('apigatewaymanagementapi', endpoint_url=os.environ['END_POINT']) to client = boto3.client('apigatewaymanagementapi', endpoint_url='https://{api-id}.execute-api.{region}.amazonaws.com/{stage}')
Follow the Boto3 issue here for more details.
EDIT:
Are you looking to connect to RDS that's inside the VPC from a Lambda function which is outside the VPC? Traffic won't go through this way, as there is no direct endpoint which could let Lambda (outside the VPC) connect to RDS (inside the VPC). I understand why you are looking for that, as the other part, APIGW, doesn't work when you have your Lambda function within the VPC. To get RDS connectivity with Lambda, you should have the Lambda function within the VPC to communicate with RDS, preferably both Lambda and RDS in a private subnet.
As far as APIGW connectivity to Lambda within the VPC is concerned, can you make sure of the following:
Is your function in a private subnet? Is a NAT Gateway configured in a public subnet in that VPC? Do you have a routing table with 0.0.0.0/0 pointing to the NAT Gateway in that private subnet? When you bring your Lambda function into the VPC (I assume a private subnet), can you make sure your private subnet has internet connectivity? From the problem description, it seems that the Lambda function is accessible to APIGW, as the Lambda function gets invoked via the Lambda service public endpoint anyway, but your Lambda function may not have internet connectivity due to subnet misconfiguration.
Hope you find this helpful.
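As an added example, not code from the answer above or from AWS, here is how the explicit management endpoint URL the answer recommends can be built and used from a WebSocket Lambda handler. The environment variable names API_ID, AWS_REGION and STAGE are assumptions (the deployer sets them); the URL helper also refuses anything that is not an https execute-api host, so a mis-set value fails loudly instead of silently sending the call to the wrong place. boto3 is imported lazily so the URL helpers can be exercised without the SDK.

```python
"""Added example (not from the original thread): build the explicit
apigatewaymanagementapi endpoint URL and post to a WebSocket connection.

Assumptions (labelled): API_ID, AWS_REGION and STAGE are environment
variables set by the deployer; the connection id comes from the WebSocket
event's requestContext. boto3 is imported only inside post_to_connection.
"""
import json
import os
import re

# Only https execute-api hosts are accepted; anything else is refused so a
# mis-set endpoint_url surfaces as a configuration error, not a timeout.
_MANAGEMENT_URL = re.compile(
    r"^https://[a-z0-9]+\.execute-api\.[a-z0-9-]+\.amazonaws\.com/[A-Za-z0-9_-]+$"
)


def management_endpoint_url(api_id: str, region: str, stage: str) -> str:
    """Return https://{api-id}.execute-api.{region}.amazonaws.com/{stage}."""
    url = f"https://{api_id}.execute-api.{region}.amazonaws.com/{stage}"
    if not _MANAGEMENT_URL.match(url):
        raise ValueError(f"refusing malformed management endpoint: {url!r}")
    return url


def endpoint_url_from_env(environ=os.environ) -> str:
    """Derive the endpoint from deployer-provided variables (assumed names)."""
    return management_endpoint_url(
        environ["API_ID"], environ["AWS_REGION"], environ["STAGE"]
    )


def post_to_connection(connection_id, payload, endpoint_url, client=None):
    """Send `payload` to one WebSocket connection.

    Returns True on success and False if the connection is already gone
    (GoneException), which is normal client churn rather than a failure.
    """
    import boto3  # lazy: only needed at runtime inside Lambda

    client = client or boto3.client(
        "apigatewaymanagementapi", endpoint_url=endpoint_url
    )
    try:
        client.post_to_connection(
            ConnectionId=connection_id, Data=json.dumps(payload).encode()
        )
    except client.exceptions.GoneException:
        return False
    return True


def handler(event, context):
    """WebSocket $default route handler: echo the body back to the caller."""
    conn = event["requestContext"]["connectionId"]
    ok = post_to_connection(conn, {"echo": event.get("body")}, endpoint_url_from_env())
    return {"statusCode": 200 if ok else 410}
```

The function still needs a network path to that host (a NAT gateway from a private subnet, or an execute-api interface endpoint) and the execute-api:ManageConnections permission; the explicit URL only fixes the client-side endpoint resolution the Boto3 issue describes.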
When your Lambda function is not attached to a VPC (the default), it has access to all public APIs (e.g., post_to_connection), but has no access to private resources in your VPC (e.g. RDS). When you attach the function to the VPC, it is the other way around. It has access to private resources (assuming the security groups and routing tables are configured correctly), but has no access to public APIs.
If you need both, you need to attach the function to the VPC and give it a way to talk with public APIs. To do that there are two options: 1. Configure a NAT Gateway in a public subnet, and route the internet traffic via the Gateway. 2. For supported AWS services, use VPC Endpoints, which let you talk with those specific services. In your case, the API Gateway VPC endpoint should probably work.
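The checklist from the edited answer above (private subnet? NAT gateway? 0.0.0.0/0 route to it?) and the two options in this answer (NAT gateway or an execute-api VPC endpoint) can be checked mechanically. The following is an added example, not from either answer or from AWS: it evaluates every subnet attached to a function against route-table and VPC-endpoint records shaped like the output of `aws ec2 describe-route-tables` and `describe-vpc-endpoints`. The sample records are constructed and the resource ids are placeholders; in practice you would feed it the real `describe-*` responses.

```python
"""Added example (not from the thread): verify Lambda VPC egress.

Input dicts follow the shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-vpc-endpoints` responses. Sample data below is constructed.
"""


def subnet_egress(route_table: dict) -> str:
    """Classify a subnet by its active default route.

    'nat'  -> private subnet behind a NAT gateway (what Lambda needs)
    'igw'  -> public subnet; Lambda ENIs get no public IP, so this fails
    'none' -> no default route; only VPC endpoints can reach AWS APIs
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return "none"


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """An explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_execute_api_endpoint(vpc_endpoints, vpc_id, region):
    """True if an available execute-api interface endpoint with private DNS
    exists in this VPC; then execute-api hostnames resolve to it from any
    subnet and no internet route is needed for the management API."""
    wanted = f"com.amazonaws.{region}.execute-api"
    return any(
        ep.get("VpcId") == vpc_id
        and ep.get("ServiceName") == wanted
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("State") == "available"
        and ep.get("PrivateDnsEnabled") is True
        for ep in vpc_endpoints
    )


def check_lambda_subnets(subnet_ids, vpc_id, region, route_tables, vpc_endpoints):
    """Return {subnet_id: verdict}. Every subnet attached to the function must
    pass, because Lambda may place its ENIs in any of them."""
    endpoint_ok = has_execute_api_endpoint(vpc_endpoints, vpc_id, region)
    verdicts = {}
    for sid in subnet_ids:
        rt = route_table_for_subnet(route_tables, sid, vpc_id)
        egress = subnet_egress(rt) if rt else "none"
        if endpoint_ok:
            verdicts[sid] = "ok: execute-api interface endpoint with private DNS"
        elif egress == "nat":
            verdicts[sid] = "ok: private subnet, 0.0.0.0/0 -> NAT gateway"
        elif egress == "igw":
            verdicts[sid] = "fail: public subnet; Lambda ENIs have no public IP, IGW route is useless"
        else:
            verdicts[sid] = "fail: no NAT gateway route and no execute-api endpoint"
    return verdicts


# Constructed sample: main table sends 0.0.0.0/0 to an internet gateway
# (the public-subnet misconfiguration from the thread); one subnet has its
# own table pointing at a NAT gateway. All ids are placeholders.
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-PLACEHOLDER", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER", "State": "active"}]},
    {"VpcId": "vpc-PLACEHOLDER", "Associations": [{"SubnetId": "subnet-private-PLACEHOLDER"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-PLACEHOLDER", "State": "active"}]},
]
SAMPLE_ENDPOINTS = []  # no execute-api endpoint yet, so the NAT route decides

if __name__ == "__main__":
    result = check_lambda_subnets(
        ["subnet-private-PLACEHOLDER", "subnet-public-PLACEHOLDER"],
        "vpc-PLACEHOLDER", "us-east-1", SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS)
    for sid, verdict in result.items():
        print(sid, verdict)
```

The endpoint option is the tighter of the two: with an execute-api interface endpoint the function needs no route to the internet at all, and its security group can be restricted to the endpoint's ENIs, whereas a NAT gateway gives the subnet general outbound access.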
Thanks for the pointers. The problem before was that the function was not on a private subnet. Now the configuration is fixed and I get a different error when trying to communicate with the client: Task timed out after 10.01 seconds - it seems that it is still a connectivity issue.
UPDATE: I had 4 extra subnets without endpoints. I just added endpoints for all of them (half public via an IGW and half private via the same NATGW) and now it works! I am not sure if this was the issue. It seems off because the function was not connected to these subnets in any way. These were the default subnets in my default AWS VPC.
I'm sure it would work if your Lambda function is on a private subnet with a route to a NAT gateway. Lambda can't access outside via an IGW. It requires a NAT gateway.
If so, review if that's secure enough for you or if you need to lock it down a little more by using endpoints instead.
Yes, you can split this question into two different problems. I just wanted to give all the context.
I believe this would work if you follow the suggestions provided in the edit section. I don't see any reason for it not to work if it's set up this way (private subnet with NATGW).
Thanks for the pointers. I did have some issues in my configuration. Now the configuration is fixed and I get a different error when trying to communicate with the client: Task timed out after 10.01 seconds
In summary, these are the changes I implemented:
Glad that it worked out. That's exactly what I asked after having a conversation with you here. Yes, a VPC endpoint would have helped for API Gateway communication.