Lambda cannot connect to Customer Site MSSQL DB via Site-to-Site VPN


I need to communicate with a MSSQL DB which in the remote clients to retrieve data and save in my redshift table via lambda. I made the following setup. but still, I cannot communicate with the Client's DB via VPN, and it says below. (as an example, let's say my destination IP is DesIP). Both tunnels in VPN is also up.

'Failed to connect to SQL Server'

Router table with following destinations attached to the VPC

  • Destination - DesIP/32 and Target for this is Virtual Private Gateway
  • Destination - and Target for this is Virtual Private Gateway
  • And router propagation is enabled.

**Subnet **is also attached to the correct router table with correct DesIP and VGW.

VGW is connected to Customer gateway with the correct customer end IP address.

Site-to-Site VPN is up both tunnels and connected to VGW.

ACL inbound and outbound rules are setup to allow traffic from **Type **MS SQL (1433 ) **Protocol ** TCP (6) Port range 1433 Security Group did the same thing in the security group also. added **Type **MS SQL (1433 ) **Protocol ** TCP (6) Port range 1433

Appreciate if somebody can help me with this. Pasting below the resource map of my VPC. in the map I can't see VGW attached to it. is that a problem or it is normal?

Enter image description here

3 Answers

For troubleshooting: What happens if you create an EC2 instance on the same subnet as the Lambda function is using? It's much easier to troubleshoot connectivity issues from an interactive console of some sort.

I would also (at least temporarily) remove the NACLs - they are often the cause of much time being used in troubleshooting. Only add them back in if they are necessary and once the connection is up and running. Also consider relaxing the security group rules for the same reason.

You should also check to see if there is anything else on the customer's network that you can test connectivity with. A common problem here is that the remote VPN/firewall device has NAT enabled for traffic over the VPN connection which causes things to fail.

profile pictureAWS
answered 23 days ago

Since you mentioned you are using VGW and both tunnels are UP, make sure you don't have asymmetric routing issue, asymmetric routing is where traffic from on-prem to AWS is using one tunnel, but the return traffic is using the other tunnel. To check if you have asymmetric routing issue check CloudWatch TunnelDataIn and TunnelDataOut metrics, both of those two must have traffic for the same tunnel, if you see TunnelDataIn on tunnel 1 and TunnelDataOut on tunnel 2, then this is asymmetric routing and traffic will be dropped (most likely), both TunnelDataIn and TunnelDataOut must be for the same tunnel.

To quickly see if you're having asymmetric routing, disable one of the tunnels and then test the connectivity, if it starts working them this is asymmetric routing.

Below are some guides on how to troubleshoot VPN connection issues.

profile pictureAWS
answered 23 days ago

You don’t mention how your lambda is configured. Have you configured the VPC part of your lambda function to connect to your VPC?

Have you configured the security group on your lambda function with the correct outbound rules?

profile picture
answered 22 days ago
  • Hi Gary...Yes. I have attached to the correct VPC and selected the right Subnet and Security group in lambda.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions