How to access a public RDS instance from Lambda without compromising the security of RDS by putting an inbound rule in the RDS SG with source 0.0.0.0/0?


I have a Lambda that wants to call RDS from a different account. The RDS is a public instance but has security group rules configured to keep it secure and not open to access from anywhere. The Lambda in no-VPC mode, on the other hand, does not have any static IP address associated with it that can be configured in the RDS SG's inbound rules.

Nor does the Lambda in a VPC, which makes calls through an internet gateway, have a static IP address that can be configured in the RDS SG's rules.

As for the VPC peering approach, the Lambda does not have a private IP address, and this article, https://aws.amazon.com/premiumsupport/knowledge-center/rds-ip-address-issues/, says: "When you try to connect to your DB instance from resources within the same VPC, your RDS endpoint automatically resolves to the private IP address. When you connect to your DB instance from either outside the VPC or the internet, the endpoint resolves to a public IP address."

How can I make a call from Lambda to a public RDS instance without changing the SG's inbound source to 0.0.0.0/0?

2 Answers
Accepted Answer

I would recommend keeping the database private, attaching the function to a VPC (I assume it can't be the same VPC as the DB), and peering the two VPCs. Set a small CIDR block for the subnet that Lambda attaches to, and set the SG to allow the whole subnet.

An alternative would be to attach the function to a VPC and connect to the DB via a NAT Gateway that can have an EIP.

AWS EXPERT
Uri
answered 2 years ago
  • The NAT gateway will route the traffic to the internet through the internet gateway for calling RDS, right? How should RDS's inbound rule be configured, and from what source? I tried setting the inbound source for RDS to the EIP of the NAT Gateway from the other VPC; it didn't work.

  • It should work. When you assign an EIP to a NAT Gateway, the outgoing traffic is sent from that EIP.
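A configuration check in the spirit of the accepted answer, added here as example code (it is not from the answer, the question, or AWS): it audits an RDS security group's inbound rules, in the shape that EC2 DescribeSecurityGroups returns under IpPermissions, and confirms that the DB port admits only the peered Lambda subnet CIDR and/or the NAT gateway's EIP as a /32, never 0.0.0.0/0. The port, CIDRs and EIP are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups "IpPermissions".
# Every CIDR, port and description below is a placeholder, not a value from the thread.
DB_PORT = 5432  # assumed PostgreSQL; the question does not name the engine or port

RDS_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.20.1.0/24", "Description": "peered Lambda subnet"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "NAT gateway EIP"}]},
]


def cidrs_on_port(rules, port):
    """IPv4/IPv6 networks that the inbound rules admit on TCP `port`.
    Handles IpProtocol "-1" (all traffic) and TCP port ranges."""
    found = []
    for rule in rules:
        proto = rule.get("IpProtocol")
        in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
        if proto == "-1" or (proto == "tcp" and in_range):
            found += [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
    return found


def audit(rules, port, expected_sources):
    """Return findings (empty list = clean) for an RDS SG that should admit only
    the peered Lambda subnet and/or the NAT gateway EIP (/32) on the DB port.
    `expected_sources` are CIDR strings such as "10.20.1.0/24" or "203.0.113.7/32"."""
    findings = []
    nets = cidrs_on_port(rules, port)
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net} admits the whole internet on port {port}")
        elif net.version == 4 and net.prefixlen < 16:
            # No single VPC CIDR is larger than /16, so this is broader than any VPC or subnet.
            findings.append(f"{net} is broader than a VPC/subnet range")
    for src in expected_sources:
        want = ipaddress.ip_network(src)
        # A rule must fully contain the expected source, otherwise some traffic is dropped.
        if not any(want.subnet_of(net) for net in nets if net.version == want.version):
            findings.append(f"no rule on port {port} covers expected source {src}")
    return findings


if __name__ == "__main__":
    print(audit(RDS_SG_RULES, DB_PORT, ["10.20.1.0/24", "203.0.113.7/32"]))  # []
```

When the NAT-gateway path "does not work", running this against the live IpPermissions of the RDS SG quickly tells you whether the rule covers the EIP at all, which is the first thing to rule out before looking at routing.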


Is there another way to do that? I've tried attaching my Lambda to a VPC, but it didn't work.

answered a year ago
