Network ACL block connection within private subnet

0

Hi everyone, I created a VPC and a private subnet. Inside the private subnet, I had 1 Lambda function and 1 RDS instance. After adding lambda-sg to rds-sg, the Lambda function can connect to RDS. But when I remove all allow rules in the network ACL (both inbound and outbound) of the private subnet, Lambda cannot connect to RDS anymore. I read that a network ACL does not affect traffic within the subnet, so why did that happen? Can you guys explain that to me? Thanks

Minhnc
asked 10 months ago, 523 views
2 Answers
1

Are the Lambda and RDS subnets different?
If they are different, the traffic is evaluated by the network ACL and is blocked.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-basics

We evaluate the network ACL rules when traffic enters and leaves the subnet, not as it is routed within a subnet.

So, as an expectation, it is possible that some of the subnets configured in the RDS subnet group do not match the subnets in which Lambda runs.

EXPERT
answered 10 months ago
  • Lambda and RDS are in the same private subnet. I tried both the RDS endpoint and the private IP; neither of them works. Here is the code in the Lambda function:

    import pkg from 'pg';
    const { Client } = pkg;

    export const handler = async (event, context) => {
      console.log("Event -->", JSON.stringify(event));
      // Return as soon as the handler resolves, even if pg still holds a socket open
      context.callbackWaitsForEmptyEventLoop = false;
      const client = new Client({
        user: 'postgres',
        host: "Private IP", // RDS private IP (the RDS endpoint hostname was also tried)
        database: 'demo',
        password: 'password',
        port: 5432
      });
      try {
        await client.connect();
        const res = await client.query('SELECT $1::text as message', ['Hello world!']);
        console.log(res.rows[0].message); // Hello world!
        await client.end();
      } catch (err) {
        // Log the underlying error as well, so a connect timeout can be told apart from an auth failure
        console.log('error while trying to connect to db', err);
      }
    };

  • Does this mean that there are two subnets on which Lambda is running? In that case, is there any possibility of access to RDS from a different subnet? In other words, I feel the following image is occurring. Could it be possible that the timeout is communication from the Lambda ENI to the RDS subnet (a different subnet)?

  • VPC: 100.0.0.0/24
    Subnet 1c: 100.0.0.144/28
    Subnet 1a: 100.0.0.128/28
    RDS publicly accessible: No
    My RDS required 2 different subnets (4 in total: 2 public and 2 private). In the Lambda function VPC configuration I edited, in order, the 1st subnet, the 2nd subnet, and both subnets, but no luck.

  • Access from Subnet 1c to Subnet 1a will fail if all connections are blocked by the network ACL. In other words, edit the network ACL as follows.

    Subnet 1c inbound

    rule number | type | protocol | port range | source | allow/deny
    1 | MySQL/Aurora (3306) | TCP (6) | 3306 | 100.0.0.128/28 | allow
    2 | Custom TCP | TCP (6) | 1024 - 65535 | 100.0.0.128/28 | allow
    * | All traffic | All | All | 0.0.0.0/0 | deny

    Subnet 1c outbound

    rule number | type | protocol | port range | destination | allow/deny
    1 | Custom TCP | TCP (6) | 1024 - 65535 | 100.0.0.128/28 | allow
    2 | MySQL/Aurora (3306) | TCP (6) | 3306 | 100.0.0.128/28 | allow
    * | All traffic | All | All | 0.0.0.0/0 | deny

    Subnet 1a inbound

    rule number | type | protocol | port range | source | allow/deny
    1 | MySQL/Aurora (3306) | TCP (6) | 3306 | 100.0.0.144/28 | allow
    2 | Custom TCP | TCP (6) | 1024 - 65535 | 100.0.0.144/28 | allow
    * | All traffic | All | All | 0.0.0.0/0 | deny

    Subnet 1a outbound

    rule number | type | protocol | port range | destination | allow/deny
    1 | Custom TCP | TCP (6) | 1024 - 65535 | 100.0.0.144/28 | allow
    2 | MySQL/Aurora (3306) | TCP (6) | 3306 | 100.0.0.144/28 | allow
    * | All traffic | All | All | 0.0.0.0/0 | deny
  • Hi @Riku_Kobayashi, if RDS is in a single zone (free tier), is the NACL still configured as above?

1

Please note that while you are using a Lambda function with an interface endpoint, your function is not running within your subnet. The ENI is a private pathway to the backend of the service, so the traffic leaves the subnet and is therefore subject to NACL rules.

You need to add the Lambda ephemeral ports (look for "Ephemeral ports") to your NACL in order to allow this traffic.

AWS
answered 10 months ago
  • Interface Type | Description | Instance ID | Status
    lambda | AWS Lambda VPC ENI-createFileUpload-57197d84-7eee-4d1b-bfd1-5e08d4ebc398 | – | In-use
    Did you mean this?

  • Yes, this ENI sends the data back and forth between your private subnet and the AWS Lambda service backend. This traffic is not public; it is carried over PrivateLink. You can refer to this documentation to learn more about PrivateLink: https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html
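As an added illustration of the two points made in this thread (the NACL tables in the first answer's comments and the ephemeral-port rule in the second answer), here is a small stateless NACL evaluator in Python. It is not code from the post or from AWS. The subnet CIDRs are the ones the asker gave; the Lambda ENI address, the RDS address and the client port 40000 are constructed, and it uses PostgreSQL's port 5432 (the port in the asker's Lambda code) where the tables say 3306. It walks one request and its reply through both subnets' NACLs and shows that dropping only the 1024-65535 return rule is enough to break the connection, which is why a NACL that allows just the DB port still times out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout for the thread: the Lambda ENI sits in subnet 1c (100.0.0.144/28)
# and the RDS instance in subnet 1a (100.0.0.128/28). The two host addresses are assumptions.
SUBNET_1C = "100.0.0.144/28"
SUBNET_1A = "100.0.0.128/28"
LAMBDA_ENI_IP = "100.0.0.150"
RDS_IP = "100.0.0.130"


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; the '*' catch-all is modelled as 32767
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int


DENY_ALL = Rule(32767, "all", 0, 65535, "0.0.0.0/0", "deny")


def evaluate(rules, packet, direction):
    """First matching rule in ascending number order decides; no match falls to the '*' deny.
    A NACL keeps no connection state, so every packet is judged on its own."""
    addr = ip_address(packet.src if direction == "inbound" else packet.dst)
    for rule in sorted(list(rules) + [DENY_ALL], key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False


def connection_allowed(acls, client_subnet, server_subnet, client_ip, server_ip, server_port, client_port=40000):
    """Walk one TCP request/reply pair across two subnets that each have their own NACL.
    acls maps subnet name -> {"inbound": [...], "outbound": [...]}. Returns (allowed, reason).
    The reply is checked separately on the return path because NACLs are stateless."""
    request = Packet(client_ip, server_ip, "tcp", server_port)
    reply = Packet(server_ip, client_ip, "tcp", client_port)   # reply targets the client's ephemeral port
    hops = [
        (client_subnet, "outbound", request),   # request leaves the Lambda ENI's subnet
        (server_subnet, "inbound", request),    # request enters the RDS subnet
        (server_subnet, "outbound", reply),     # reply leaves the RDS subnet
        (client_subnet, "inbound", reply),      # reply enters the Lambda ENI's subnet
    ]
    for subnet, direction, pkt in hops:
        if not evaluate(acls[subnet][direction], pkt, direction):
            return False, f"{direction} NACL of {subnet} dropped {pkt.src}->{pkt.dst}:{pkt.dst_port}"
    return True, "all four NACL checks passed"


def acl_for(peer_cidr, db_port):
    """Rules in the shape of the answer's tables: DB port plus the 1024-65535 ephemeral range, both ways."""
    return {
        "inbound": [Rule(1, "tcp", db_port, db_port, peer_cidr, "allow"),
                    Rule(2, "tcp", 1024, 65535, peer_cidr, "allow")],
        "outbound": [Rule(1, "tcp", 1024, 65535, peer_cidr, "allow"),
                     Rule(2, "tcp", db_port, db_port, peer_cidr, "allow")],
    }


# PostgreSQL listens on 5432 (the port in the asker's Lambda code), so that replaces 3306 here.
ACLS = {"subnet-1c": acl_for(SUBNET_1A, 5432), "subnet-1a": acl_for(SUBNET_1C, 5432)}

# The asker's broken state: every allow rule removed, only the implicit '*' deny left.
EMPTY_ACLS = {"subnet-1c": {"inbound": [], "outbound": []},
              "subnet-1a": {"inbound": [], "outbound": []}}


def without_ephemeral(acls):
    """Keep only the DB-port rules, i.e. forget that the reply needs the ephemeral range."""
    return {name: {d: [r for r in rules if (r.port_from, r.port_to) != (1024, 65535)]
                   for d, rules in dirs.items()}
            for name, dirs in acls.items()}


def lambda_to_rds(acls):
    """The thread's scenario: Lambda ENI in subnet 1c connecting to RDS in subnet 1a on 5432."""
    return connection_allowed(acls, "subnet-1c", "subnet-1a", LAMBDA_ENI_IP, RDS_IP, 5432)


if __name__ == "__main__":
    for label, acl_set in [("full rules", ACLS), ("DB port only", without_ephemeral(ACLS)),
                           ("no allow rules", EMPTY_ACLS)]:
        print(f"{label:15} -> {lambda_to_rds(acl_set)}")
```

The `reason` string names the first NACL check that drops a packet, which is the order in which a practitioner would inspect the real NACLs: with the DB port allowed but the ephemeral range missing, the request reaches RDS and it is the reply leaving the RDS subnet that is dropped, so the Lambda side only ever sees a connect timeout.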
