
Unable to connect to Public RDS in VPC via Lambda

There are a couple of questions around this, but none seem to solve my specific problem.

So I have a publicly accessible RDS instance in a VPC with two Security Groups: one the default SG for the VPC & the other to allow incoming connections from our developer machines. I am able to successfully connect to this RDS via my developer machines (personal laptops/PCs) as a result of the 2nd Security group.

Now, when I try to connect to this RDS via a Lambda running in the same VPC, it fails with this error: "java.net.UnknownHostException: ****.rds.amazonaws.com: Name or service not known"

My lambda is getting launched in the same VPC as RDS and I have chosen all the RDS VPC subnets for the lambda. It also is tied to the default VPC security group.

Below is my understanding (obviously not right as connection is not working), what am I missing here?

The Default VPC SG (security group) associated to the lambda has outgoing rules set as 0.0.0.0/0, hence it should allow lambda to access the whole world; so at least the RDS in VPC should be accessible.

The same default VPC SG should allow the RDS to accept incoming connections from any IP in the SG subnets (inbound rule mentions SG/default); hence lambda should be able to access it.

The error message is indicating that it cannot resolve the DNS Name of the RDS database (Name or service not known).

I suspect that this is due to the fact that the RDS instance has been configured as publicly accessible, which gives it a public DNS Name and IP address.

An AWS Lambda function connected to a VPC will send all network traffic via the VPC. It does not have access to the Internet unless there is a NAT in the VPC and the Lambda function is connected to a Private Subnet. Thus, the connection attempts from the Lambda function are possibly attempting to resolve a Public DNS Name, but are failing to do so.

This could likely be resolved by changing the RDS instance to be Publicly Available = No. This not only makes it safer, but it means that the DNS Name will resolve to a Private IP address, which should work correctly with a Lambda function connected to the VPC.

Alternatively, you could configure the Lambda function to not be connected to the VPC. This gives it Internet access, so it will connect to the RDS database just like any other computer on the Internet.

So the problem was that in my developer machine, I was using the db instance endpoint, but in lambda I was using the cluster endpoint. They look similar, hence I was not able to catch it earlier. On fixing the lambda to use the instance endpoint, both lambda & developer machines can successfully connect to the RDS.

However, I am now curious why the cluster url is not accessible, but i will create another question for that.
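A small diagnostic that ties the two findings above together, added here as an example and not code from either poster: it labels an RDS hostname as an instance or cluster endpoint (the two the asker mixed up) and checks whether the addresses it resolves to fall inside the VPC CIDR, which is what a VPC-attached Lambda without a NAT can actually reach. The hostnames, addresses and CIDR are constructed; the endpoint naming shapes are the usual RDS/Aurora ones and are an assumption, and the resolver is injectable so it can be run offline.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List

# Assumed endpoint shapes (usual RDS/Aurora naming, not taken from the thread):
#   instance: <db-id>.<hash>.<region>.rds.amazonaws.com
#   cluster:  <cluster-id>.cluster-<hash>.<region>.rds.amazonaws.com
#   reader:   <cluster-id>.cluster-ro-<hash>.<region>.rds.amazonaws.com
_RDS_RE = re.compile(
    r"^(?P<name>[a-z0-9-]+)\.(?P<kind>cluster-ro-|cluster-)?(?P<hash>[a-z0-9]+)"
    r"\.(?P<region>[a-z0-9-]+)\.rds\.amazonaws\.com$"
)
_KIND = {None: "instance", "cluster-": "cluster", "cluster-ro-": "cluster-reader"}


def classify_endpoint(host: str) -> str:
    """Label an RDS hostname as instance / cluster / cluster-reader / unknown."""
    m = _RDS_RE.match(host.strip().lower())
    return _KIND[m.group("kind")] if m else "unknown"


def resolve_with_system_dns(host: str) -> List[str]:
    """Default resolver: whatever this host's DNS returns (inside a VPC, the VPC resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})


def diagnose(host: str, vpc_cidr: str,
             resolver: Callable[[str], Iterable[str]] = resolve_with_system_dns) -> Dict:
    """Resolve the endpoint and report whether every address lies inside the VPC.

    A Lambda attached to the VPC has no Internet route unless a NAT exists, so a
    public address is the warning sign; an address inside vpc_cidr is what we want.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    report = {"endpoint": host, "kind": classify_endpoint(host),
              "addresses": [], "reachable_from_vpc": False, "error": None}
    try:
        addrs = list(resolver(host))
    except OSError as exc:  # socket.gaierror: the Python twin of "Name or service not known"
        report["error"] = f"DNS resolution failed: {exc}"
        return report
    for a in addrs:
        ip = ipaddress.ip_address(a)
        report["addresses"].append({"ip": a, "private": ip.is_private, "in_vpc": ip in vpc})
    report["reachable_from_vpc"] = bool(addrs) and all(e["in_vpc"] for e in report["addresses"])
    return report


if __name__ == "__main__":
    # Constructed sample: an instance endpoint resolving to a private VPC address.
    print(diagnose("mydb.abc123xyz.us-east-1.rds.amazonaws.com", "10.0.0.0/16",
                   resolver=lambda h: ["10.0.1.25"]))
```

Run it from inside the Lambda's VPC (or a bastion in the same subnets) with the default resolver to see which address the Lambda is really being handed for each endpoint.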
