5

I have a Lambda function which can be triggered from an API gateway or ALB request. I also have an RDS Aurora PostgreSQL instance, both of which are running within a VPC.

I'm able to connect to the RDS instance from the Lambda just fine, however I can't access the internet, e.g. attempting to fire off a request to https://jsonplaceholder.typicode.com/todos/1 will cause a timeout.

I also can't connect to the remote database using a SQL client such as DBeaver.

Here's some detail below but let me know if you need anything else. I'm stumped.

Lambda Inbound Rules

Security group ID      Ports   Source
sg-0f2c4426c8fc85235   80      0.0.0.0/0
sg-0f2c4426c8fc85235   5432    0.0.0.0/0
sg-0f2c4426c8fc85235   All     sg-0f2c4426c8fc85235
sg-0f2c4426c8fc85235   22      0.0.0.0/0
sg-0f2c4426c8fc85235   443     0.0.0.0/0

Lambda Outbound Rules

Security group ID      Ports   Destination
sg-0f2c4426c8fc85235   All     0.0.0.0/0

RDS Connectivity [screenshot]

VPC [screenshot]

Public Subnet [screenshot]

Private Subnet [screenshot]

EDIT

NAT Gateway (associated with public subnet) [screenshot]

Route Tables [screenshot]

Route Table Routes [three screenshots, one per route table]

EDIT 2

Lambda Subnets [screenshot]

6
  • can you also share the route table ? Commented Aug 22, 2019 at 11:50
  • I hope you made a common mistake here: you should create the NAT Gateway in the public subnet and update the private subnet's route table. Often people create the NAT Gateway in the private subnet, which is actually a deadlock. - docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html Commented Aug 22, 2019 at 11:52
  • @RafafTahsin - Sorry, my mistake, the NAT is in the public subnet. I've edited the original post to add images for NAT and route tables. Commented Aug 22, 2019 at 12:24
  • Which subnet is the Lambda function attached to? Commented Aug 22, 2019 at 12:37
  • 3
    @Craig The route table (rtb-0d15b06e1cff79515) associated with the private subnet doesn't have a route to the NAT gateway. Also, the Lambda function should be in only the private subnet(s) if you want it to use the NAT gateway. Check out this link: docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html Commented Aug 22, 2019 at 12:55

2 Answers

9

The Lambda function should only be connected to a private subnet.

This enables Internet-bound traffic to be routed to the NAT Gateway in the public subnet.

If the Lambda function connects to the public subnet, it will be unable to reach the Internet.


1 Comment

Ah, thanks John. I've removed the public subnet, as seen here: [screenshot]. Unfortunately I'm still receiving a timeout. Does it usually take a bit of time to propagate?
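To make the answer's rule concrete, here is a small offline checker written for this edit (it is not code from the poster, the answerer or AWS). It applies the same lookup a VPC does for each subnet a function is attached to: explicit route-table association first, then the VPC's main route table, then the active 0.0.0.0/0 route of that table. A subnet only gives Lambda a path to the Internet when that route points at a nat- target; an igw- route is a dead end because the function's ENI has no public IP, and no default route at all produces exactly the timeout described above. It also lints the inbound rules from the question's security-group table: a Lambda function never accepts inbound connections, so inbound rules on its security group are never evaluated and anything opened to 0.0.0.0/0 there is dead weight. All ids (subnet-pub0, rtb-priv0, nat-0, igw-0 and so on) and the route tables are constructed to mirror the question's before and after states; the dict shapes follow what EC2 `describe_route_tables` and Lambda `get_function_configuration` return, so live API output can be passed to the same functions.

```python
"""Offline check: can a VPC-attached Lambda function reach the Internet?

Added example, not from the original post. All ids and route tables
below are constructed to mirror the question's setup.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table that applies to subnet_id.

    A subnet with an explicit association uses that table; otherwise the
    VPC's main route table applies, which is how the VPC itself resolves it.
    """
    main_table = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main_table = rtb
    return main_table


def default_route_target(rtb):
    """Return the target id of the active 0.0.0.0/0 route, or None."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State", "active") != "active":
            continue
        return (route.get("NatGatewayId") or route.get("GatewayId")
                or route.get("NetworkInterfaceId") or route.get("InstanceId"))
    return None


def classify_subnet(route_tables, subnet_id):
    """'private-nat' (works), 'public' (igw-, dead end for Lambda),
    'isolated' (no default route, times out) or 'other' (peering, TGW...)."""
    rtb = route_table_for_subnet(route_tables, subnet_id)
    target = default_route_target(rtb) if rtb else None
    if target is None:
        return "isolated"
    if target.startswith("nat-"):
        return "private-nat"
    if target.startswith("igw-"):
        return "public"
    return "other"


def check_lambda_egress(vpc_config, route_tables):
    """Classify every subnet in the function's VpcConfig.

    Lambda may place an invocation's ENI in any attached subnet, so egress
    is only reliable when every subnet is 'private-nat'.
    """
    verdicts = {s: classify_subnet(route_tables, s) for s in vpc_config["SubnetIds"]}
    ok = bool(verdicts) and all(v == "private-nat" for v in verdicts.values())
    return verdicts, ok


def lint_lambda_sg_inbound(inbound_rules):
    """Inbound rules on a Lambda function's security group are never used:
    the function's ENIs only originate connections. Return rules open to the
    world so they can be deleted before they get copied elsewhere."""
    return [r for r in inbound_rules if r["Source"] == "0.0.0.0/0"]


# --- constructed sample data mirroring the question ----------------------
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES_BEFORE = [
    # main table: local route only, private subnet falls back to this
    {"RouteTableId": "rtb-main0", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-pub0", "Associations": [{"Main": False, "SubnetId": "subnet-pub0"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0", "State": "active"}]},
]
# fix: private subnet gets its own table with a route to the NAT gateway
ROUTE_TABLES_AFTER = ROUTE_TABLES_BEFORE + [
    {"RouteTableId": "rtb-priv0", "Associations": [{"Main": False, "SubnetId": "subnet-priv0"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0", "State": "active"}]},
]
VPC_CONFIG_BEFORE = {"SubnetIds": ["subnet-pub0", "subnet-priv0"], "SecurityGroupIds": ["sg-lambda0"]}
VPC_CONFIG_AFTER = {"SubnetIds": ["subnet-priv0"], "SecurityGroupIds": ["sg-lambda0"]}
LAMBDA_SG_INBOUND = [  # the question's inbound table, same shape as the post
    {"Ports": "80", "Source": "0.0.0.0/0"}, {"Ports": "5432", "Source": "0.0.0.0/0"},
    {"Ports": "All", "Source": "sg-lambda0"}, {"Ports": "22", "Source": "0.0.0.0/0"},
    {"Ports": "443", "Source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for label, cfg, tables in (("before", VPC_CONFIG_BEFORE, ROUTE_TABLES_BEFORE),
                               ("after", VPC_CONFIG_AFTER, ROUTE_TABLES_AFTER)):
        verdicts, ok = check_lambda_egress(cfg, tables)
        print(label, verdicts, "egress OK" if ok else "egress BROKEN")
    print("unused world-open inbound rules:", lint_lambda_sg_inbound(LAMBDA_SG_INBOUND))
```

Against live accounts, feed `check_lambda_egress` the `VpcConfig` from `lambda.get_function_configuration(FunctionName=...)` and the `RouteTables` list from `ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])`; the "before" data reproduces both problems raised in the comments (a subnet in the public route table, and a private subnet whose effective table has no NAT route), and the "after" data is the configuration the accepted answer asks for.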
2

A mixture of two things, I think. 1. As was pointed out, the Lambda should only be connected to private subnets.

I think I'd also mixed up the availability zones between the public and private subnets?

Anyway, the Lambda is now successfully connecting to RDS, hitting external APIs and I can also connect through DBeaver.

Thanks a lot.
