Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Connecting your Lambda Function to a Private Database

If you want your Lambda function to interact with resources (e.g., RDS database, EC2 instance) inside a private subnet, you won’t be able to do so by default. The reason for this is that Lambda functions live in an isolated and secured VPC managed by AWS. This is why when you create a Lambda function, you don’t go through any networking configurations (VPC, subnet, ENIs), unlike when creating EC2 instances. Also, you cannot establish a VPC peering connection between the VPC where Lambda functions are run and the VPC where your private resources are located because the former is not accessible to customers.

Connecting your Lambda Function to a Private Database

AWS uses an internal service called AWS Hyperplane, which serves as a NAT service, connecting Lambda functions to the ENIs in your VPC.

In this article, I’ll walk you through the process of connecting your Lambda function to a private RDS database instance. This post assumes that you already have your database ready.

STEP -1 Update your Lambda function’s execution role

  1. In the Lambda Console, under the Configuration tab, select Permissions, then click your function’s role name. This will redirect you to the IAM console.

Connecting your Lambda Function to a Private Database

      2. On Permissions, click Add permissions > Attach policies

Connecting your Lambda Function to a Private Database

        3. Search for the AWSLambdaVPCAccessExecutionRole managed policy and attach it to the IAM role.

Connecting your Lambda Function to a Private Database

STEP -2 Connect the Lambda function to a VPC

  1. In the Lambda Console, under the Configuration tab, select VPC, then click the Edit button.

Connecting your Lambda Function to a Private Database

       2. Select the VPC where your RDS instance is located.

Tutorials dojo strip

       3. Select one or more subnets in the VPC. Ideally, these subnets should be the same as the ones your RDS instance is using or at least have routes to them.

       4. Select a security group that allows traffic between your Lambda function and the RDS instance. You may need to create a new security group or modify an existing one to allow traffic on the correct ports (e.g., port 3306 for MySQL, port 5432 for PostgreSQL).

Connecting your Lambda Function to a Private Database

Lambda functions don’t listen to any inbound traffic, so it’s fine if you don’t set any inbound rules in the Lambda function’s security group. Nonetheless, ensure that the security group permits outbound traffic to the resources your function intends to access. As shown in the screenshot, the same security group is being utilized for both the Lambda function and the RDS database instance.

 

STEP -3 Update the security group of your database

  1. Add an inbound rule to your RDS DB instance’s security group with the following settings:
    • Choose the appropriate type based on your database engine (e.g., “MySQL” for MySQL on port 3306, “PostgreSQL” for PostgreSQL on port 5432, etc.)
    • Port Range: This will be pre-filled based on the selected Type
    • Source: Select “Custom” and enter the security group ID of the security group associated with the Lambda function.

Connecting your Lambda Function to a Private Database

Once connected, your Lambda function will lose internet access. This happens due to the fact that AWS Lambda only assigns private IP addresses to ENIs that it creates. Even if your function is connected to a public subnet, your VPC’s internet gateway will still be unable to route traffic between the internet and your function.

To give your Lambda function internet access, you can create a NAT Gateway in the public subnet of your VPC and add an entry to the private subnet’s (the subnet/s connected to your Lambda function) route table.  Set the destination to 0.0.0.0/0 and the NAT Gateway as the target to allow outbound traffic from the private subnet to the internet.

Connecting your Lambda Function to a Private Database

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Carlo Acebedo

Carlo is a cloud engineer and a content creator at Tutorials Dojo. He's also a member of the AWS Community builder and holds 5 AWS Certifications. Carlo specializes in building and automating solutions in the Amazon Web Services Cloud.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?