How do I troubleshoot connection timeout errors from Lambda when trying to access an Amazon RDS DB instance?

Last updated: 2021-04-19

My AWS Lambda function receives connection timeout errors when it tries to access an Amazon Relational Database Service (Amazon RDS) DB instance. How do I troubleshoot these errors?

Resolution

Troubleshoot intermittent and transient connection timeout errors

Capture the Lambda function's events and retry them as part of your function's error handling

For more information, see Error handling and automatic retries in AWS Lambda.

Check for DNS errors

Confirm whether there are any Domain Name System (DNS)-related errors. If there are DNS errors, catch them. Then, retry the DNS request using an exponential backoff. For more information, see Error retries and exponential backoff in AWS.

Note: Make sure that you're able to resolve the inbound and outbound endpoints before you retry the DNS request.
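One way to apply the retry advice above in function code, as an added example that is not part of the original article: name resolution of the DB endpoint is wrapped in a bounded exponential backoff with jitter, and only DNS failures (`socket.gaierror`) are retried so that other misconfigurations surface immediately. The resolver and sleep callables are injectable so the logic can be exercised offline; the hostname used in the usage line is a constructed placeholder.

```python
import random
import socket
import time

# Added example, not AWS's code. Resolves the RDS endpoint with capped
# exponential backoff plus full jitter, retrying only name-resolution errors.
# `resolver`, `sleep` and `rng` are injectable so the logic runs offline.


def resolve_with_backoff(hostname, port=3306, max_attempts=5, base_delay=0.2,
                         max_delay=5.0, resolver=socket.getaddrinfo,
                         sleep=time.sleep, rng=random.random):
    """Return a list of (ip, port) tuples for hostname, retrying DNS failures.

    Only socket.gaierror (name resolution failure) is retried; any other
    exception propagates at once so retries do not mask a real problem.
    Re-raises the last gaierror when every attempt fails.
    """
    last_error = None
    for attempt in range(max_attempts):
        try:
            infos = resolver(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
            return [(info[4][0], info[4][1]) for info in infos]
        except socket.gaierror as err:
            last_error = err
            if attempt == max_attempts - 1:
                break
            # Full jitter: a random fraction of the capped exponential delay.
            delay = min(max_delay, base_delay * (2 ** attempt)) * rng()
            sleep(delay)
    raise last_error


if __name__ == "__main__":
    # Constructed endpoint name; replace with the RDS instance endpoint.
    print(resolve_with_backoff("mydb.example.internal", max_attempts=2))
```

The same pattern applies when the driver itself raises a name-resolution error during connect: catch that specific error class, back off, and retry, while leaving authentication or authorization errors to fail fast.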

Troubleshoot consistent connection timeout errors

Check the Lambda function's Amazon CloudWatch Logs

If you haven't done so already, grant CloudWatch logging permissions to your Lambda function. Then, review your function's logs to identify specific connection timeout errors.

For more information, see Monitoring and troubleshooting Lambda applications.

Check the VPC configuration

For private databases, do either of the following, based on your use case:

Put your Lambda function in the same Amazon Virtual Private Cloud (Amazon VPC) as the database.

-or-

Create a VPC peering connection between the Amazon VPC that includes your function and the Amazon VPC that includes your database.

For public databases, do the following:

(For functions in an Amazon VPC) Route public traffic through a network address translation (NAT) gateway or NAT instance. For more information, see How do I give internet access to my Lambda function that's connected to an Amazon VPC?

Note: If the database is publicly accessible and there are no IP address-based restrictions on the database, then follow the instructions in Tutorial: Configuring a Lambda Function to Access Amazon RDS in an Amazon VPC.

Check the security group rules

For private databases, do the following:

Add an inbound rule to your DB security group that allows traffic from the CIDR range of the VPC's subnets or security group.

For public databases, do the following:

Add an inbound rule to your DB security group that allows traffic from the NAT gateway or NAT instance of the VPC.
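To check the two security group conditions above without guessing, here is an added example (not AWS's code) that evaluates a DB security group's inbound rules offline. The rule data is hand-written in the shape that the EC2 `DescribeSecurityGroups` API returns under `IpPermissions`; in practice you would pass the real response from boto3's `ec2.describe_security_groups`. The group ids, CIDRs and IP addresses are constructed placeholders. `inbound_allowed` answers whether a given source security group (private case) or source IP such as the NAT gateway's address (public case) is admitted on the DB port, and `uncovered_subnets` lists Lambda subnets that no CIDR rule covers, which matters because Lambda may place its network interfaces in any of the configured subnets.

```python
import ipaddress

# Added example, not AWS's code. Rule data is constructed in the shape of the
# EC2 DescribeSecurityGroups response so that the checks run offline.

DB_PORT = 3306  # MySQL; use 5432 for PostgreSQL

DB_SECURITY_GROUP = {
    "GroupId": "sg-0db00000000000001",  # constructed id
    "IpPermissions": [
        {   # admits the Lambda function's security group (private case)
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0fn00000000000002"}],
        },
        {   # admits one private subnet CIDR
            "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
            "UserIdGroupPairs": [],
        },
    ],
}


def _port_matches(rule, port):
    """True if the rule's protocol/port range covers TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def inbound_allowed(group, port, source_sg=None, source_ip=None):
    """Return (allowed, reason) for inbound TCP traffic to `port`.

    source_sg: security group id attached to the Lambda ENIs (private DB).
    source_ip: address the traffic arrives from, e.g. the NAT gateway (public DB).
    """
    for rule in group.get("IpPermissions", []):
        if not _port_matches(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if source_sg and pair.get("GroupId") == source_sg:
                return True, f"rule admits source security group {source_sg}"
        for ip_range in rule.get("IpRanges", []):
            net = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
            if source_ip and ipaddress.ip_address(source_ip) in net:
                return True, f"rule admits CIDR {ip_range['CidrIp']}"
    return False, f"no inbound rule on port {port} matches the source"


def uncovered_subnets(group, port, subnet_cidrs):
    """Return the Lambda subnet CIDRs that no inbound CIDR rule on `port` covers."""
    missing = []
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr, strict=False)
        covered = False
        for rule in group.get("IpPermissions", []):
            if not _port_matches(rule, port):
                continue
            for ip_range in rule.get("IpRanges", []):
                allowed = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
                if subnet.subnet_of(allowed):
                    covered = True
        if not covered:
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    print(inbound_allowed(DB_SECURITY_GROUP, DB_PORT, source_sg="sg-0fn00000000000002"))
    print(inbound_allowed(DB_SECURITY_GROUP, DB_PORT, source_ip="10.0.9.5"))  # NAT, not admitted
    print(uncovered_subnets(DB_SECURITY_GROUP, DB_PORT, ["10.0.1.0/24", "10.0.2.0/24"]))
```

A security group rule that references the function's security group is the more robust choice for the private case, since it keeps working when subnets are added to the function's VPC configuration; CIDR rules must be extended for every new subnet.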

Update the Lambda function handler

Update your Lambda function code so that the function opens the database connection outside of the function handler and doesn't close the connection.

Note: Because of the way that Lambda reuses containers, Lambda doesn't re-initialize the code that's outside of a function handler when the container is reused. It's a best practice to create the connection that you plan on reusing outside the handler so that it's still there on each following invocation. Confirm that the connection is still valid before attempting to use it. If it isn't valid, then create a new connection before continuing.
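The handler pattern described above, written out as an added example that is not part of the original article: the connection lives at module level so a warm container reuses it, each invocation validates it with a cheap query before use and reconnects if it has gone stale, and the handler never closes it. The `sqlite3` module stands in for the real RDS driver so the example runs offline; with a MySQL driver such as PyMySQL the `_connect` body would be `pymysql.connect(host=..., connect_timeout=...)` and `_is_alive` would catch that driver's error class instead of `sqlite3.Error`. The `DB_PATH` variable, the `stats` counters and `simulate_stale_connection` are constructed for illustration.

```python
import os
import sqlite3

# Added example, not AWS's code. The connection is created outside the handler
# and validated on every invocation. sqlite3 is an offline stand-in for the
# RDS driver; the comments mark where the real driver calls would go.

DB_TARGET = os.environ.get("DB_PATH", ":memory:")  # stand-in for DB_HOST etc.
CONNECT_TIMEOUT_SECONDS = 5  # keep connect timeouts well under the function timeout

_connection = None  # survives across invocations while the container is warm
stats = {"connects": 0, "reconnects": 0}  # constructed counters for illustration


def _connect():
    # Real driver, for example:
    # pymysql.connect(host=DB_HOST, user=DB_USER, password=DB_PASSWORD,
    #                 database=DB_NAME, connect_timeout=CONNECT_TIMEOUT_SECONDS)
    conn = sqlite3.connect(DB_TARGET, timeout=CONNECT_TIMEOUT_SECONDS)
    stats["connects"] += 1
    return conn


def _is_alive(conn):
    """Cheap health check; a closed or broken connection raises here."""
    try:
        conn.execute("SELECT 1").fetchone()
        return True
    except sqlite3.Error:  # for PyMySQL: pymysql.Error
        return False


def get_connection():
    """Return the cached connection, re-creating it if missing or dead."""
    global _connection
    if _connection is None:
        _connection = _connect()
    elif not _is_alive(_connection):
        stats["reconnects"] += 1
        try:
            _connection.close()
        except sqlite3.Error:
            pass
        _connection = _connect()
    return _connection


def handler(event, context):
    conn = get_connection()  # validated and reused across warm invocations
    row = conn.execute("SELECT 1 + ?", (event.get("n", 0),)).fetchone()
    # Deliberately not closing conn: it is kept for the next invocation.
    return {"result": row[0], "connects": stats["connects"]}


def simulate_stale_connection():
    """Constructed hook: close the cached connection as a dropped one would be."""
    if _connection is not None:
        _connection.close()


if __name__ == "__main__":
    print(handler({"n": 41}, None))
    simulate_stale_connection()
    print(handler({"n": 1}, None), stats)
```

Connections opened during initialization still count against the database's connection limit once many containers are warm, which is one reason the RDS Proxy option later in this article is worth considering for high-concurrency functions.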

Connect using an EC2 instance

As a test, launch an Amazon Elastic Compute Cloud (Amazon EC2) instance with the same Amazon VPC configuration as your Lambda function. Then, try connecting to the Amazon RDS DB instance from the EC2 instance.

If you can connect to the database, then follow the instructions in Troubleshoot networking issues in Lambda.

-or-

If you can't connect to the database, then follow the instructions in How do I resolve problems connecting to my Amazon RDS DB instance?

Use Amazon RDS Proxy

Create an Amazon Relational Database Service (Amazon RDS) Proxy endpoint for your RDS database to handle the database traffic from your Lambda function. For more information, see Using Amazon RDS Proxy with AWS Lambda.

Note: Amazon RDS Proxy support for MySQL and PostgreSQL is now generally available.