How do I configure a Lambda function to connect to an RDS instance?

Last updated: 2021-01-05

I want my AWS Lambda function to connect to a relational database service (RDS) instance. How can I configure the network settings to do that?

Short description

To connect a Lambda function to an RDS instance, the networking configurations on each must be set to allow the connection.

There are different configuration settings for each of the following connection types:

  • A Lambda function and RDS instance in the same virtual private cloud (VPC)
  • A Lambda function and RDS instance in different VPCs
  • A Lambda function and public RDS instance

For information on how to configure a Lambda function's network settings, see Configuring VPC access with the Lambda console. To connect a Lambda function to an Aurora DB cluster, use the Data API for Aurora Serverless.

Note: If the network settings are incorrect, then the Lambda function will time out and display a Task timed out error message.

Resolution

Important: Make sure that you change each Port Range, Source, and Destination setting provided in the following examples to match your own network configurations. Transmission Control Protocol (TCP) is the required protocol for each type of network configuration.

A Lambda function and RDS instance in the same VPC

Use the following networking configurations when connecting a Lambda function to an RDS instance in the same VPC.

Note: All subnets within a VPC contain a local route by default. The destination is the VPC's Classless Inter-Domain Routing (CIDR) and the target is local. For more information, see Route tables.

1.    For Security Groups, use one of the following network settings:

For instances attached to the same security group—make the security group the source for the inbound rule and the destination for the outbound rule.

For example, if the Lambda function and RDS instance are both in security group sg-abcd1234, each instance would have the following inbound and outbound rules.

Example inbound rule for instances attached to the same security group

Type        Protocol  Port Range  Source
Custom TCP  TCP       3306        sg-abcd1234

Example outbound rule for instances attached to the same security group

Type        Protocol  Port Range  Destination
Custom TCP  TCP       3306        sg-abcd1234

-or-

For instances in different security groups—make sure that both security groups allow access to one another.

For example, if the Lambda function is in security group sg-1234 and the RDS instance is in sg-abcd, each group would have the following rules:

Example outbound rule for a Lambda function in a different security group than the RDS instance you want to connect it to

Type        Protocol  Port Range  Destination
Custom TCP  TCP       3306        sg-abcd

Example inbound rule for an RDS instance in a different security group than the Lambda function you want to connect it to

Type        Protocol  Port Range  Source
Custom TCP  TCP       3306        sg-1234

Important: Make sure that the rules allow a TCP connection over the database's port.

2.    For the network access control lists (NACLs), make sure that the inbound and outbound rules allow communication between the Lambda function and RDS instance.    

Note: By default, NACLs allow all inbound and outbound traffic. However, these default settings can be changed.

When configuring the NACLs, do the following:

Make sure that the NACLs for each subnet associated with the RDS instance and Lambda function allow outbound TCP connection to the other instance's subnets' CIDRs.

Note: The following example uses four example subnets labeled by their CIDRs:
For the Lambda function's subnets, 172.31.1.0/24 and 172.31.0.0/28.
For the RDS instance's subnets, 172.31.10.0/24 and 172.31.64.0/20.

Example outbound rules for a Lambda function's subnets' NACLs

Type        Protocol  Port Range  Destination     Allow/Deny
Custom TCP  TCP       3306        172.31.10.0/24  Allow
Custom TCP  TCP       3306        172.31.64.0/20  Allow

Important: The same Outbound rules also need to be applied to the NACLs of the RDS instance's subnets, but with the destination set as the Lambda's subnets' CIDRs.

Make sure that the NACLs for each subnet also have an inbound rule on the ephemeral ports over the CIDR range of the other instance's subnets.

Example inbound rules for a Lambda function's subnets' NACLs

Type        Protocol  Port Range  Source          Allow/Deny
Custom TCP  TCP       1024-65535  172.31.10.0/24  Allow
Custom TCP  TCP       1024-65535  172.31.64.0/20  Allow

Important: The same inbound rules must be applied to the NACLs of the RDS instance's subnets, but with the source set as the Lambda's subnets' CIDRs.
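Because NACLs are stateless, both legs of the TCP handshake have to pass them: the SYN to the database port in one direction and the reply to an ephemeral port in the other. The following is an added example, not code from the AWS article, that evaluates a set of NACL rules offline the way the VPC does (lowest rule number that matches wins) and reports which leg is missing. The subnet CIDRs and port reuse the article's example values; the rule layout is constructed and follows the packet directions of the handshake rather than the mirrored-rule shorthand used in the text above.

```python
import ipaddress
# Added example, not from the AWS article. Checks offline that the stateless NACLs
# on both sides permit a full TCP handshake from a Lambda ENI to the database port.
# Constructed values reuse the article's port 3306 and its four subnet CIDRs.
DB_PORT = 3306
EPHEMERAL_PROBES = (1024, 32768, 65535)  # spot-check of the 1024-65535 return range

def rule(num, direction, ports, cidr, action="allow"):
    """One NACL entry as (rule number, attributes); lower numbers are evaluated first."""
    return (num, {"dir": direction, "ports": ports, "cidr": cidr, "action": action})

def nacl_allows(nacl, direction, peer_subnet, port):
    """Lowest-numbered rule matching direction, port and CIDR wins; the implicit
    final '*' rule denies anything no explicit rule matched."""
    peer = ipaddress.ip_network(peer_subnet)
    for _, r in sorted(nacl, key=lambda entry: entry[0]):
        if (r["dir"] == direction and r["ports"][0] <= port <= r["ports"][1]
                and peer.subnet_of(ipaddress.ip_network(r["cidr"]))):
            return r["action"] == "allow"
    return False

def find_problems(lambda_subnets, lambda_nacl, rds_subnets, rds_nacl):
    """Returns the misconfigurations found; empty means every Lambda subnet can
    complete a TCP handshake with every RDS subnet."""
    problems = []
    for ls in lambda_subnets:
        for rs in rds_subnets:
            # SYN: leaves the Lambda subnet for port 3306 and enters the RDS subnet
            if not nacl_allows(lambda_nacl, "outbound", rs, DB_PORT):
                problems.append(f"Lambda NACL: no outbound {DB_PORT} to {rs}")
            if not nacl_allows(rds_nacl, "inbound", ls, DB_PORT):
                problems.append(f"RDS NACL: no inbound {DB_PORT} from {ls}")
            # SYN-ACK: leaves the RDS subnet for an ephemeral port on the Lambda ENI
            if not all(nacl_allows(rds_nacl, "outbound", ls, p) for p in EPHEMERAL_PROBES):
                problems.append(f"RDS NACL: no outbound ephemeral ports to {ls}")
            if not all(nacl_allows(lambda_nacl, "inbound", rs, p) for p in EPHEMERAL_PROBES):
                problems.append(f"Lambda NACL: no inbound ephemeral ports from {rs}")
    return problems

LAMBDA_SUBNETS = ["172.31.1.0/24", "172.31.0.0/28"]
RDS_SUBNETS = ["172.31.10.0/24", "172.31.64.0/20"]
LAMBDA_NACL = [rule(100, "outbound", (3306, 3306), "172.31.10.0/24"),
               rule(110, "outbound", (3306, 3306), "172.31.64.0/20"),
               rule(120, "inbound", (1024, 65535), "172.31.0.0/16")]
RDS_NACL = [rule(100, "inbound", (3306, 3306), "172.31.0.0/16"),
            rule(110, "outbound", (1024, 65535), "172.31.0.0/16")]
# A deny numbered below the ephemeral allow is a classic cause of the article's
# "Task timed out": the SYN gets through, the SYN-ACK back to Lambda is dropped.
BROKEN_LAMBDA_NACL = [rule(50, "inbound", (1024, 65535), "172.31.64.0/20", "deny")] + LAMBDA_NACL
```

Running find_problems on LAMBDA_NACL returns an empty list, while BROKEN_LAMBDA_NACL reports the missing inbound ephemeral leg for 172.31.64.0/20 only, which is the shape of failure behind a function that times out against one RDS subnet but not the other.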

A Lambda function and RDS instance in different VPCs

First, connect the two VPCs using VPC peering. Then, use the following networking configurations to connect the Lambda function in one VPC to the RDS instance in the other:

Important: Make sure that the VPC peering connection has Domain Name System (DNS) resolution enabled.

1.    For the Route Table, confirm the VPC peering connection was successful by looking for the following:
For the Destination, look for the CIDR of the peered VPC.
For the Target, look for the peering connection.

Note: The following example uses two example values:

For the peered VPC's CIDR, 172.31.0.0/16. For the peering connection, pcx-01234abcd.

Example route table for a Lambda function and an RDS instance in different VPCs

Destination    Target
172.31.0.0/16  pcx-01234abcd
10.0.0.0/16    local

2.    For Security Groups, use the following network settings:

For the Lambda function's security group, make sure that traffic is allowed to go in and out of the CIDR of the RDS instance's VPC.

Note: The following example includes two example VPC CIDRs:
For the RDS instance, 172.31.0.0/16
For the Lambda function, 10.0.0.0/16

Example outbound rule for a Lambda function in a different VPC than the RDS instance

Type        Protocol  Port Range  Destination
Custom TCP  TCP       3306        172.31.0.0/16

For the RDS instance's security group, make sure that traffic is allowed to go in and out of the CIDR of the Lambda function's VPC.

Example inbound rule for an RDS instance in a different VPC than the Lambda function

Type        Protocol  Port Range  Source
Custom TCP  TCP       3306        10.0.0.0/16

3.    For the NACLs, follow the procedure in step 2 of the A Lambda function and RDS instance in the same VPC section, above. The only difference is that the Lambda function's subnet CIDRs now belong to the other VPC.

A Lambda function and a public RDS instance

1.    Make sure DNS routing is enabled on the VPC.

2.    Use one of the following network configurations:

For Lambda functions in the same VPC as the public RDS instance, see the A Lambda function and RDS instance in the same VPC section, above.

Note: The Lambda function doesn't require internet access in this case. The RDS instance's endpoint resolves to its private IP address from inside the VPC.

-or-

For Lambda functions and public RDS instances in different VPCs, see the A Lambda function and RDS instance in different VPCs section, above.

Note: Lambda functions that aren't in a VPC automatically have internet access and can resolve the IP address of a public RDS instance.

3.    Make sure that the following is true for your public RDS configurations:

  • The subnets attached to the RDS instance are public (default route to an internet gateway (IGW)).
  • All NACLs allow all inbound and outbound access.
  • Security groups allow all inbound connections.

Note: If NACL access is to be restricted, make sure that the NACL still allows connection to and from Lambda's VPC CIDR or EC2 CIDR ranges. Make sure that the outbound connection is set to the database's port and the inbound connection is set to ephemeral ports (1024-65535). If a security group's inbound access needs to be restricted, make sure that the group still allows inbound access from Lambda's VPC CIDR or EC2 CIDR ranges.
