How do I troubleshoot consistent connection timeouts from Lambda when accessing an Amazon RDS DB instance?
Last updated: 2020-02-27
My AWS Lambda function is getting consistent connection timeout errors while trying to access an Amazon Relational Database Service (Amazon RDS) DB instance. How do I troubleshoot these errors?
Consistent connection timeout errors can occur for various reasons depending on your use case and Lambda function configuration. Follow these steps to troubleshoot the errors.
Note: If you're getting intermittent and transient connection timeouts, capture the events and retry them as part of your Lambda function's error handling. For more information, see Error Handling and Automatic Retries in AWS Lambda.
Check the Lambda function logs
If you haven't done so already, enable logging for the connection, and then review your Lambda function's logs. For more information, see Monitoring and Troubleshooting Lambda Applications.
Check the VPC configuration
Do either of the following:
- If the database is privately accessible, put your Lambda function in the same Amazon Virtual Private Cloud (Amazon VPC) as the database. Or, create a VPC peering connection between the Amazon VPC that contains your function and the Amazon VPC that contains your database.
- If the database is publicly accessible and there are no IP address-based restrictions on the database, you don't need to put your Lambda function in an Amazon VPC. If your function is already in an Amazon VPC, route public traffic via a NAT gateway or NAT instance. For more information, see How do I give internet access to my Lambda function in a VPC?
For more information, see Tutorial: Configuring a Lambda Function to Access Amazon RDS in an Amazon VPC.
Check the security group rules
Do either of the following:
- If the database is privately accessible and your Lambda function is in an Amazon VPC, then add an inbound rule to your DB security group to allow traffic from the CIDR range of the VPC's subnets or from the Lambda function's security group.
- If the database is publicly accessible and your Lambda function is in an Amazon VPC, then add an inbound rule to your DB security group to allow traffic from the NAT gateway or NAT instance of the VPC.
Update the Lambda function handler
Update your Lambda function code so that it opens the database connection outside the function handler and doesn't close that connection when the handler returns. Because Lambda reuses execution containers, the code outside the handler isn't run again on a warm invocation, so the function reuses the existing connection instead of re-establishing it on every invocation.
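The pattern above as an added Python example (not AWS's code): the connection lives in module scope, is checked before reuse and is never closed in the handler, and a short-timeout TCP check separates VPC or security-group failures from database-side problems. `db_connect`, `db_ping` and `DB_HOST` are hypothetical placeholders you replace with your driver and endpoint.

```python
import logging
import socket
import time

LOG = logging.getLogger(__name__)
DB_HOST = "db.example.internal"  # constructed placeholder: use your RDS endpoint
DB_PORT = 5432
CONNECT_TIMEOUT = 5  # seconds; keep below the function timeout so a hang is logged, not killed

# Module scope runs once per container; Lambda keeps these across warm invocations.
_conn = None
_stats = {"opened": 0, "reused": 0}

def tcp_check(host=DB_HOST, port=DB_PORT, timeout=CONNECT_TIMEOUT):
    """Return (reachable, seconds, error); a timeout here points at VPC routing or security groups."""
    start, error = time.monotonic(), None
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:  # socket.timeout and ConnectionRefusedError are both OSError
        error = exc
        LOG.error("TCP connect to %s:%d failed: %r", host, port, exc)
    return error is None, time.monotonic() - start, error

def db_connect():
    """Placeholder: e.g. psycopg2.connect(host=DB_HOST, port=DB_PORT, connect_timeout=CONNECT_TIMEOUT, ...)."""
    raise NotImplementedError("replace db_connect() with your driver's connect()")

def db_ping(conn):
    """Placeholder liveness probe (e.g. run SELECT 1); must raise if the connection is dead."""
    raise NotImplementedError("replace db_ping() with a cheap query on conn")

def get_connection(connect=db_connect, ping=db_ping):
    """Reuse the cached connection; reconnect only when it is missing or fails the ping."""
    global _conn
    if _conn is not None:
        try:
            ping(_conn)
            _stats["reused"] += 1
            return _conn
        except Exception as exc:
            LOG.warning("cached connection unusable (%r); reconnecting", exc)
            _conn = None
    _conn = connect()
    _stats["opened"] += 1
    return _conn

def handler(event, context, connect=db_connect, ping=db_ping):
    """Lambda entry point: use the shared connection and do NOT close it on the way out."""
    get_connection(connect, ping)
    return {"opened": _stats["opened"], "reused": _stats["reused"]}
```

Call `tcp_check()` once at cold start and log its result; a 5-second failure in the log is far easier to act on than a function killed at its own timeout.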
Connect using an EC2 instance
As a test, launch an Amazon Elastic Compute Cloud (Amazon EC2) instance with the same Amazon VPC configuration as your Lambda function. Try connecting to the RDS DB instance from the EC2 instance.
- If you're able to connect to the database, then the root cause of the connection error is on the Lambda side. Continue troubleshooting for Lambda networking issues.
- If you're unable to connect to the database, then the root cause is a problem with the networking configuration.
For more information, see How do I resolve problems connecting to my Amazon RDS DB instance?
Use Amazon RDS Proxy (Preview)
Create an Amazon RDS Proxy endpoint for your RDS database to handle the database traffic from your Lambda function. For more information, see Using Amazon RDS Proxy with AWS Lambda.
Note: During preview, Amazon RDS Proxy is available in the Asia Pacific (Tokyo), EU (Ireland), US East (Ohio), US East (N. Virginia), and US West (Oregon) AWS Regions.