
I have an AWS Lambda application deployed via Serverless Framework. It needs a database, the CloudFormation for which I include in serverless.yaml's resources section.

With minimal knowledge of VPCs, subnets, and security groups, my goal is the following:

  1. Create/update a MySQL RDS instance with the serverless deploys.
  2. The functions in the Lambda application should be able to access the database.
  3. The database should be accessible publicly with a password, so I can connect with MySQL tools like Sequel Ace from my computer.

What I've tried so far:

I've attempted this with the below serverless configuration. It creates the database but it doesn't fulfill #2 and #3.

I've also tried setting provider.vpc.securityGroupIds and provider.vpc.subnetIds in serverless.yaml to the same ones the RDS instance uses, to no avail.

serverless.yaml (the relevant sections):

service: myapp

provider:
    name: aws
    runtime: provided.al2
    lambdaHashingVersion: 20201221

functions:
    console:
        handler: bin/console
        timeout: 120 # in seconds
        layers:
            - ${bref:layer.php-80} # PHP
            - ${bref:layer.console} # The "console" layer

resources:
    Resources:
        # RDS instance
        ProductDatabase:
            Type: AWS::RDS::DBInstance
            Properties:
                AllocatedStorage: 5
                DBInstanceClass: db.t3.micro
                DBName: myapp
                Engine: mysql
                EngineVersion: 8.0.25
                MasterUsername: myappuser
                MasterUserPassword: redacted
                PubliclyAccessible: true

1 Answer


There is a good article here that explains the steps you need.

In order for your Lambda to have access to your AWS resources it needs to be inside the same VPC, and its execution role needs to have the appropriate permissions through IAM Roles/Groups.

You also want to avoid having your RDS open to the world, so you should be creating all of this inside a VPC. You can attach your lambda function to the VPC, then allow access to the RDS only to the VPC subnets via a security group.

That will get you steps 1 and 2 of your requirements.

In this same security group you can allow access to the external IP address of your computer to get step 3. You can configure this through the CLI so if you don't have a static IP it only takes a second to add. PowerShell example below:

$rule = @{ IpProtocol = "tcp"; FromPort = 3306; ToPort = 3306; IpRanges = "123.123.123.123/32" }  # MySQL port, your current public IP as a /32
Grant-EC2SecurityGroupIngress -GroupId "sg-xxxxxxxxxx" -IpPermission @( $rule )
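A complete serverless.yaml that wires the answer's three points together (Lambda attached to the VPC, a database security group that trusts only the Lambda security group plus one workstation /32, and public subnets so the PubliclyAccessible endpoint is actually reachable). This is an added example, not code from the question, the answer or the linked article. The CIDR blocks, the logical resource names (AppVpc, SubnetA, SubnetB, LambdaSecurityGroup, DatabaseSecurityGroup, DbSubnetGroup), the 203.0.113.10/32 workstation address and the DB_PASSWORD environment variable are assumptions; the functions block and the RDS properties are carried over from the question.

```yaml
service: myapp

provider:
  name: aws
  runtime: provided.al2
  # Requirement 2: every function's network interface lands in the app subnets
  # and carries LambdaSecurityGroup, which the database security group trusts.
  vpc:
    securityGroupIds: [{ Ref: LambdaSecurityGroup }]
    subnetIds: [{ Ref: SubnetA }, { Ref: SubnetB }]
  environment:
    # Hand the RDS endpoint to the code instead of copying it from the console
    DB_HOST: { Fn::GetAtt: [ProductDatabase, Endpoint.Address] }
    DB_PORT: { Fn::GetAtt: [ProductDatabase, Endpoint.Port] }

functions:
  console:
    handler: bin/console
    timeout: 120
    layers:
      - ${bref:layer.php-80}
      - ${bref:layer.console}

resources:
  Resources:
    AppVpc:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        EnableDnsSupport: true      # the RDS endpoint name must resolve from inside the VPC
        EnableDnsHostnames: true
    Igw:
      Type: AWS::EC2::InternetGateway
    IgwAttachment:
      Type: AWS::EC2::VPCGatewayAttachment
      Properties: { VpcId: { Ref: AppVpc }, InternetGatewayId: { Ref: Igw } }
    PublicRouteTable:
      Type: AWS::EC2::RouteTable
      Properties: { VpcId: { Ref: AppVpc } }
    DefaultRoute:
      # Requirement 3: a public RDS address is only reachable from subnets routed to the IGW
      Type: AWS::EC2::Route
      DependsOn: IgwAttachment
      Properties:
        RouteTableId: { Ref: PublicRouteTable }
        DestinationCidrBlock: 0.0.0.0/0
        GatewayId: { Ref: Igw }
    SubnetA:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId: { Ref: AppVpc }
        CidrBlock: 10.0.1.0/24
        AvailabilityZone: { Fn::Select: [0, { Fn::GetAZs: "" }] }
    SubnetB:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId: { Ref: AppVpc }
        CidrBlock: 10.0.2.0/24
        AvailabilityZone: { Fn::Select: [1, { Fn::GetAZs: "" }] }
    SubnetAAssoc:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties: { SubnetId: { Ref: SubnetA }, RouteTableId: { Ref: PublicRouteTable } }
    SubnetBAssoc:
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties: { SubnetId: { Ref: SubnetB }, RouteTableId: { Ref: PublicRouteTable } }
    LambdaSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: myapp Lambda functions (outbound only, no ingress rules)
        VpcId: { Ref: AppVpc }
    DatabaseSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: MySQL ingress for myapp
        VpcId: { Ref: AppVpc }
        SecurityGroupIngress:
          # Requirement 2: any interface in LambdaSecurityGroup may reach port 3306
          - { IpProtocol: tcp, FromPort: 3306, ToPort: 3306, SourceSecurityGroupId: { Ref: LambdaSecurityGroup } }
          # Requirement 3: one workstation /32 (placeholder address), never 0.0.0.0/0
          - { IpProtocol: tcp, FromPort: 3306, ToPort: 3306, CidrIp: "203.0.113.10/32" }
    DbSubnetGroup:
      Type: AWS::RDS::DBSubnetGroup
      Properties:
        DBSubnetGroupDescription: Subnets for the myapp database
        SubnetIds: [{ Ref: SubnetA }, { Ref: SubnetB }]
    ProductDatabase:
      Type: AWS::RDS::DBInstance
      Properties:
        AllocatedStorage: 5
        DBInstanceClass: db.t3.micro
        DBName: myapp
        Engine: mysql
        EngineVersion: 8.0.25
        MasterUsername: myappuser
        MasterUserPassword: ${env:DB_PASSWORD}   # read at deploy time so it is not committed
        PubliclyAccessible: true
        DBSubnetGroupName: { Ref: DbSubnetGroup }
        VPCSecurityGroups: [{ Ref: DatabaseSecurityGroup }]
```

The two ingress rules are the whole access policy: the database never trusts an address range for the functions, only membership in LambdaSecurityGroup, and the only CIDR rule is the developer's /32, which is the rule the answer's PowerShell command adds or refreshes when that address changes. When provider.vpc is set, Serverless Framework attaches the VPC network-interface permissions (AWSLambdaVPCAccessExecutionRole) to the execution role it generates, so no extra IAM statements are needed for the attachment itself.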

4 Comments

I've followed the steps in that article without success. When my lambda function tries to connect to the database, it's not able to connect to the host (SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution). I'm using the host and port specified on the RDS instance. I've confirmed that the function and db are on the same VPC and subnets, and each has its own security group. Here's what my serverless.yaml looks like: gist.github.com/amacrobert/caf25534e9bb3dced0e81444637186cf

There are a few things I'd be doing to see where it is falling over. First thing is to set up VPC Flow Logs. These log all traffic through the network interfaces. Once set up you should see entries in there from the Lambda and targeting the RDS. If you are getting deny messages then it is the security group config you need to look at. Here is the documentation on setting it up docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html. Just to confirm, you are using the endpoint from the connectivity & security tab in RDS as the hostname?

If it is not hitting the VPC Flow logs at all then have a look at the Lambda console, find your Lambda function, Configuration tab, then VPC in list on the left. Check that it is attached to the VPC and the subnet and security group info all looks correct. You could also spin up an EC2 instance in the same subnet as the Lambda function, and use the Lambda security group for it. Create a simple test php page that connects to the RDS instance using the same configuration you are using in the Lambda function. That will probably be easier to debug.

You can also use Reachability Analyzer under the VPC in the console to check configuration between the EC2 network interface and the RDS network interface. I don't think it is possible to use this with the Lambda function though (but I've not specifically tried).
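The VPC Flow Logs step suggested in the comments, expressed as CloudFormation in the serverless.yaml resources section so it is deployed and removed with the stack. This is an added example, not part of the thread; it assumes the VPC's logical id in the same template is AppVpc, and the log group name, role name and retention are assumptions.

```yaml
resources:
  Resources:
    VpcFlowLogGroup:
      Type: AWS::Logs::LogGroup
      Properties:
        LogGroupName: /myapp/vpc-flow-logs
        RetentionInDays: 7
    VpcFlowLogRole:
      # Role the VPC Flow Logs service assumes to write into the log group above
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: { Service: vpc-flow-logs.amazonaws.com }
              Action: sts:AssumeRole
        Policies:
          - PolicyName: write-flow-logs
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, logs:DescribeLogStreams]
                  Resource: "*"   # the policy shape from the AWS flow-logs documentation; narrow to the group ARN if your review requires it
    VpcFlowLog:
      Type: AWS::EC2::FlowLog
      Properties:
        ResourceType: VPC
        ResourceId: { Ref: AppVpc }            # assumed logical id of the VPC in the same template
        TrafficType: REJECT                    # only denied flows while debugging security groups
        LogDestinationType: cloud-watch-logs
        LogGroupName: { Ref: VpcFlowLogGroup }
        DeliverLogsPermissionArn: { Fn::GetAtt: [VpcFlowLogRole, Arn] }
        MaxAggregationInterval: 60             # seconds; the 600 default is slow when iterating
```

With TrafficType set to REJECT, every record in the group is a denied flow; a record whose dstport is 3306 and whose interface-id is the database's network interface means the packet reached the VPC and was dropped by the security group or network ACL, which is the case the comment describes. No records at all, as the next comment says, points at the Lambda not being attached to the VPC or at name resolution failing before any packet is sent.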
