Tags: amazon-web-services, aws-lambda, connection, amazon-rds

AWS multiple Lambdas, RDS, Bedrock, Textract, connections


I am currently working on a project which involves a Lambda (master) function that manages various other things.

When I make the database publicly accessible, everything works, no problem. When I emulate the MasterLambda on my home PC, with my IP as an exception within the database's security group but otherwise no public internet access, this also works.

But when I want the MasterLambda to have access to a non-public DB, I have to add the DB to the Lambda, which puts the Lambda into the same VPC as the DB and cuts it off from public access. As a result, the MasterLambda can't communicate with the Sublambdas anymore.

I tried to put the Sublambdas into the same VPC, but without success. And even if this worked, would the Sublambdas still be able to make calls to Bedrock and Textract, or would they be cut off and time out too?

The base problem here is that the DB should not be accessible from anywhere on the internet (a password is seemingly not enough).


Solution

  • Okay, I figured it out; here is how to do it:

    1. Get two blank security groups without inbound and outbound rules, one for the Lambda endpoint, one for the MasterLambda within the VPC
    2. Create a Lambda endpoint for your VPC (I went for a shotgun approach with all the VPC subnets added to the endpoint)
    3. Add the security group for your Lambda endpoint when creating the endpoint
    4. Configure the SG of the Lambda endpoint:
      • inbound > all traffic > SG from the Lambda within the VPC
      • outbound > all traffic > open internet
    5. Add the SG for your Lambda to the Lambda in the VPC
    6. Configure the SG of the Lambda within the VPC:
      • inbound > all traffic > all the other SGs from the VPC (shotgun approach)
      • outbound > all traffic > SG of the endpoint
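The same setup written as a Terraform configuration, added here as an example and not part of the original answer: the VPC id, subnet ids and region are assumed variables, and the two security-group rules are narrowed from "all traffic" to HTTPS between the endpoint SG and the Lambda SG, which is all the Lambda Invoke API needs.

```hcl
# Added example, not from the original post. Assumed inputs: the VPC the
# database lives in, its subnets, and the region (placeholders, fill in yours).
variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }
variable "region"     { type = string }

# SG attached to the MasterLambda that runs inside the VPC (step 1/5).
resource "aws_security_group" "lambda_in_vpc" {
  name   = "master-lambda-in-vpc"
  vpc_id = var.vpc_id
}

# SG attached to the ENIs of the Lambda interface endpoint (step 1/3).
resource "aws_security_group" "lambda_endpoint" {
  name   = "lambda-vpc-endpoint"
  vpc_id = var.vpc_id
}

# Step 4: endpoint SG accepts traffic only from the Lambda SG, and only HTTPS,
# instead of "all traffic"; Lambda API calls are TLS on 443.
resource "aws_vpc_security_group_ingress_rule" "endpoint_from_lambda" {
  security_group_id            = aws_security_group.lambda_endpoint.id
  referenced_security_group_id = aws_security_group.lambda_in_vpc.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Step 6: Lambda SG may send HTTPS only to the endpoint SG. No rule to
# 0.0.0.0/0 is needed, so the function stays cut off from the public internet.
resource "aws_vpc_security_group_egress_rule" "lambda_to_endpoint" {
  security_group_id            = aws_security_group.lambda_in_vpc.id
  referenced_security_group_id = aws_security_group.lambda_endpoint.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Step 2/3: interface endpoint for the Lambda service in the VPC's subnets.
# private_dns_enabled makes the regional Lambda hostname resolve to the
# endpoint, so the SDK in the MasterLambda needs no custom endpoint URL.
resource "aws_vpc_endpoint" "lambda" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.lambda"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.lambda_endpoint.id]
  private_dns_enabled = true
}
```

The database connection still needs its own pair of rules: an egress rule on the Lambda SG to the database SG on the DB port, and a matching ingress rule on the database SG referencing the Lambda SG rather than an IP exception.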