
I was running a serverless web application on a Lambda inside a VPC, connecting to an Aurora MySQL RDS instance with inbound rules allowing traffic from the security group of the Lambda. The connection was working fine; however, quite often the Lambda cold start was giving me a timeout. After some research, I found out that running a Lambda in a VPC brings an additional cost on startup, and I saw the recommendation in more than one place to avoid running a Lambda in a VPC unless you strictly need to access some resource in the VPC.

So, I decided to move my RDS to a publicly accessible instance, so my Lambda can access it over the internet, and to remove the Lambda from the VPC.

So, I changed the RDS Public accessibility option to Yes and edited the security group to allow inbound connections from any IP. I have also removed the VPC from the Lambda, so the Lambda is not running in a VPC anymore. I thought it was going to be enough.

But then my Lambda started failing to connect to the database. I tried to connect using my local client; again, failure.

I tried pinging the hostname and got request timeouts.

After digging a bit into it, I found that my DB instance's subnet group having some private subnets might be a problem (?). So, I created a new subnet group with only public subnets and tried to move my DB instance to the new subnet group... but got this message:

You cannot move DB instance my-instance to subnet group my-new-group. The specified DB subnet group and DB instance are in the same VPC.

OK, it seems that I can't move to a different subnet in the same VPC. I started trying to create a new VPC, but it doesn't seem right, and I'm sure there is something else I am missing here.

I also read about ACLs and thought that this might be the problem, because there is a rule DENY to everything, but I cannot edit it:

ALL Traffic ALL ALL 0.0.0.0/0 DENY

My RDS Network settings

Subnet group
default

Subnets
subnet-11111111
subnet-22222222
subnet-33333333
subnet-44444444
subnet-55555555
subnet-66666666

Security
VPC security groups
default (sg-111111)
( active )

Public accessibility
Yes

My Security group inbound rules

Type         Protocol  Port range  Source     Description (optional)
All traffic  All       All         0.0.0.0/0  -
All traffic  All       All         ::/0       -

Still can't connect; can't even ping:

ping my-instance.xxxxxxx.us-east-1.rds.amazonaws.com
PING ec2-xx-xx-xx-xx.compute-1.amazonaws.com (xx.xx.xx.xx): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

Any idea of what I am missing here?

dfranca
  • Can you connect to the DB using a client from your PC? – Tim Mar 19 '20 at 23:05
  • @Tim No, I can't.... I get some error like "Can't connect to MySQL server on 'my-instance.xxxxxxxxxx.us-east-1.rds.amazonaws.com' (60)" – dfranca Mar 19 '20 at 23:07
  • Get that working first before you try to connect the Lambda. I didn't know you could alter a database to be publicly accessible, but AWS changes all the time. Things to check: security groups, database security groups (not sure if they're still a thing), routing, internet gateway – Tim Mar 20 '20 at 04:26
  • Yes, I'm first trying to just connect with my local client – dfranca Mar 20 '20 at 08:53
  • Move your RDS to the public subnet; if you were using the default VPC, the internet gateway is already configured, if not you have to configure that. – Krismorte Apr 23 '20 at 13:16

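The question and the comments describe, between them, the checklist for a publicly reachable RDS endpoint: Public accessibility must be Yes, the subnet the instance actually sits in must have a 0.0.0.0/0 route to an internet gateway, the security group must admit the client on the database port, and the subnet's network ACL must allow the traffic in both directions (the `ALL Traffic ... DENY` row the question could not edit is the implicit catch-all rule every network ACL carries; it only applies when no numbered rule matches). The checker below is an added example, not code from the question or from AWS; it runs those checks offline over the JSON shapes returned by `aws rds describe-db-instances`, `aws ec2 describe-subnets`, `describe-route-tables`, `describe-security-groups` and `describe-network-acls` (only the fields it needs are modelled), using constructed sample data that mirrors the question: a subnet group mixing a public and a private subnet, and a security group open to the world. Resource IDs, the client IP and the ephemeral port are assumptions. It tests tcp/3306 reachability rather than ICMP, which the question already shows timing out, and it also flags the all-traffic-from-0.0.0.0/0 rule as over-broad, since a public RDS instance should admit only the database port from known source ranges.

```python
"""Offline reachability checker for a publicly accessible RDS instance.

Added example, not the original poster's code. Input dicts mimic the
subset of the AWS CLI describe-* output used here; all data is constructed.
"""
import ipaddress
from copy import deepcopy

EPHEMERAL_PORT = 49152  # representative return-traffic port for the stateless NACL egress check (assumption)


def _ip_in(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def route_table_for(subnet_id, vpc_id, route_tables):
    """A subnet uses its explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_is_public(subnet_id, vpc_id, route_tables):
    """'Public' means a 0.0.0.0/0 route whose target is an internet gateway (igw-*)."""
    rt = route_table_for(subnet_id, vpc_id, route_tables)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in rt.get("Routes", []))


def _perm_matches(perm, ip, port):
    """Security groups are stateful: one ingress rule admitting ip:port is enough."""
    proto = perm["IpProtocol"]
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    return any(_ip_in(r["CidrIp"], ip) for r in perm.get("IpRanges", []))


def nacl_verdict(nacl, egress, ip, port):
    """NACL entries are evaluated lowest rule number first; the first match wins.
    Rule 32767 is the implicit catch-all DENY every NACL carries (shown as '*' in
    the console, not editable); it only fires when no numbered rule matched."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", "6"):  # all protocols, or TCP
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if not _ip_in(e["CidrBlock"], ip):
            continue
        return e["RuleAction"]
    return "deny"


def check_rds_reachability(instance, subnets, route_tables, security_groups, nacls, client_ip):
    """Return {'reachable': bool, 'findings': [str]} for one client IP."""
    findings, blocking = [], False
    vpc_id = instance["DBSubnetGroup"]["VpcId"]
    port = instance["Endpoint"]["Port"]
    subnet_by_id = {s["SubnetId"]: s for s in subnets}

    if not instance["PubliclyAccessible"]:
        findings.append("PubliclyAccessible is No: the endpoint resolves to a private IP only")
        blocking = True

    # The instance lives in the subnet-group member that is in its Availability Zone.
    for member in instance["DBSubnetGroup"]["Subnets"]:
        sid = member["SubnetIdentifier"]
        current = subnet_by_id[sid]["AvailabilityZone"] == instance["AvailabilityZone"]
        if not subnet_is_public(sid, vpc_id, route_tables):
            if current:
                findings.append(f"instance is in {sid}, which has no 0.0.0.0/0 route to an internet gateway")
                blocking = True
            else:
                findings.append(f"subnet group member {sid} is private (a failover or modify could place the instance there)")
        if current:
            nacl = next((n for n in nacls if any(a.get("SubnetId") == sid for a in n["Associations"])), None)
            if nacl and nacl_verdict(nacl, False, client_ip, port) != "allow":
                findings.append(f"network ACL {nacl['NetworkAclId']} denies inbound tcp/{port} from {client_ip}")
                blocking = True
            if nacl and nacl_verdict(nacl, True, client_ip, EPHEMERAL_PORT) != "allow":
                findings.append(f"network ACL {nacl['NetworkAclId']} denies return traffic to {client_ip}")
                blocking = True

    sg_ids = {g["VpcSecurityGroupId"] for g in instance["VpcSecurityGroups"]}
    perms = [p for g in security_groups if g["GroupId"] in sg_ids for p in g["IpPermissions"]]
    if not any(_perm_matches(p, client_ip, port) for p in perms):
        findings.append(f"no security group rule admits {client_ip} on tcp/{port}")
        blocking = True
    if any(p["IpProtocol"] == "-1" and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
           for p in perms):
        findings.append(f"security group admits all protocols from 0.0.0.0/0; restrict to tcp/{port} from known source ranges")
    return {"reachable": not blocking, "findings": findings}


# Constructed sample mirroring the question: mixed public/private subnet group, wide-open SG, default NACL.
VPC = "vpc-0example"
SAMPLE_INSTANCE = {
    "DBInstanceIdentifier": "my-instance", "PubliclyAccessible": True, "AvailabilityZone": "us-east-1b",
    "Endpoint": {"Port": 3306},
    "DBSubnetGroup": {"VpcId": VPC, "Subnets": [{"SubnetIdentifier": "subnet-public-a"},
                                                 {"SubnetIdentifier": "subnet-private-b"}]},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-example"}],
}
SAMPLE_SUBNETS = [{"SubnetId": "subnet-public-a", "VpcId": VPC, "AvailabilityZone": "us-east-1a"},
                  {"SubnetId": "subnet-private-b", "VpcId": VPC, "AvailabilityZone": "us-east-1b"}]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": VPC, "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": VPC, "Associations": [{"SubnetId": "subnet-public-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
SAMPLE_SGS = [{"GroupId": "sg-example",
               "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
SAMPLE_NACLS = [{"NetworkAclId": "acl-default",
                 "Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-private-b"}],
                 "Entries": [
                     {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                     {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                     {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                     {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                 ]}]
CLIENT_IP = "203.0.113.10"  # assumed public IP of the laptop / Lambda


def run_sample():
    """The question's situation: instance landed in the private subnet."""
    return check_rds_reachability(SAMPLE_INSTANCE, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES,
                                  SAMPLE_SGS, SAMPLE_NACLS, CLIENT_IP)


def run_fixed():
    """Same data with the instance placed in the AZ whose subnet routes to the IGW."""
    inst = deepcopy(SAMPLE_INSTANCE)
    inst["AvailabilityZone"] = "us-east-1a"
    return check_rds_reachability(inst, SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES,
                                  SAMPLE_SGS, SAMPLE_NACLS, CLIENT_IP)


if __name__ == "__main__":
    for label, result in (("as posted", run_sample()), ("instance in public subnet", run_fixed())):
        print(label, "->", "reachable" if result["reachable"] else "NOT reachable")
        for f in result["findings"]:
            print("  -", f)
```

On the constructed data the first run reports that the instance sits in a subnet with no internet gateway route, which matches the question's symptoms even though Public accessibility, the security group and the NACL are all permissive; moving the instance into the public subnet clears the blocking finding, while the over-broad security group is still reported as something to tighten.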