From my understanding, I can run AWS Lambda outside a VPC, as well as the RDS and have that set to publicly accessible. That would be the perfect solution for me because my lambda functions need internet access and a NAT Gateway which would allow that when inside a VPC is way too expensive. In which cases is it safe to go for that option? When is it a bad idea to have an RDS outside a VPC? What are the risks?
Viewed 972 times
2
-
You ask good questions, but more than one in the same post, so I'm having a hard time focusing on one; but I'll try: You can try using a NAT instance instead of a gateway; generally they are cheaper. For No-VPC RDS instances, is it still possible?: https://stackoverflow.com/a/34212058/4636715 . – vahdet Mar 18 '19 at 07:30
-
Thank you @vahdet. I understand we can set the RDS to be publicly accessible, although I wonder about the dangers that come with doing that. – Rony Azrak Mar 18 '19 at 15:25
-
Enabling the *publicly accessible* flag should not be considered to be ok, imho: I always match databases with private subnets in my mind. Yet, at least, you should restrict IPs by making use of a security group. For a larger discussion on a similar topic, see: https://security.stackexchange.com/questions/6991/what-are-the-likely-threats-to-a-public-facing-db-instance – vahdet Mar 18 '19 at 19:59
1 Answer
0
It is a VERY bad idea to expose your SQL server to the public internet. This is a very large security risk and you could eventually lose your data.
If a NAT gateway is too expensive, you could break the project into 2 Lambda functions. Have one Lambda function attached to the VPC access the DB. This Lambda can then invoke a second Lambda function outside of the VPC, execute code, and return the results.
A NAT gateway is still the best solution.

Joseph