
I am trying to produce the correct CDK scripts (TypeScript) to create an environment with a Lambda (accessed via API Gateway) that can call an RDS (Sql Server instance).

I believe I have it mostly working, but I wanted to connect to the RDS instance from my development machine to run some queries and check on a few things.

My RDS instance is in a private subnet, and so I believe in order to connect to it I need to add an Internet Gateway and security group to allow access on the appropriate ports.

For the life of me I can't figure out the last piece: how to add the internet gateway using CDK.

The latest script I have tried is as follows:

import { Vpc, SubnetType } from '@aws-cdk/aws-ec2';

const privateSubnectConfiguration = {
  cidrMask: 26,
  name: 'private-subnet',
  subnetType: SubnetType.PRIVATE,
};

const publicSubnectConfiguration = {
  cidrMask: 26,
  name: 'public-subnet',
  subnetType: SubnetType.PUBLIC,
};

const vpc = new Vpc(this, props.generateId('vpc'), {
  maxAzs: 2,
  subnetConfiguration: [privateSubnectConfiguration, publicSubnectConfiguration],
  natGateways: 1,
});

// This call is what fails at deploy time (error below): it adds a Gateway VPC
// Endpoint for a service name, not an Internet Gateway.
vpc.addGatewayEndpoint(props.generateId('internet-gateway'), {
  service: { name: "ig-service" }
});

Which then fails with: "The Vpc Endpoint Service 'ig-service' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidServiceName;"

I see references to the CfnInternetGateway in the docs, but just can't figure out how to attach a new one to my VPC?

Can you please help with the syntax?

shenku

1 Answer


First of all, you cannot directly access a database in a private subnet. You have to deploy a proxy instance in your public subnet and forward the required ports to access your database.

When using the CDK VPC construct, an Internet Gateway is created by default whenever you create a public subnet. The default route is also set up for the public subnet. So you should remove addGatewayEndpoint() from your code, which adds a Gateway VPC Endpoint that you don't need.

You may also consider using SubnetType.ISOLATED to create a private subnet without a NAT GW, which may be redundant in your case. SubnetType.PRIVATE creates a NAT Gateway by default.

Vikyol
  • What do you mean by a proxy instance? I thought by opening up the security group I could access it? – shenku Nov 12 '19 at 09:52
  • A resource is not accessible from outside its VPC if launched in a private subnet. So you can either launch your RDS DB instance in a public subnet or proxy the requests through an instance in a public subnet (similar to using a bastion host to access an instance in a private subnet). – Vikyol Nov 12 '19 at 10:04