I have a lambda function that needs to access RDS and the internet. Everything out there points to having to set up a NAT gateway; the RDS in question is publicly accessible, and the lambda is able to connect to it if I allow connections to the RDS from all IPs; however, I would like to avoid that. Is there a way to determine the possible range of IPs to be assigned to a lambda function and whitelist that range in the security group?
Whitelisting IP is not considered to be secure. Are you trying to avoid the NAT cost? There is a cheaper way to do this by setting up a NAT EC2 instance – jellycsc Aug 01 '20 at 03:07
Having your RDS database publicly accessible is a poor choice for security. Also, when the application connects to the database via its DNS Name, the DNS Name will resolve to a _public_ IP address, causing the traffic to exit the VPC and then come back in. This also incurs a 1c/GB data transfer charge. – John Rotenstein Aug 01 '20 at 07:43
1 Answer
Place your Lambda in a private subnet of your VPC and set a security group for the Lambda. After that, add the Lambda security group as an inbound source of the RDS security group. Then, the Lambda will communicate with the RDS privately.
The private subnet should route 0.0.0.0/0 to the internet through a NAT gateway, with the NAT gateway located in the public subnet. Then, the private subnet can connect to the internet safely.

Lamanus
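The layout from this answer turned into an offline audit on constructed data (an added example, not the answerer's code): the dicts mimic the shape of boto3's EC2 `describe_security_groups` and `describe_route_tables` responses, and the group IDs, NAT gateway ID and database port (5432) are assumed placeholders. It flags the "open to all IPs" rule the questioner wanted to avoid and confirms the private route table sends 0.0.0.0/0 via a NAT gateway rather than an internet gateway.

```python
"""Audit DB security-group ingress and private-subnet routing (constructed data).

Dicts below follow the shape of boto3 describe_security_groups and
describe_route_tables output; all IDs are assumed placeholders.
"""
from typing import Dict, List

# Constructed sample: the DB group as the questioner had it (open to every IP)
# next to the fixed version that only references the Lambda's security group.
LAMBDA_SG = "sg-lambda0001"
SECURITY_GROUPS = [
    {"GroupId": "sg-rds-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rds-fixed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LAMBDA_SG}]}]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}]},
]


def db_ingress_findings(group: Dict, db_port: int, allowed_sg: str) -> List[str]:
    """Return problems with a DB group's inbound rules; an empty list means OK."""
    findings = []
    for perm in group["IpPermissions"]:
        # Rules with IpProtocol "-1" carry no ports and cover every port.
        in_range = perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535)
        if not in_range:
            continue
        for r in perm.get("IpRanges", []):
            if r["CidrIp"].endswith("/0"):
                findings.append(f"{group['GroupId']}: port {db_port} open to {r['CidrIp']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != allowed_sg:
                findings.append(f"{group['GroupId']}: unexpected source group {pair['GroupId']}")
    return findings


def is_private_subnet_table(rt: Dict) -> bool:
    """True when the default route leaves via a NAT gateway, not an internet gateway."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return bool(route.get("NatGatewayId"))
    return False
```

Against a real account, feed the functions the `SecurityGroups` and `RouteTables` lists from the corresponding boto3 calls instead of the constructed dicts.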