1

There are a couple of questions around this, but none seem to solve my specific problem.

So I have a publicly accessible RDS instance in a VPC with two Security Groups: one is the default SG for the VPC and the other allows incoming connections from our developer machines. I am able to successfully connect to this RDS via my developer machines (personal laptops/PCs) as a result of the second Security Group.

Now, when I try to connect to this RDS via a Lambda running in the same VPC, it fails with this error: "java.net.UnknownHostException: ****.rds.amazonaws.com: Name or service not known"

My Lambda is getting launched in the same VPC as RDS and I have chosen all the RDS VPC subnets for the Lambda. It is also tied to the default VPC security group.

Below is my understanding (obviously not right, as the connection is not working); what am I missing here?

The default VPC SG (security group) associated with the Lambda has outgoing rules set to 0.0.0.0/0, hence it should allow the Lambda to access the whole world; so at least the RDS in the VPC should be accessible.

The same default VPC SG should allow the RDS to accept incoming connections from any IP in the SG subnets (the inbound rule mentions SG/default); hence the Lambda should be able to access it.

nikel
  • Where are your "developer machines"? Are they Amazon EC2 instances in the same VPC, or are they computers connected to the Internet? – John Rotenstein May 03 '21 at 08:22
  • Some computers connected to the internet. The problem is with the Lambdas not being able to access RDS in the VPC. – nikel May 03 '21 at 08:24
  • See if this helps https://stackoverflow.com/questions/67230097/ec2-could-not-resolve-private-dns-host-name/67238780#67238780 – GSSwain May 03 '21 at 08:47
  • I am using the default VPCs for this purpose, and both of the flags mentioned in the post are enabled for this VPC – nikel May 03 '21 at 09:18

2 Answers

1

The error message is indicating that it cannot resolve the DNS Name of the RDS database (Name or service not known).

I suspect that this is due to the fact that the RDS instance has been configured as publicly accessible, which gives it a public DNS Name and IP address.

An AWS Lambda function connected to a VPC will send all network traffic via the VPC. It does not have access to the Internet unless there is a NAT in the VPC and the Lambda function is connected to a Private Subnet. Thus, the connection attempts from the Lambda function are possibly attempting to resolve a Public DNS Name, but is failing to do so.

This could likely be resolved by changing the RDS instance to be Publicly Available = No. This not only makes it safer, but it means that the DNS Name will resolve to a Private IP address, which should work correctly with a Lambda function connected to the VPC.

Alternatively, you could configure the Lambda function to not be connected to the VPC. This gives it Internet access, so it will connect to the RDS database just like any other computer on the Internet.

John Rotenstein
  • The reasoning about DNS resolution does make sense; however, I have followed a similar setup for Lambda -> Redshift earlier which worked. Hence I am wondering what's the difference here. If I make RDS private, I will have to go through a complicated process of setting up bastions for accessing it, which I want to avoid for now. Also, making RDS totally public (without any incoming restrictions) is not very secure. Hence I want to have fixed IP ranges for incoming connections, which won't be possible with Lambda IMO. – nikel May 03 '21 at 08:38
  • As described above, it was the wrong endpoint that was creating the problem. I also inspected the default VPC and found that default VPCs come with an internet gateway; maybe that's what's helping in resolution of the endpoint for the developer machines? Another thing I am curious about is why the cluster endpoint is not accessible, but the instance endpoint is. Any ideas? – nikel May 04 '21 at 05:04
0

So the problem was that on my developer machine I was using the DB instance endpoint, but in the Lambda I was using the cluster endpoint. They look similar, hence I was not able to catch it earlier. On fixing the Lambda to use the instance endpoint, both the Lambda and the developer machines can successfully connect to the RDS.

However, I am now curious why the cluster URL is not accessible, but I will create another question for that.

nikel
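The two answers above turn on the same pair of checks: which kind of RDS hostname the client is holding (the accepted answer's cluster endpoint versus instance endpoint) and whether that name resolves at all and, if it does, to a private address that a VPC-attached Lambda can reach without a NAT path (John Rotenstein's DNS reasoning). The following script is an added example, not code from the question or either answer. It classifies an RDS hostname by its label pattern (Aurora cluster endpoints carry a `cluster-` label, reader endpoints `cluster-ro-`, instance endpoints neither) and reports the resolution result. The resolver is injectable: the constructed `SAMPLE_DNS` table and `fake_resolver` below are assumptions so that it runs offline, and `socket.gethostbyname` can be passed in for a live check from inside the VPC.

```python
"""Diagnose an RDS endpoint name the way the answers above reason about it.

Added example (not from the question or answers). Hostnames, addresses and
the lookup table below are constructed sample data.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

# RFC 1918 ranges: an address here is reachable over the VPC network from a
# VPC-attached Lambda. Checked explicitly rather than via ip_address.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# <name>.<qualifier>.<region>.rds.amazonaws.com
_RDS_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+)\.(?P<qualifier>[a-z0-9-]+)\.(?P<region>[a-z0-9-]+)"
    r"\.rds\.amazonaws\.com$",
    re.IGNORECASE,
)


def classify_rds_endpoint(host: str) -> str:
    """Return 'cluster', 'cluster-reader', 'instance' or 'not-rds'."""
    m = _RDS_HOST.match(host.strip().rstrip("."))
    if not m:
        return "not-rds"
    qualifier = m.group("qualifier").lower()
    if qualifier.startswith("cluster-ro-"):
        return "cluster-reader"
    if qualifier.startswith("cluster-"):
        return "cluster"
    return "instance"


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def check_endpoint(host: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[object]]:
    """Resolve the name and say whether a VPC-attached Lambda could reach it."""
    result: Dict[str, Optional[object]] = {
        "host": host,
        "endpoint_type": classify_rds_endpoint(host),
        "resolved": None,
        "private_address": None,
        "note": "",
    }
    try:
        ip = resolver(host)
    except OSError as exc:  # socket.gaierror: the UnknownHostException case
        result["note"] = f"DNS resolution failed: {exc}"
        return result
    result["resolved"] = ip
    private = is_rfc1918(ip)
    result["private_address"] = private
    if private:
        result["note"] = "private address: reachable over the VPC if security groups allow it"
    else:
        result["note"] = "public address: a VPC-attached Lambda needs a NAT path to reach it"
    return result


# Constructed lookup table standing in for DNS (assumption, not real records).
SAMPLE_DNS: Dict[str, Optional[str]] = {
    # instance endpoint of a non-public instance: resolves to a VPC address
    "mydb.abcdefghijkl.us-east-1.rds.amazonaws.com": "10.0.12.34",
    # cluster endpoint that does not resolve, as in the question
    "mydb.cluster-abcdefghijkl.us-east-1.rds.amazonaws.com": None,
    # publicly accessible instance: resolves to a public (documentation-range) address
    "public-db.abcdefghijkl.us-east-1.rds.amazonaws.com": "203.0.113.10",
}


def fake_resolver(host: str) -> str:
    """Offline stand-in for socket.gethostbyname over the constructed table."""
    ip = SAMPLE_DNS.get(host)
    if ip is None:
        raise socket.gaierror(f"{host}: Name or service not known")
    return ip


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        r = check_endpoint(name, fake_resolver)
        print(f"{r['host']}\n  type={r['endpoint_type']} resolved={r['resolved']} {r['note']}")
```

Run it as-is to see the three cases from the thread side by side; inside the VPC, call `check_endpoint(host)` with the default resolver to learn whether the name the Lambda holds resolves and to which kind of address.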