
I am currently working on a project which involves a Lambda (master) function that manages several other things:

  • It has an S3 trigger
  • It calls another Lambda function (SubLambda1) which makes an AWS Textract call
  • It calls another Lambda function (SubLambda2) which makes some AWS Bedrock calls
  • It also retrieves and updates information in a MySQL AWS RDS server

When I run the database as publicly accessible, everything works, no problem.
When I emulate the MasterLambda on my home PC, with my IP as an exception within the database's security group but otherwise no public internet access, this also works.

But when I want the MasterLambda to have access to a non-public DB I have to add the DB to the Lambda, which puts the Lambda into the same VPC as the DB and cuts it off from public access. As a result, the MasterLambda can't communicate with the SubLambdas anymore.

I tried to put the SubLambdas into the same VPC, but without success. And even if this worked, would the SubLambdas still be able to make calls to Bedrock and Textract, or would they be cut off and time out too?

The base problem here is that the DB should not be accessible from anywhere on the internet (a password is seemingly not enough).


Answers


  1. Chosen as BEST ANSWER

    Okay, I figured it out, here is how to do it:

    1. Get two blank security groups without inbound or outbound rules, one for the Lambda endpoint and one for the MasterLambda within the VPC.
    2. Create a Lambda endpoint for your VPC (I went for a shotgun approach with all the VPC subnets added to the endpoint).
    3. Add the security group for your Lambda endpoint when creating the endpoint.
    4. Configure the SG of the Lambda endpoint:
      • inbound > all traffic > SG of the Lambda within the VPC
      • outbound > all traffic > open internet
    5. Add the SG for your Lambda to the Lambda in the VPC.
    6. Configure the SG of the Lambda within the VPC:
      • inbound > all traffic > all the other SGs from the VPC (shotgun approach)
      • outbound > all traffic > SG of the endpoint
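
The setup from the steps above expressed as Terraform, as an added example that is not part of the answer: two empty security groups, a Lambda interface endpoint, and SG rules that reference each other. It goes beyond the answer's "all traffic" rules by narrowing them to HTTPS (443), which is the only port the Lambda service endpoint needs; the VPC ID, subnet IDs, region and SG names are assumed placeholders.

```hcl
# Added example (not the poster's code). vpc_id, subnet_ids and region are placeholders.
# aws_security_group with no rules declared is created without AWS's default allow-all egress.
variable "vpc_id"     { type = string }
variable "subnet_ids" { type = list(string) }
variable "region"     { type = string }

# SG for the MasterLambda that runs inside the VPC
resource "aws_security_group" "lambda_in_vpc" {
  name   = "master-lambda-sg"
  vpc_id = var.vpc_id
}

# SG attached to the Lambda VPC interface endpoint
resource "aws_security_group" "lambda_endpoint" {
  name   = "lambda-endpoint-sg"
  vpc_id = var.vpc_id
}

# Endpoint accepts HTTPS only from the in-VPC Lambda's SG (narrower than "all traffic").
# SGs are stateful, so the endpoint SG needs no egress rule for the replies.
resource "aws_vpc_security_group_ingress_rule" "endpoint_from_lambda" {
  security_group_id            = aws_security_group.lambda_endpoint.id
  referenced_security_group_id = aws_security_group.lambda_in_vpc.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# In-VPC Lambda may only reach the endpoint SG on 443.
# It also needs an egress rule to the RDS SG on 3306 (not shown).
resource "aws_vpc_security_group_egress_rule" "lambda_to_endpoint" {
  security_group_id            = aws_security_group.lambda_in_vpc.id
  referenced_security_group_id = aws_security_group.lambda_endpoint.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Interface endpoint for the Lambda service. Private DNS makes the SDK's default
# lambda.<region>.amazonaws.com hostname resolve to the endpoint's private IPs,
# so Invoke() calls to the SubLambdas work without code changes.
resource "aws_vpc_endpoint" "lambda" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.lambda"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.lambda_endpoint.id]
  private_dns_enabled = true
}
```

Attach `aws_security_group.lambda_in_vpc` and the VPC subnets to the MasterLambda's `vpc_config`; Textract and Bedrock calls from the SubLambdas need their own interface endpoints if those functions are also placed in the VPC.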

  2. I think if you put the Lambdas and SubLambdas with the DB in an internal VPC (no internet access) you will have to create VPC endpoints for RDS, Textract and Bedrock.

    For the Bedrock VPC endpoint:
    https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-interface-endpoints.html
