
I am attempting to make a lambda which will shut down an RDS instance on a schedule. I put my lambda in my VPC because I thought it would not need Internet access. However, I’m trying to use boto3 to access the instance, and I’m getting an error.

import boto3

rds = boto3.client('rds')
dbs = rds.describe_db_instances()  # runs at import time, i.e. during the cold start

def lambda_handler(event, context):
    try:
        # get all of the db instances
        for db in dbs['DBInstances']:
            print("%s@%s:%s %s" % (
                db['MasterUsername'],
                db['Endpoint']['Address'],
                db['Endpoint']['Port'],
                db['DBInstanceStatus']))

    except Exception as e:
        print(e)

However, when boto3 tries to connect to RDS, I’m getting this error.

[ERROR] ConnectTimeoutError: Connect timeout on endpoint URL: "https://rds.us-east-2.amazonaws.com/"

This looks to me like boto3 is trying to call a URL on the internet. I can’t tell if the lambda cannot get out of the VPC or what. Is there no way to just reach within AWS and get to the instance?

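An added example, not code from the question or from either answer: the scheduled stop routine the question is building, written so that a missing route to the RDS API endpoint (the URL in the error above) shows up as a clear, quick failure in the logs rather than a silent hang. Assumptions of mine: the event carries {"db_instance_identifiers": [...]}, and the RDS client is passed into the routine so the logic can be run offline against the constructed FakeRds stand-in at the bottom.

```python
# Added example, not code from the question or either answer: the scheduled
# stop routine the question is building, written so a missing route to the
# RDS API endpoint fails fast in the logs. Assumptions of mine: the event
# carries {"db_instance_identifiers": [...]}, and the RDS client is passed
# in so the logic can be exercised offline with the constructed fake below.
import logging
import os

log = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)

# StopDBInstance only succeeds on an instance in this state; anything else
# raises InvalidDBInstanceState, so filter up front instead of catching.
STOPPABLE_STATUS = "available"


def make_rds_client():
    """Real boto3 client with a short connect timeout and few retries.

    The SDK default is a 60 s connect timeout plus retries, so a VPC Lambda
    with no path to rds.<region>.amazonaws.com hangs until the function's own
    timeout kills it. Five seconds turns that into a clear ConnectTimeoutError.
    """
    import boto3  # imported lazily so the rest of this file runs without boto3
    from botocore.config import Config

    cfg = Config(connect_timeout=5, read_timeout=20, retries={"max_attempts": 2})
    region = os.environ.get("AWS_REGION", "us-east-2")  # us-east-2 as in the question
    return boto3.client("rds", region_name=region, config=cfg)


def plan_stops(db_instances, wanted):
    """Split the wanted identifiers into (to_stop, skipped -> reason).

    db_instances is the 'DBInstances' list from DescribeDBInstances.
    """
    by_id = {db["DBInstanceIdentifier"]: db for db in db_instances}
    to_stop, skipped = [], {}
    for ident in wanted:
        db = by_id.get(ident)
        if db is None:
            skipped[ident] = "not found"
        elif db["DBInstanceStatus"] != STOPPABLE_STATUS:
            skipped[ident] = "status is " + db["DBInstanceStatus"]
        else:
            to_stop.append(ident)
    return to_stop, skipped


def stop_instances(rds, wanted):
    """Describe once, then request a stop for each eligible instance."""
    resp = rds.describe_db_instances()
    to_stop, skipped = plan_stops(resp["DBInstances"], wanted)
    for ident, reason in skipped.items():
        log.warning("skipping %s: %s", ident, reason)
    stopped = []
    for ident in to_stop:
        rds.stop_db_instance(DBInstanceIdentifier=ident)
        log.info("stop requested for %s", ident)
        stopped.append(ident)
    return {"stopped": stopped, "skipped": skipped}


def lambda_handler(event, context):
    # Build the client per invocation. A module-level describe call (as in the
    # question) runs during cold start, so its timeout surfaces as an init
    # failure instead of inside the handler's try/except.
    rds = make_rds_client()
    return stop_instances(rds, event.get("db_instance_identifiers", []))


class FakeRds:
    """Constructed stand-in for boto3's RDS client (offline use only)."""

    def __init__(self):
        self.stop_calls = []

    def describe_db_instances(self):
        return {"DBInstances": [
            {"DBInstanceIdentifier": "app-db", "DBInstanceStatus": "available"},
            {"DBInstanceIdentifier": "warm-db", "DBInstanceStatus": "stopped"},
        ]}

    def stop_db_instance(self, DBInstanceIdentifier):
        self.stop_calls.append(DBInstanceIdentifier)
        return {"DBInstance": {"DBInstanceIdentifier": DBInstanceIdentifier,
                               "DBInstanceStatus": "stopping"}}


if __name__ == "__main__":
    fake = FakeRds()
    print(stop_instances(fake, ["app-db", "warm-db", "ghost-db"]))
```

Two things worth noting for whoever deploys this: the function's execution role only needs rds:DescribeDBInstances and rds:StopDBInstance on the instances it manages, and whichever of the options in the answers is chosen (no VPC, a public path, or a VPC endpoint), the short connect timeout is what turns a wrong network setup into an actionable log line instead of a function that times out after several minutes.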

Answers


  1. You should not attach the AWS Lambda function to a VPC because it does not need to access any resources in the VPC.

    The API calls being made to the Amazon RDS service are being sent to an endpoint on the Internet, not within the VPC. The Amazon RDS service will then turn the database on/off.

    By not specifying a VPC for the Lambda function, it will have direct access to the Internet and the calls will succeed.

  2. If you do want your Lambda in a VPC for extra security (or other reasons), there are two options I can think of for connecting to RDS: 1) Making it capable of reaching the public internet; or 2) Making it connect to RDS without leaving the AWS Network. You can even use both depending on your use cases (I’ll explain the differences later).

    For both solutions, first you need to figure out which subnets and security group are linked to your Lambda:

    Lambda screen

    Solution 1. Associate Elastic IPs to the Lambda’s Network Interfaces

    Next, go to EC2 Service, find the Public IPs menu under Network & Security. Allocate one IP for each subnet (in the example above there are two subnets).

    Go to Network Interfaces menu, find the network interfaces attached to your lambda (same subnet and security group).

    Network Interfaces

    Associate the Public IPs in the actions menu for each one:

    Actions menu

    Associate IP

    Solution 2. Create a VPC Endpoint for RDS

    Go to VPC Service in the console, open the Endpoints menu option under Virtual private cloud. Click the Create Endpoint button on top.

    VPC Endpoints

    Choose the AWS Service you want to connect (e.g. RDS, S3, Secrets Manager), select the VPC your lambda is in:

    Create Endpoint 1

    Select the subnets (based on the AZ) and Security Group your lambda is linked to:

    Create Endpoint 2

    Do this for each AWS Service your Lambda needs access to (e.g. RDS, S3, etc).

    Explanation and How to choose one

    Your Lambda loses access to the public internet when inside a VPC, so you can’t fetch data from external services/APIs, which includes most AWS Services because the connection is made via the public internet.

    Solution 1 will make your Lambda capable of reaching public internet again, which is convenient.

    Solution 2 will make your Lambda capable of connecting to AWS Services without leaving the AWS Network, which reduces latency and improves security.

    If your lambda only needs access to RDS and a few other AWS Services, you can go with solution 2. If your lambda needs to access external APIs (unrelated to AWS), you need solution 1, but even in that case you could mix them and use solution 2 for better security and reduced latency, so you can use both.

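An added example, not the answer's own code: the same VPC endpoint from Solution 2 built with boto3 instead of the console. It shows the three details the console screens hide: the service name for the RDS API, private DNS so the SDK's default URL resolves to the endpoint without changing the question's code, and an endpoint policy plus a security group rule that limit what can pass through this path. Every id in it (vpc-, subnet-, sg-, vpce-) is a placeholder of mine, and the constructed FakeEc2 lets the file run offline.

```python
# Added example, not the answer's own code: the CreateVpcEndpoint request for
# the RDS API (answer 2, solution 2) built with boto3's parameter names, the
# ingress rule the endpoint's security group needs, and a check of the two VPC
# DNS attributes private DNS depends on. Every id below (vpc-, subnet-, sg-) is a
# placeholder of mine; the constructed FakeEc2 lets the file run offline.
import json


def rds_endpoint_request(region, vpc_id, subnet_ids, endpoint_sg_id, allowed_actions):
    """Return the kwargs for ec2.create_vpc_endpoint(**kwargs).

    ServiceName is the RDS control-plane API, i.e. what boto3.client('rds') calls;
    it is not the database listener port, which is reachable from inside the VPC
    regardless. PrivateDnsEnabled makes rds.<region>.amazonaws.com resolve to the
    endpoint's private IPs, so the question's code needs no endpoint_url change.
    The endpoint policy limits what can be done through this network path to
    the listed actions, whatever rights the caller's credentials carry.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": sorted(allowed_actions),
            "Resource": "*",
        }],
    }
    return {
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.%s.rds" % region,
        "VpcId": vpc_id,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [endpoint_sg_id],
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(policy),
    }


def endpoint_ingress(lambda_sg_id):
    """IpPermissions for authorize_security_group_ingress on the endpoint's SG:
    HTTPS only, and only from the Lambda's security group, not a CIDR."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": lambda_sg_id}],
    }]


def vpc_dns_ready(ec2, vpc_id):
    """Private DNS on an interface endpoint requires both VPC DNS attributes."""
    ok = True
    for attr, key in (("enableDnsSupport", "EnableDnsSupport"),
                      ("enableDnsHostnames", "EnableDnsHostnames")):
        resp = ec2.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)
        ok = ok and bool(resp[key]["Value"])
    return ok


def create_rds_endpoint(ec2, region, vpc_id, subnet_ids, endpoint_sg_id,
                        lambda_sg_id, allowed_actions):
    """Wire everything up; returns the new endpoint id. ec2 is a boto3 EC2 client."""
    if not vpc_dns_ready(ec2, vpc_id):
        raise RuntimeError("enable DNS support and DNS hostnames on %s first" % vpc_id)
    ec2.authorize_security_group_ingress(GroupId=endpoint_sg_id,
                                         IpPermissions=endpoint_ingress(lambda_sg_id))
    req = rds_endpoint_request(region, vpc_id, subnet_ids, endpoint_sg_id, allowed_actions)
    return ec2.create_vpc_endpoint(**req)["VpcEndpoint"]["VpcEndpointId"]


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (offline use only)."""

    def __init__(self, dns_on=True):
        self.dns_on = dns_on
        self.calls = []

    def describe_vpc_attribute(self, VpcId, Attribute):
        key = "EnableDnsSupport" if Attribute == "enableDnsSupport" else "EnableDnsHostnames"
        return {"VpcId": VpcId, key: {"Value": self.dns_on}}

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize_security_group_ingress", kwargs))
        return {"Return": True}

    def create_vpc_endpoint(self, **kwargs):
        self.calls.append(("create_vpc_endpoint", kwargs))
        return {"VpcEndpoint": {"VpcEndpointId": "vpce-placeholder",
                                "ServiceName": kwargs["ServiceName"]}}


if __name__ == "__main__":
    ec2 = FakeEc2()
    print(create_rds_endpoint(ec2, "us-east-2", "vpc-placeholder",
                              ["subnet-a-placeholder", "subnet-b-placeholder"],
                              "sg-endpoint-placeholder", "sg-lambda-placeholder",
                              ["rds:DescribeDBInstances", "rds:StopDBInstance"]))
```

The endpoint's security group is separate from the Lambda's: the Lambda's group needs outbound 443 (allowed by default), and the endpoint's group needs the inbound 443 rule above, referenced by group id rather than by CIDR so it keeps working when Lambda re-creates its network interfaces. The endpoint policy is the network-layer counterpart of the execution role: even if a broader credential ends up in that function, only the listed RDS actions can leave through this endpoint.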