
Background

I'm building a Lambda function (Node.js 20 runtime) that connects to an Amazon RDS MySQL database within the same VPC.

Both the Lambda and the RDS instance are deployed in private subnets.
However, every attempt to connect results in a connection timeout.


What I’ve tried

  1. Verified that the Lambda is in the same VPC and private subnets as the RDS instance.
  2. Allowed inbound traffic on port 3306 from the Lambda's security group to the RDS security group.
  3. Added a NAT Gateway to the subnets used by the Lambda (no change).
  4. Tested connectivity from an EC2 instance in the same subnet — connection succeeds.

Code sample

import mysql from "mysql2/promise";

export const handler = async () => {
  // Connect to the RDS MySQL endpoint using credentials from the environment
  const conn = await mysql.createConnection({
    host: process.env.DB_HOST,
    user: "admin",
    password: process.env.DB_PASS,
  });
  try {
    const [rows] = await conn.query("SELECT 1");
    console.log(rows);
    return rows;
  } finally {
    // Close the connection so it does not linger in the execution environment
    await conn.end();
  }
};

Question

What could cause a Lambda function inside a VPC to time out when connecting to an RDS instance in the same VPC, even though security groups and subnets seem properly configured?

  • "Allowed inbound traffic on port 3306 from the Lambda's security group to the RDS security group." That is a rule you created inside the RDS instance's security group, correct? The way you phrased it makes that unclear. Creating that rule in the Lambda function's security group would not have any effect. Commented Oct 29 at 15:32
  • To isolate the issue, temporarily allow all inbound traffic to the RDS instance (in its associated security group) and test whether you could connect. If you could, then the issue is with security groups. Commented Oct 30 at 7:32
  • Use the EC2 instance with the Lambda's security group only to see if the connection still goes through. I am suspecting the Lambda's security group might be causing the issue, maybe outbound traffic rules? You can also perform a ping (ICMP) from the Lambda function to see if the destination is reachable; allow ICMP inbound traffic on the RDS instance. Commented Nov 10 at 15:30

1 Answer


The configuration should be:

  • A security group on the AWS Lambda function (Lambda-SG) that permits all outbound traffic to 0.0.0.0/0
  • A security group on the RDS database (RDS-SG) that permits inbound traffic on port 3306 from RDS-SG

That is, RDS-SG should specifically reference Lambda-SG.

Also, make sure the Network ACLs (NACLs) are set to their default 'Allow All' configuration and both the Lambda function and the RDS database are in the same VPC.
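As an added example (not code from the question or the answer): a Node.js check that audits the JSON returned by `aws ec2 describe-security-groups` for the pairing the answer describes, and also flags the misplacement the first comment asks about (the 3306 rule created as ingress on the Lambda's group instead of the RDS group). The function name `auditLambdaToRds` and the `sg-...-PLACEHOLDER` group IDs are assumptions; the sample groups are constructed.

```javascript
// Added example: audit a describe-security-groups result for the Lambda -> RDS path.
// Input shape mirrors `aws ec2 describe-security-groups --output json` (SecurityGroups[]).
const MYSQL_PORT = 3306;

// True if an IpPermission entry covers the given TCP port (an all-traffic rule also counts).
function coversTcpPort(perm, port) {
  if (perm.IpProtocol === "-1") return true;
  if (perm.IpProtocol !== "tcp") return false;
  return perm.FromPort <= port && perm.ToPort >= port;
}

// Returns findings (empty when configured as the answer describes): RDS-SG needs an inbound
// tcp/3306 rule whose source is Lambda-SG, and Lambda-SG needs outbound tcp/3306 allowed.
function auditLambdaToRds(securityGroups, lambdaSgId, rdsSgId) {
  const byId = new Map(securityGroups.map((g) => [g.GroupId, g]));
  const lambdaSg = byId.get(lambdaSgId);
  const rdsSg = byId.get(rdsSgId);
  const findings = [];
  if (!lambdaSg) findings.push(`Lambda-SG ${lambdaSgId} not found`);
  if (!rdsSg) findings.push(`RDS-SG ${rdsSgId} not found`);
  if (findings.length) return findings;

  const refersTo = (p, id) => (p.UserIdGroupPairs || []).some((pair) => pair.GroupId === id);
  const rdsInbound = (rdsSg.IpPermissions || []).some(
    (p) => coversTcpPort(p, MYSQL_PORT) && refersTo(p, lambdaSgId));
  if (!rdsInbound) findings.push(`${rdsSgId}: no inbound tcp/${MYSQL_PORT} rule from ${lambdaSgId}`);

  // Misplacement: the 3306 rule was created as INGRESS on the Lambda SG, pointing at RDS-SG.
  const misplaced = (lambdaSg.IpPermissions || []).some(
    (p) => coversTcpPort(p, MYSQL_PORT) && refersTo(p, rdsSgId));
  if (misplaced) findings.push(`${lambdaSgId}: tcp/${MYSQL_PORT} rule is ingress here; it belongs on ${rdsSgId}`);

  const lambdaEgress = (lambdaSg.IpPermissionsEgress || []).some((p) => coversTcpPort(p, MYSQL_PORT));
  if (!lambdaEgress) findings.push(`${lambdaSgId}: outbound tcp/${MYSQL_PORT} not allowed`);
  return findings;
}

// Constructed samples (placeholder IDs): the misplaced rule, then the recommended configuration.
const LAMBDA_SG = "sg-lambda-PLACEHOLDER", RDS_SG = "sg-rds-PLACEHOLDER";
const allowAllEgress = [{ IpProtocol: "-1", IpRanges: [{ CidrIp: "0.0.0.0/0" }] }];
const mysqlFrom = (id) => ({ IpProtocol: "tcp", FromPort: 3306, ToPort: 3306, UserIdGroupPairs: [{ GroupId: id }] });
const misconfigured = [
  { GroupId: LAMBDA_SG, IpPermissions: [mysqlFrom(RDS_SG)], IpPermissionsEgress: allowAllEgress },
  { GroupId: RDS_SG, IpPermissions: [], IpPermissionsEgress: allowAllEgress },
];
const recommended = [
  { GroupId: LAMBDA_SG, IpPermissions: [], IpPermissionsEgress: allowAllEgress },
  { GroupId: RDS_SG, IpPermissions: [mysqlFrom(LAMBDA_SG)], IpPermissionsEgress: allowAllEgress },
];
console.log(auditLambdaToRds(misconfigured, LAMBDA_SG, RDS_SG)); // two findings
console.log(auditLambdaToRds(recommended, LAMBDA_SG, RDS_SG));   // []
```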
