AWS Lambda in VPC with RDS and Internet Connection


Problem description


I set up an Aurora Database (provisioned) in a newly created VPC with no public accessibility. As I want to run a Lambda function in the VPC which is able to access both the RDS instances and the Internet, I changed the routing tables of the RDS instances to allow traffic from a NAT gateway which I placed in a public subnet in the same VPC.


For the Lambda function itself, I created a separate private subnet, also just allowing traffic from the NAT gateway in the routing table. I assigned this subnet and VPC to the Lambda function in the Lambda settings. The internet connection works fine with this configuration, but I cannot access the database. That's why I followed this post (https://serverfault.com/questions/941886/connect-an-aws-lambda-function-triggered-by-api-gateway-to-aurora-serverless-mys) and added the IP CIDR of the Lambda subnet to the Security Group of the RDS instances (called rds-launch-wizard).


Still, the Lambda function is able to interact with the public internet but cannot connect to the RDS instances (timeout). I'm running out of ideas; what is wrong here?

Recommended answer

The configuration should be:

  • A Public subnet with a NAT Gateway (and, by definition, an Internet Gateway)
  • A Private subnet with the Amazon RDS instance
  • The same, or a different, Private Subnet associated with the Lambda function
  • The Private Subnet(s) configured with a Route Table with a destination of 0.0.0.0/0 to the NAT Gateway

Then consider the security groups:

  • A security group for the Lambda function (Lambda-SG) that permits all outbound access
  • A security group for the RDS instance (RDS-SG) that should permit inbound access from Lambda-SG on the appropriate database port


That is, RDS-SG is allowing incoming traffic from Lambda-SG (by name). There is no need to use CIDRs in the security group.


The Lambda function will connect to a private subnet via an Elastic Network Interface (ENI) and will be able to communicate both with the RDS instance (directly) and with the Internet (via the NAT Gateway).


Please note that you are not directing "traffic from the NAT Gateway". Rather, you are directing Internet-bound traffic to the NAT Gateway. Nor is there such a thing as "routing tables of the RDS instances" because the Route Tables are associated with subnets, not RDS.
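The layout the answer describes (private subnets routed 0.0.0.0/0 to a NAT Gateway, RDS-SG admitting Lambda-SG by group id rather than by CIDR, route tables attached to subnets rather than to RDS) can be checked mechanically. The script below is an added example, not part of the original post or of AWS's tooling: it encodes those rules as checks over dictionaries shaped like boto3's ec2.describe_route_tables() and ec2.describe_security_groups() responses, so the same functions could later be fed real output. All IDs and CIDRs are constructed placeholders, and the database port 3306 (Aurora MySQL-compatible) is an assumption.

```python
"""Offline checker for the Lambda-in-VPC + RDS layout recommended above.
Dicts mirror boto3's describe_route_tables()/describe_security_groups() shape;
every ID and CIDR is a constructed placeholder.
"""
from typing import List, Optional

DB_PORT = 3306  # assumption: Aurora MySQL-compatible (PostgreSQL would be 5432)
LAMBDA_SG_ID = "sg-lambda0001"  # placeholder id for Lambda-SG (allows all outbound)

# Constructed snapshot of the recommended layout.
ROUTE_TABLES: List[dict] = [
    {   # public subnet hosting the NAT Gateway: default route via the Internet Gateway
        "RouteTableId": "rtb-public0001",
        "Associations": [{"SubnetId": "subnet-public0001"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"}],
    },
    {   # private subnets for the Lambda ENIs and RDS: default route via the NAT Gateway
        "RouteTableId": "rtb-private0001",
        "Associations": [{"SubnetId": "subnet-lambda0001"}, {"SubnetId": "subnet-rds0001"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001"}],
    },
]

def make_rds_sg(port: int, source_sg: Optional[str] = None, cidr: Optional[str] = None) -> dict:
    """RDS-SG with one inbound TCP rule on `port`, sourced from a group id and/or a CIDR."""
    return {"GroupId": "sg-rds0001", "GroupName": "RDS-SG", "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}] if source_sg else [],
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
    }]}

def route_table_for_subnet(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """Route tables are associated with subnets (not with RDS), so look up by subnet."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None  # a real subnet would fall back to the VPC's main route table

def default_route_target(rt: Optional[dict]) -> Optional[str]:
    """Target of the 0.0.0.0/0 route ('igw-...', 'nat-...'), or None if there is none."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("GatewayId")
    return None

def classify_subnet(subnet_id: str, route_tables: List[dict]) -> str:
    """'public' (IGW default route), 'private-nat' (NAT default route), else 'isolated'."""
    target = default_route_target(route_table_for_subnet(subnet_id, route_tables))
    if target and target.startswith("igw-"):
        return "public"
    if target and target.startswith("nat-"):
        return "private-nat"
    return "isolated"

def rds_ingress_findings(rds_sg: dict, lambda_sg_id: str, port: int) -> List[str]:
    """The DB port must be open to Lambda-SG by group reference; CIDR rules are flagged."""
    findings: List[str] = []
    from_lambda_sg = False
    for perm in rds_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" is the "all traffic" protocol
            continue
        lo, hi = (0, 65535) if proto == "-1" else (perm.get("FromPort", 0), perm.get("ToPort", 65535))
        if not lo <= port <= hi:
            continue
        if any(p.get("GroupId") == lambda_sg_id for p in perm.get("UserIdGroupPairs", [])):
            from_lambda_sg = True
        for rng in perm.get("IpRanges", []):
            findings.append(f"RDS-SG: port {port} open to CIDR {rng['CidrIp']}; "
                            f"reference {lambda_sg_id} by id instead")
    if not from_lambda_sg:
        findings.append(f"RDS-SG: no inbound rule on port {port} from {lambda_sg_id}")
    return findings

def check_layout(lambda_subnets: List[str], rds_subnets: List[str], route_tables: List[dict],
                 rds_sg: dict, lambda_sg_id: str = LAMBDA_SG_ID, port: int = DB_PORT) -> List[str]:
    """Deviations from the recommended layout; an empty list means it matches."""
    findings: List[str] = []
    for s in lambda_subnets:
        kind = classify_subnet(s, route_tables)
        if kind != "private-nat":
            findings.append(f"{s} (Lambda): subnet is {kind}; expected 0.0.0.0/0 -> NAT Gateway")
    for s in rds_subnets:
        if classify_subnet(s, route_tables) == "public":
            findings.append(f"{s} (RDS): public subnet; the layout keeps RDS private")
    findings.extend(rds_ingress_findings(rds_sg, lambda_sg_id, port))
    return findings

if __name__ == "__main__":
    ok_sg = make_rds_sg(DB_PORT, source_sg=LAMBDA_SG_ID)
    cidr_sg = make_rds_sg(DB_PORT, cidr="10.0.2.0/24")  # the asker's CIDR-based rule
    for label, sg in (("recommended", ok_sg), ("cidr-based", cidr_sg)):
        print(label, check_layout(["subnet-lambda0001"], ["subnet-rds0001"], ROUTE_TABLES, sg) or "OK")
```

Run as-is, the recommended snapshot produces no findings, while the CIDR-based variant of RDS-SG is reported twice: once for the CIDR rule and once because no rule references Lambda-SG by id. A subnet whose default route points at an Internet Gateway is classified as public, so placing the Lambda function there is also flagged against the answer's "private subnet routed to the NAT Gateway" rule.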
