Connection from Lambda to RDS in a different account


I have an RDS in one AWS Account - say Acct-1. The RDS is public (I know it's not a good idea and there are other solutions for that).

I have a lambda in another AWS Account - say Acct-2 which runs in a VPC.

I have set up VPC peering between the 2 accounts; the route table entries are in place, as well as the security group inbound/outbound policies.

In Acct-2 I can verify that I can connect to the RDS instance in Acct-1 using a mysql client from an EC2 instance. The EC2 instance is in the same subnet as the Lambda and they both have the same security group. But the Lambda gets a connection timeout. The Lambda has the typical Lambda execution role that allows logs and network interfaces.

Thoughts on what could be missing? Does the RDS need to grant specific access to the Lambda service even if it's running in a VPC?

Clarification: There is no route to the RDS instance from the internet. Clearly, the EC2 host is able to resolve the private IP for the RDS instance from the DNS name and connect. Lambda is unable to resolve the private IP for the RDS instance. I'm trying to keep the traffic within AWS so as to not pay egress costs.

0

There are 0 answers