As we know, Lambda functions run in an isolated VPC managed by AWS. Lambdas can access other AWS services, public resources and have access to the internet. But how can they access private resources, like RDS instances, in a different VPC?
We want our database to be in a private subnet within a VPC because we can use that network isolation to reduce the exposure to attacks, limit access to specific resources and take care of any compliance standards and regulations.
Let’s start by defining our challenge and move to the solution.
Challenge
We have an Amazon RDS (PostgreSQL) in a private subnet within a Virtual Private Cloud (VPC).The database password is securely stored in AWS SecretsManager for heightened security, ensuring optimal protection. Our goal is to enable a Lambda function to securely connect to Amazon RDS by retrieving the password from AWS SecretsManager.
Solution
The key steps are as follows:
- Place the Lambda function inside our VPC to enable secure communication with internal resources.
- Configure the Lambda function’s role with appropriate permissions for accessing AWS services.
- Create a VPC endpoint to allow the Lambda function to access SecretsManager without internet exposure securely.
- Set up security groups for the Lambda function to access SecretsManager via the VPC endpoint.
- Configure another security group to enable the Lambda function to access the RDS instance securely.
- Apply a security group to the RDS instance that allows inbound connections from authorized sources.
We can easily test the Lambda function by directly invoking it using a Lambda function URL, which can be accessed using a simple curl command.
Our solution will be done with AWS CDK and Golang. The CDK code structure comprises three stacks:
- Network stack: This stack includes the configuration for VPC, VPC endpoint, and Lambda security groups.
- Storage stack: Here, we set up Amazon RDS PostgreSQL with credentials and security group settings.
- Application stack: This stack involves creating a Lambda function with its corresponding security groups and role, along with the Lambda function URL.
For the sake of simplicity, we’ll treat the code here as if it were consolidated into one stack. However, you can find the complete example with the CDK code divided into three stacks on our GitHub repository below.
Network
First, we create a new VPC with two public and two private subnets.
Then we create two security groups, one for the VPC endpoint and one for the Lambda. We need to configure the VPC endpoint security group to allow port 443 inbound traffic from the Lambda security group and the Lambda security group to allow port 443 outbound traffic to the VPC endpoint security group. We do this here because you can pass the security group to other lambdas, if needed.
With VPC and security groups created above, we can create a VPC endpoint for the SecretsManager.
Storage
First, we create a security group that will allow connections to the database from the VPC.
Then we create a database instance with credentials. CDK will automatically create an AWS Secrets Manager secret and store it there.
Application
First, we create a Lambda role.
Then we create a security group that will allow Lambda to connect to the database.
With this, we can now create our Lambda function, named pingdb, and also create the URL to trigger it.
You have noticed that we have environment variables for our function which we can use in our code. Speaking of code, here is the Lambda handler code to test the DB connectivity:
After CDK deployment is successful, we can use the function URL, which will be in the Outputs, to trigger the Lambda function.
You can find the code here: https://github.com/ProductDock/lambda-vpc-rds-example
Other useful links and documentation:
https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaVPCAccessExecutionRole.html
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecretsManagerReadWrite.html
