You must create a REST API using AWS API Gateway, with Lambda as the backend and an Oracle RDS instance as the database.
You have created the API methods and the Lambda function code, and spun up the Oracle RDS instance in a private VPC with no Internet Gateway.
When you try to connect to the RDS instance from your Lambda function, the connection fails.
What could be the reason? (choose 2 options)
A. B. C. D.
Answer: B, C.
Option A is not correct.
A policy on the role only defines which API actions can be made on an RDS instance, such as rds:CreateDBInstance, rds:CreateDBSecurityGroup, rds:CreateDBSnapshot, etc.
The policy does not define whether a resource can connect to an RDS instance.
Option B is correct.
When the Lambda function runs in “no VPC” network mode, it will not have access to resources running in a private VPC.
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
Option C is correct.
Security groups act as a firewall for any resources (such as RDS instance and Lambda in this case) they are connected with.
If there is no inbound rule defined to allow connections from the Lambda subnet IP range or the Lambda security group, connections will fail.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
Option D is not correct.
There is no such configuration for the destination in the Lambda setup.
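The two checks behind options B and C can be run against the configuration itself. The following is an added example, not part of the original question: it assumes dictionaries shaped like the boto3 responses of lambda get_function_configuration, rds describe_db_instances and ec2 describe_security_groups, uses the default Oracle listener port 1521, and runs on constructed sample data.

```python
import ipaddress

def _covers_port(perm, port):
    """True if an ingress permission applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def diagnose(fn_cfg, db, db_sgs, lambda_subnet_cidrs):
    """Return the reasons (options B/C above) the function cannot reach the database."""
    vpc = fn_cfg.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        return ["B: function runs in 'no VPC' mode"]
    port = db["Endpoint"]["Port"]
    attached = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
    perms = [p for sg in db_sgs if sg["GroupId"] in attached
             for p in sg.get("IpPermissions", []) if _covers_port(p, port)]
    # Rule form 1: the database group references the Lambda security group.
    by_group = any(pair["GroupId"] in vpc.get("SecurityGroupIds", [])
                   for p in perms for pair in p.get("UserIdGroupPairs", []))
    # Rule form 2: allowed CIDR ranges cover every Lambda subnet.
    allowed = [ipaddress.ip_network(r["CidrIp"])
               for p in perms for r in p.get("IpRanges", [])]
    by_cidr = bool(lambda_subnet_cidrs) and all(
        any(ipaddress.ip_network(c).subnet_of(a) for a in allowed)
        for c in lambda_subnet_cidrs)
    if by_group or by_cidr:
        return []
    return [f"C: no inbound rule for tcp/{port} from the Lambda security group or subnets"]

# Constructed sample data (all IDs and addresses are made up).
DB = {"Endpoint": {"Port": 1521},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]}
FN_NO_VPC = {"FunctionName": "orders-api"}
FN_IN_VPC = {"FunctionName": "orders-api",
             "VpcConfig": {"SubnetIds": ["subnet-a"], "SecurityGroupIds": ["sg-fn"]}}
SG_CLOSED = [{"GroupId": "sg-db", "IpPermissions": []}]
SG_BY_GROUP = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
     "UserIdGroupPairs": [{"GroupId": "sg-fn"}], "IpRanges": []}]}]
SG_BY_CIDR = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]

if __name__ == "__main__":
    print(diagnose(FN_NO_VPC, DB, SG_CLOSED, []))
    print(diagnose(FN_IN_VPC, DB, SG_CLOSED, ["10.0.1.0/24"]))
    print(diagnose(FN_IN_VPC, DB, SG_BY_GROUP, ["10.0.1.0/24"]))
```

Referencing the Lambda security group in the inbound rule is the narrower of the two rule forms, since a subnet CIDR rule admits every resource placed in that subnet.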
The reason for the connection failure between the Lambda function and the RDS instance could be two of the following options:
A. Lambda execution role does not have policy to access RDS instance. When a Lambda function needs to access any AWS service, including RDS, the Lambda execution role must have the necessary permissions to access those services. In this case, the Lambda execution role should have the AmazonRDSFullAccess policy or a custom policy with the necessary permissions to access the RDS instance. If the role doesn't have the correct policy attached, it will not be able to connect to the RDS instance.
C. RDS instance security group is not allowing connections from Lambda subnet range. Another possible reason for the connection failure could be that the security group associated with the RDS instance is not configured to allow connections from the Lambda function's subnet range. By default, RDS instances are created with a security group that only allows connections from within the same VPC. Therefore, if the Lambda function is running in a different subnet from the RDS instance, the security group must be updated to allow incoming connections from the subnet where the Lambda function is running.
B. Lambda function is running in “no VPC” network mode. This option is not directly related to the connection failure between the Lambda function and the RDS instance. However, it's worth mentioning that if the Lambda function is running in "no VPC" network mode, it will not be able to access resources in a VPC, including RDS instances that are located within a VPC.
D. RDS instance is not configured as destination in Lambda setup. This option is also not directly related to the connection failure between the Lambda function and the RDS instance. However, it's worth mentioning that the RDS instance must be configured as the destination for the Lambda function to properly connect and send/receive data to/from the RDS instance. This can be done by configuring the appropriate database endpoint, username, and password in the Lambda function's code or environment variables.
To summarize, the two possible reasons for the connection failure between the Lambda function and the RDS instance are a lack of permissions in the Lambda execution role and a misconfigured security group for the RDS instance.