How do you assign a VPC and security group to a Lambda in AWS CDK?

Question

I have an AWS CDK stack with a lambda function that needs to insert into an RDS database. When the stack is deployed, the lambda function cannot access the database and gives an error: getaddrinfo ENOTFOUND [RDS endpoint as defined by me]. After manually adding the VPC, subnets and Security group that the RDS database is in, the lambda function works correctly.

How do you define the VPC, Subnets and Security group in AWS CDK, preferably in TypeScript? In as far as there is documentation, I tried:

const vpc = ec2.Vpc.fromLookup(this, "VPC", { vpcName: "myVPC" });

const securityGroup = ec2.SecurityGroup.fromSecurityGroupId(
  this,
  "SG",
  "sg-XXXXX"
);

const subnet1a = ec2.PrivateSubnet.fromSubnetAttributes(this, "SUBNET1A", {
  subnetId: "eu-central-1a"
});

const myLambda = new lambda.Function(this, "myLambda", {
  runtime: lambda.Runtime.NODEJS_12_X,
  code: lambda.Code.fromAsset("lambda"),
  handler: "myLambda.handler",
  description: "myLambda",
  environment: {
    DB_HOST: "XXXX",
    DB_USER: "XXXX",
    DB_PASSWORD: "XXXX",
    DB_NAME: "XXXX"
  },
  vpc: vpc,
  vpcSubnets: [subnet1a],
  securityGroups: [securityGroup]
});

When running cdk deploy This gives an AWS CDK error: "Not possible to place Lambda Functions in a Public subnet Subprocess exited with error 1"

Any help is welcome.

Answer 1

If you want to deploy a Lambda function into a VPC then you should deploy it into a private subnet (one that has subnetType: SubnetType.PRIVATE) or an isolated subnet (one that has subnetType: SubnetType.ISOLATED).

Which you choose depends on whether or not the Lambda function needs outbound internet access. If it does, then use PRIVATE, otherwise use ISOLATED.

To reach an RDS instance in the same VPC, the Lambda function should be placed in a Security Group that has inbound access on the relevant port number to the RDS instance's security group.

Example of VPC here and Lambda here.