How do you assign a VPC and security group to a Lambda in AWS CDK?

I have an AWS CDK stack with a lambda function that needs to insert into an RDS database. When the stack is deployed, the lambda function cannot access the database and gives an error: getaddrinfo ENOTFOUND [RDS endpoint as defined by me]. After manually adding the VPC, subnets and Security group that the RDS database is in, the lambda function works correctly.

How do you define the VPC, subnets and security group in AWS CDK, preferably in TypeScript? Insofar as there is documentation, I tried:

import * as ec2 from "@aws-cdk/aws-ec2";
import * as lambda from "@aws-cdk/aws-lambda";

// Inside the Stack constructor. Vpc.fromLookup runs at synth time and needs
// account and region set in the stack's env.
const vpc = ec2.Vpc.fromLookup(this, "VPC", { vpcName: "myVPC" });

// Security group the RDS instance is in
const securityGroup = ec2.SecurityGroup.fromSecurityGroupId(
  this,
  "SG",
  "sg-XXXXX"
);

// subnetId must be a subnet id ("subnet-..."); "eu-central-1a" is an
// availability zone name, which belongs in the availabilityZone attribute
const subnet1a = ec2.PrivateSubnet.fromSubnetAttributes(this, "SUBNET1A", {
  subnetId: "subnet-XXXXX",
  availabilityZone: "eu-central-1a"
});

const myLambda = new lambda.Function(this, "myLambda", {
  runtime: lambda.Runtime.NODEJS_12_X,
  code: lambda.Code.fromAsset("lambda"),
  handler: "myLambda.handler",
  description: "myLambda",
  environment: {
    DB_HOST: "XXXX",
    DB_USER: "XXXX",
    DB_PASSWORD: "XXXX",
    DB_NAME: "XXXX"
  },
  vpc: vpc,
  // vpcSubnets is a SubnetSelection object, not a bare array of subnets
  vpcSubnets: { subnets: [subnet1a] },
  securityGroups: [securityGroup]
});

When running cdk deploy, this gives an AWS CDK error: "Not possible to place Lambda Functions in a Public subnet", followed by "Subprocess exited with error 1".

Any help is welcome.

Robin asked Mar 17 '20 16:03


1 Answer

If you want to deploy a Lambda function into a VPC then you should deploy it into a private subnet (one that has subnetType: SubnetType.PRIVATE) or an isolated subnet (one that has subnetType: SubnetType.ISOLATED).

Which you choose depends on whether or not the Lambda function needs outbound internet access. If it does, then use PRIVATE, otherwise use ISOLATED.

To reach an RDS instance in the same VPC, the Lambda function should be placed in a Security Group that has inbound access on the relevant port number to the RDS instance's security group.

Example of VPC here and Lambda here.

jarmod answered Oct 21 '22 08:10