AWS Certified Developer – Associate / Question #1094 of 557

Question #1094

A developer is deploying a new Python AWS Lambda function that is not connected to a VPC. The Lambda function needs to connect to and query an Amazon RDS PostgreSQL database that is not publicly accessible. The developer anticipates sporadic spikes in database traffic.

What should the developer do to enable the Lambda function to access the database securely and efficiently?

A. Configure the Lambda function to use an Amazon RDS proxy.

B. Configure a NAT gateway and associate it with the Lambda function.

C. Enable public access on the RDS instance and configure a security group to allow inbound traffic on the database port.

D. Attach the Lambda function to a VPC with a security group that has no inbound or outbound rules.

Explanation

Answer A is correct because:
- Amazon RDS Proxy acts as an intermediary, allowing Lambda (even outside a VPC) to securely connect to the RDS database via AWS's private network. The RDS Proxy endpoint resides in the VPC, and security groups can restrict access to the proxy.
- Connection Pooling: RDS Proxy efficiently manages database connections, reducing the risk of overwhelming the database during traffic spikes (common with Lambda's concurrent executions).
- Security: The RDS database remains private, avoiding exposure to the public internet (unlike Option C, which is insecure).

Other options are incorrect because:
- B: NAT gateways are unnecessary here since Lambda doesn't require outbound internet access to reach RDS.
- C: Enabling public access on RDS exposes it to security risks.
- D: Attaching Lambda to a VPC with no inbound/outbound rules blocks all traffic, preventing database access.

Key Takeaway: RDS Proxy is ideal for serverless applications (like Lambda) needing secure, scalable, and efficient database access without VPC attachment.

Answer

The correct answer is: A