AWS Certified Developer – Associate / Question #1073 of 557

Question #1073

A developer needs to configure an AWS Lambda function to access an Amazon RDS MySQL instance located in a private subnet within the same VPC. The RDS instance is not publicly accessible. Which solution will meet these requirements?

A

Create a VPC endpoint for Amazon RDS and associate it with the Lambda function.

B

Attach the Lambda function to the VPC and configure it to use the private subnet.

C

Establish a VPN connection between the Lambda function's execution environment and the private subnet.

D

Modify the VPC route table to include a route for the Lambda function's security group.

Explanation

The correct answer is B. AWS Lambda functions, by default, operate outside a VPC. To access resources within a VPC (like a private RDS instance), the Lambda must be explicitly attached to the VPC and associated with subnets that can route to the RDS. Attaching Lambda to the VPC allows it to use the VPC's networking rules and security groups, enabling communication with the RDS.

Why other options are incorrect:
- A: VPC endpoints (e.g., Interface Endpoints) give private access to AWS service APIs without internet traffic, but they do not expose the MySQL listener of a DB instance; to reach an RDS instance in a private subnet, the Lambda function itself must be attached to the VPC.
- C: VPN connections are for linking external networks to a VPC, not for Lambda-to-VPC communication within AWS.
- D: Route tables route traffic based on IP ranges, not security groups. Security groups control traffic via rules, not routing.

Key Points:
1. Lambda must be attached to the VPC to access private subnets.
2. Ensure the Lambda function's security group allows outbound traffic to the RDS instance and the RDS security group allows inbound traffic from the Lambda function's security group on the database port.
3. VPC endpoints alone cannot bypass the need for Lambda to be in the VPC for private subnet access.
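The three key points above can be turned into a pre-deployment check. The following is an added example, not part of the original question or of any AWS tooling: it takes the VpcConfig of a Lambda function, the description of an RDS instance and the security groups they reference, and reports which part of the path is missing. The dictionaries mirror the shapes returned by the boto3 calls named in the comments, but every ID and rule is a constructed sample value, not a real resource.

```python
"""Verify that a Lambda function attached to a VPC can reach an RDS MySQL
instance in a private subnet of the same VPC.

Added example, not code from the original page. The structures below mirror
the shapes of boto3's lambda GetFunctionConfiguration (VpcConfig),
rds DescribeDBInstances and ec2 DescribeSecurityGroups responses; all IDs
and rules are constructed sample values.
"""

# Constructed sample: get_function_configuration()["VpcConfig"] after option B is applied.
LAMBDA_VPC_CONFIG = {
    "VpcId": "vpc-0examp1e",
    "SubnetIds": ["subnet-0priv1", "subnet-0priv2"],
    "SecurityGroupIds": ["sg-0lambda"],
}

# Constructed sample: the relevant fields of one describe_db_instances() entry.
RDS_INSTANCE = {
    "Engine": "mysql",
    "PubliclyAccessible": False,
    "Endpoint": {"Port": 3306},
    "DBSubnetGroup": {"VpcId": "vpc-0examp1e"},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0rds", "Status": "active"}],
}

# Constructed sample: describe_security_groups()["SecurityGroups"], keyed by GroupId.
# The RDS group admits TCP 3306 only from the Lambda group, not from a CIDR range.
SECURITY_GROUPS = {
    "sg-0lambda": {
        "GroupId": "sg-0lambda",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
    },
    "sg-0rds": {
        "GroupId": "sg-0rds",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "UserIdGroupPairs": [{"GroupId": "sg-0lambda"}], "IpRanges": []}
        ],
        "IpPermissionsEgress": [],
    },
}


def _rule_covers_port(rule, port):
    """True if one security-group rule covers TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _egress_allows(sg, port):
    """True if the group lets traffic out on `port` (to any destination)."""
    return any(_rule_covers_port(r, port) for r in sg.get("IpPermissionsEgress", []))


def _ingress_allows_from_group(sg, source_group_id, port):
    """True if the group admits `port` from members of `source_group_id`."""
    for rule in sg.get("IpPermissions", []):
        if not _rule_covers_port(rule, port):
            continue
        if any(p.get("GroupId") == source_group_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def check_lambda_rds_path(vpc_config, rds_instance, security_groups):
    """Return a list of findings; an empty list means the path looks correct."""
    findings = []
    # Key point 1: the function must be attached to subnets in the VPC.
    if not vpc_config or not vpc_config.get("SubnetIds"):
        findings.append("Lambda is not attached to any VPC subnets (option B not applied)")
        return findings
    rds_vpc = rds_instance["DBSubnetGroup"]["VpcId"]
    if vpc_config.get("VpcId") != rds_vpc:
        findings.append(f"Lambda VPC {vpc_config.get('VpcId')} differs from RDS VPC {rds_vpc}")
    # Key point 2: security groups on both ends must permit the database port.
    port = rds_instance["Endpoint"]["Port"]
    lambda_sgs = vpc_config.get("SecurityGroupIds", [])
    rds_sgs = [g["VpcSecurityGroupId"] for g in rds_instance["VpcSecurityGroups"]]
    if not any(_egress_allows(security_groups[s], port) for s in lambda_sgs):
        findings.append(f"no Lambda security group allows egress on TCP {port}")
    reachable = any(
        _ingress_allows_from_group(security_groups[r], l, port)
        for r in rds_sgs for l in lambda_sgs
    )
    if not reachable:
        findings.append(f"no RDS security group allows ingress on TCP {port} from a Lambda security group")
    return findings


if __name__ == "__main__":
    print(check_lambda_rds_path(LAMBDA_VPC_CONFIG, RDS_INSTANCE, SECURITY_GROUPS))
```

The check deliberately accepts only an ingress rule that references the Lambda function's security group rather than a CIDR range, because the function's ENIs take addresses from the subnet pool and a group reference stays correct as they change. One caveat to keep in mind when applying option B: a function attached to a VPC loses the default outbound internet access of an unattached function, so anything it still needs outside the VPC must be reached through a NAT gateway or a VPC endpoint.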

Answer

The correct answer is: B