Question #629
A developer creates a VPC named VPC-X that has public and private subnets. The developer deploys an Amazon RDS database inside the private subnet of VPC-X. To access this database, the developer configures an AWS Lambda function in the private subnet of a different VPC, VPC-Y. When the Lambda function is executed, it fails to connect to the RDS database. What should the developer do to resolve this issue?
A. Modify the RDS security group to allow all traffic from the VPC-Y CIDR block.
B. Redeploy the Lambda function in the same VPC-X private subnet as the RDS instance and update the RDS security group to permit traffic from the Lambda function's security group.
C. Establish a VPC peering connection between VPC-X and VPC-Y, update the route tables, and configure the RDS security group to allow traffic from VPC-Y's CIDR.
D. Create an IAM policy granting RDS access and attach it to the Lambda function's execution role.
Explanation
The correct answer is B. A Lambda function attached to VPC-Y has no network path to resources inside another VPC. Since the RDS database is in VPC-X's private subnet, deploying the Lambda function in VPC-X lets it reach the database directly, without VPC peering. The RDS security group must then allow inbound traffic from the Lambda function's security group.
Why other options are incorrect:
- A: Allowing VPC-Y's CIDR in the RDS security group doesn't help: a security group rule cannot supply the missing route between the two VPCs.
- C: While VPC peering could work, it adds unnecessary complexity compared to deploying Lambda in the same VPC.
- D: IAM policies control API permissions, not network access.
Key Points:
1. Lambda must be in the same VPC as RDS for direct network access.
2. The RDS security group should reference the Lambda function's security group rather than a CIDR block, so only that function (and not every host in an address range) is granted least-privilege access.
3. VPC peering is not required if resources are in the same VPC.
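Option B expressed as a CloudFormation template, added here as an illustration and not part of the original question. The parameter names, the PostgreSQL port 5432, the runtime and the placeholder handler are assumptions; the point is the Lambda VpcConfig inside VPC-X and the RDS security group rule that references the Lambda security group instead of a CIDR block.

```yaml
# Added example: Lambda in VPC-X's private subnet, RDS security group admitting
# only the Lambda function's security group. Names and the port are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcXId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetXId:
    Type: AWS::EC2::Subnet::Id
  LambdaRoleArn:
    Type: String   # execution role; needs permission to create/delete ENIs
Resources:
  LambdaSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda function in VPC-X private subnet
      VpcId: !Ref VpcXId
      # No ingress rules: the function only initiates outbound connections.
  RdsSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS instance in VPC-X private subnet
      VpcId: !Ref VpcXId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432            # assumed PostgreSQL port; 3306 for MySQL
          ToPort: 5432
          # Security-group reference (least privilege). A CidrIp rule such as
          # the VPC-Y CIDR from option A would admit every host in that range
          # and still would not create a route between the two VPCs.
          SourceSecurityGroupId: !Ref LambdaSG
  DbAccessFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !Ref LambdaRoleArn
      VpcConfig:                    # attaches the function's ENI inside VPC-X
        SubnetIds:
          - !Ref PrivateSubnetXId
        SecurityGroupIds:
          - !Ref LambdaSG
      Code:
        ZipFile: |
          def handler(event, context):
              # placeholder: open the database connection here
              return "ok"
```

The existing RDS instance must have RdsSG in its VPCSecurityGroups for the rule to take effect.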
Answer
The correct answer is: B