Question

When I create an RDS, it seems to have an inbound source by default.

For example, like port: 5432, IP: 221.142.31.25/32.

As I understand, It means that the security group allows requests from the IP range(221.142.31.25/32) to access the port(5432).

Somehow It seems to allow my local to access the RDS as well without any additional inbound source representing my local.

In contrast to my local, when I try to have access to the RDS from Lambda, I have had to add inbound source 0.0.0.0/0, otherwise, the Lambda has returned a timeout error.

My question is...

1. What does the IP range(221.142.31.25/32) mean?

2. How does it allow my local to access the RDS?

3. Why does it deny Lambda but my local?

 

Answer 1

The better architecture would be:

• Configure the AWS Lambda function to connect to the VPC

• The Lambda function uses the DNS Name of the Amazon RDS instance, which will resolve to a local IP address within the VPC

• Add the CIDR range of the VPC (eg 192.168.0.0/16 or whatever it is) to the Security Group associated with the Amazon RDS instance. This will permit access from any resource within the VPC.

• It appears that you already have an inbound rule on the security group permitting access from your laptop, which seems to have an IP address of 221.142.31.25. Thus, the CIDR range would be 221.142.31.25/32.

The result will be that Lambda talks directly with RDS within the VPC, while your laptop comes in via the Internet.