Learn how to securely connect a Lambda function to an Aurora database in a private subnet of a VPC. Find out the best solution and why it works.
Question
A company has deployed infrastructure on AWS. A development team wants to create an AWS Lambda function that will retrieve data from an Amazon Aurora database. The Amazon Aurora database is in a private subnet in company’s VPC. The VPC is named VPC1. The data is relational in nature. The Lambda function needs to access the data securely.
Which solution will meet these requirements?
A. Create the Lambda function. Configure VPC1 access for the function. Attach a security group named SG1 to both the Lambda function and the database. Configure the security group inbound and outbound rules to allow TCP traffic on Port 3306. Most Voted
B. Create and launch a Lambda function in a new public subnet that is in a new VPC named VPC2. Create a peering connection between VPC1 and VPC2.
C. Create the Lambda function. Configure VPC1 access for the function. Assign a security group named SG1 to the Lambda function. Assign a second security group named SG2 to the database. Add an inbound rule to SG1 to allow TCP traffic from Port 3306.
D. Export the data from the Aurora database to Amazon S3. Create and launch a Lambda function in VPC1. Configure the Lambda function query the data from Amazon S3.
Answer
A. Create the Lambda function. Configure VPC1 access for the function. Attach a security group named SG1 to both the Lambda function and the database. Configure the security group inbound and outbound rules to allow TCP traffic on Port 3306. Most Voted
Explanation
The correct answer is A. Create the Lambda function. Configure VPC1 access for the function. Attach a security group named SG1 to both the Lambda function and the database. Configure the security group inbound and outbound rules to allow TCP traffic on Port 3306.
To create an AWS Lambda function that will retrieve data from an Amazon Aurora database in a private subnet of a VPC, the developer needs to configure the Lambda function to access the VPC and the database securely. AWS Lambda is a service that lets you run code without provisioning or managing servers. You can use Lambda to create serverless applications or to run code in response to events. Amazon Aurora is a fully managed relational database service that is compatible with MySQL and PostgreSQL. You can use Aurora to store and query relational data for your applications.
To use Lambda and Aurora to retrieve data from the database, the developer can follow these steps:
- Create a Lambda function and write the code that will query the database using the appropriate driver and connection string.
- Configure VPC1 access for the Lambda function by selecting the VPC, subnets, and security groups that the function will use. The Lambda function must be in the same VPC as the database, and in one or more private subnets that have a route to a NAT gateway or NAT instance. This allows the function to access the internet and AWS services.
- Attach a security group named SG1 to both the Lambda function and the database. A security group is a virtual firewall that controls the inbound and outbound traffic for your resources. The security group must allow TCP traffic on Port 3306, which is the default port for MySQL and PostgreSQL databases.
- Configure the security group inbound and outbound rules to allow TCP traffic on Port 3306. The inbound rules specify which sources can send traffic to your resources, and the outbound rules specify which destinations your resources can send traffic to. The developer can use the security group ID or IP address range of the Lambda function and the database as the source or destination for the rules.
This solution will meet the requirements because:
- It will allow the Lambda function to access the data securely from the Aurora database in a private subnet of a VPC.
- It will encrypt the data at rest and in transit using AWS Key Management Service (AWS KMS) keys, which provide security and encryption for your data.
- It will have minimal management overhead because it uses fully managed services that scale automatically with your workload.
Option B is incorrect because creating and launching a Lambda function in a new public subnet that is in a new VPC named VPC2 and creating a peering connection between VPC1 and VPC2 is not a secure or efficient solution. A public subnet is a subnet that has a route to an internet gateway, which allows it to access the internet. A peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. However, this solution has some drawbacks compared to option A, such as:
- It exposes the Lambda function to public internet access, which increases the risk of unauthorized access or attacks.
- It requires additional configuration and management of a new VPC, subnet, internet gateway, route table, and peering connection, which adds complexity and overhead.
- It incurs additional costs for data transfer between peered VPCs, which can increase your bill depending on your usage.
Option C is incorrect because assigning a security group named SG1 to the Lambda function and assigning a second security group named SG2 to the database and adding an inbound rule to SG1 to allow TCP traffic from Port 3306 is not a valid solution. The inbound rule should be added to SG2, not SG1, because SG2 controls which sources can send traffic to the database. Adding an inbound rule to SG1 will not affect the traffic from the Lambda function to the database.
Option D is incorrect because exporting the data from the Aurora database to Amazon S3 and creating and launching a Lambda function in VPC1 that queries the data from Amazon S3 is not an optimal solution. Amazon S3 is a service that provides object storage through a web services interface. You can use Amazon S3 to store any type of data, including relational data exported from Aurora. However, this solution has some disadvantages compared to option A, such as:
- It requires additional steps and costs to export and import data between Aurora and S3, which adds complexity and overhead.
- It does not provide real-time access to the data, but only to the snapshot of data at the time of export, which might result in stale or inconsistent data.
- It does not leverage the benefits of Aurora as a relational database service, such as high performance, availability, scalability, compatibility, and features.
The latest AWS Certified Developer – Associate DVA-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Developer – Associate DVA-C02 exam and earn AWS Certified Developer – Associate DVA-C02 certification.
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
