24

I'm not very good with networking, but here is my issue: I need to connect to a MySQL server that is behind a firewall from an AWS Lambda function, and to 'whitelist' my AWS Lambda I need to know what IP it uses.

As I understand it, it varies depending on the VPC subnet. Is it right that if my VPC subnet CIDR is 172.31.16.0/20, the IP may vary from 172.31.16.0 to 172.31.16.254?

5
  • Don't use IP, use security groups. aws.amazon.com/blogs/aws/… Commented Jun 8, 2016 at 15:02
  • 1
    Are you planning to use AWS RDS or MYSQL Server on EC2 instance? Commented Jun 8, 2016 at 15:04
  • The VPC subnet will only matter if the MySQL server you are trying to connect to is also in the VPC. And if the MySQL server is also in the VPC then you should be using security groups instead of IP addresses anyway. Commented Jun 8, 2016 at 15:09
  • 1
    MySQL server is not even on AWS ;/ Is it even possible to know the IP then? Or maybe any ideas on how I can limit access from AWS Lambda to MySQL? Commented Jun 8, 2016 at 15:17
  • 1
    If the MySQL server isn't on AWS the requests are going to come from Amazon's public IP range, which is many millions of potential IPs. Commented Jun 8, 2016 at 16:28

2 Answers

20

You have a MySQL instance that is not on AWS infrastructure. You want to limit access to your on-premise MySQL instance to the IP of the Lambda function. You can only use a local firewall to secure the instance.

Since your use case requires internet access from Lambda to your MySQL instance on the public internet, you will need to configure a NAT gateway for your Lambda function to access the internet:

if your Lambda function requires Internet access..., you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide.

Using a NAT Gateway configuration allows your Lambda requests to come from the fixed IP of the NAT Gateway. If you assign an Elastic IP to the NAT Gateway here, you can then specify that IP/port combination on your firewall to secure access to your on-premise SQL instance.


3 Comments

"Since your use case requires internet access from Lambda to your MySQL instance on the public internet, you will need to configure a NAT gateway for your Lambda function to access the internet" isn't entirely true. The Lambda function would normally have access to the internet if it didn't have VPC access enabled. I agree though that enabling VPC access, and forcing internet traffic through a NAT is the best way to apply an IP address restriction to a Lambda function.
Or a NAT instance, of course. This or a gateway are the only ways to originate Lambda traffic from a known, fixed, public IP address that isn't from a pool of public IP addresses shared by other accounts, so +1.
Thanks a lot! This is exactly what I was looking for!
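Putting the accepted answer's NAT-gateway advice into practice, here is an added example (not part of the answer and not AWS tooling) that works out which public IPs the on-premise firewall needs to allow. It takes constructed sample data in the shape of the EC2 DescribeRouteTables and DescribeNatGateways responses and the Lambda function's VpcConfig, follows each Lambda subnet's 0.0.0.0/0 route to its NAT gateway, and reports the gateway's Elastic IP. A subnet whose default route points at an internet gateway, or that has no default route, is flagged: a Lambda ENI has no public IP, so traffic from such a subnet never reaches the server and there is nothing to allow. The resource IDs and the address 203.0.113.10 are made up.

```python
# Added example, not from the answer: resolve Lambda egress IPs from VPC routing data.
# All data below is constructed sample data in the shape of the EC2 API responses
# (boto3 describe_route_tables / describe_nat_gateways, lambda get_function_configuration).

LAMBDA_VPC_CONFIG = {  # shape of get_function_configuration()["VpcConfig"]
    "VpcId": "vpc-0example",
    "SubnetIds": ["subnet-private-a", "subnet-private-b", "subnet-public-c"],
    "SecurityGroupIds": ["sg-0example"],
}

ROUTE_TABLES = [  # shape of describe_route_tables()["RouteTables"]
    {
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-0example",
        "Associations": [{"SubnetId": "subnet-private-a", "Main": False},
                         {"SubnetId": "subnet-private-b", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "VpcId": "vpc-0example",
        "Associations": [{"SubnetId": "subnet-public-c", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
]

NAT_GATEWAYS = [  # shape of describe_nat_gateways()["NatGateways"]
    {
        "NatGatewayId": "nat-0example",
        "VpcId": "vpc-0example",
        "SubnetId": "subnet-public-c",
        "State": "available",
        "NatGatewayAddresses": [{"AllocationId": "eipalloc-0example", "PublicIp": "203.0.113.10"}],
    },
]


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table explicitly associated with a subnet, else the VPC main table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def egress_for_subnet(subnet_id, route_tables, nat_gateways):
    """Classify how traffic to 0.0.0.0/0 leaves a subnet.

    Returns ("nat", public_ip) when the default route points at an available NAT gateway
    with an Elastic IP, ("igw", None) when it points at an internet gateway (unusable from
    a Lambda ENI, which has no public IP), or ("none", None) when there is no default route.
    """
    rtb = route_table_for_subnet(subnet_id, route_tables)
    if rtb is None:
        return ("none", None)
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways if n["State"] == "available"}
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if "NatGatewayId" in route:
            nat = nat_by_id.get(route["NatGatewayId"])
            if nat and nat["NatGatewayAddresses"]:
                return ("nat", nat["NatGatewayAddresses"][0]["PublicIp"])
            return ("none", None)
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return ("igw", None)
    return ("none", None)


def firewall_allowlist(vpc_config, route_tables, nat_gateways):
    """Return (sorted list of public IPs to allow, subnets that cannot reach the server)."""
    allow, broken = set(), []
    for subnet_id in vpc_config["SubnetIds"]:
        kind, ip = egress_for_subnet(subnet_id, route_tables, nat_gateways)
        if kind == "nat":
            allow.add(ip)
        else:
            broken.append((subnet_id, kind))
    return sorted(allow), broken


if __name__ == "__main__":
    ips, broken = firewall_allowlist(LAMBDA_VPC_CONFIG, ROUTE_TABLES, NAT_GATEWAYS)
    print("allow TCP/3306 on the MySQL firewall from:", ips)
    for subnet_id, kind in broken:
        print(f"warning: {subnet_id} has no usable NAT route ({kind}); Lambda there cannot reach the server")
```

The point of the check on the last subnet is the one the comments raise: only the NAT path gives a fixed address, so a Lambda configured with a mix of private and public subnets will intermittently fail to connect even though the allowed IP is correct.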
0

The IP addresses in the 172.31.16.0/20 are private, non-routable addresses. Unless your MySQL server and firewall are in the same VPC, your Lambda will only be able to connect through NAT and will use the elastic IP attached to your NAT Gateway. That's the only IP address you need to whitelist.

Incidentally, for a CIDR of 172.31.16.0/20, you can expect IP addresses from 172.31.16.0 to 172.31.31.255. The 20 is the number of mask bits which gives a range of 4096 values. It maps to a netmask of 255.255.240.0.
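To make the CIDR arithmetic in this answer concrete, here is an added example (not part of the answer) that derives the netmask, first and last address and address count of a block with plain integer bit operations, then cross-checks the result against Python's standard ipaddress module. It also tests whether a given address falls inside the block, which shows why the question's guess of 172.31.16.254 as the upper end is too low. The input addresses are the ones from the question and answer; 10.0.0.7/32 in the test is a constructed extra case.

```python
# Added example, not from the answer: CIDR block arithmetic done by hand and cross-checked.
import ipaddress


def ipv4_to_int(addr):
    """Pack dotted-quad text into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ipv4(value):
    """Unpack a 32-bit integer back into dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_cidr(cidr):
    """Return netmask, first and last address, address count and RFC 1918 status of a CIDR."""
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set, e.g. /20 -> 255.255.240.0
    network = ipv4_to_int(addr) & mask                 # host bits cleared -> first address
    broadcast = network | (~mask & 0xFFFFFFFF)         # host bits all set -> last address
    return {
        "netmask": int_to_ipv4(mask),
        "first": int_to_ipv4(network),
        "last": int_to_ipv4(broadcast),
        "count": 1 << (32 - prefix),                   # 2^(host bits), 4096 for a /20
        "private": ipaddress.ip_network(cidr, strict=False).is_private,
    }


def contains(cidr, addr):
    """True when `addr` falls inside `cidr` (the same comparison a router's mask performs)."""
    info = describe_cidr(cidr)
    return ipv4_to_int(info["first"]) <= ipv4_to_int(addr) <= ipv4_to_int(info["last"])


if __name__ == "__main__":
    info = describe_cidr("172.31.16.0/20")
    print(info)
    # The question guessed the block ended at 172.31.16.254; it actually runs to 172.31.31.255.
    for candidate in ("172.31.16.254", "172.31.31.255", "172.31.32.0"):
        print(candidate, "in block:", contains("172.31.16.0/20", candidate))
    # Cross-check the hand arithmetic against the standard library.
    net = ipaddress.ip_network("172.31.16.0/20")
    assert str(net.netmask) == info["netmask"] and net.num_addresses == info["count"]
```

The "private" flag is the practical takeaway for the firewall: any address in this block is RFC 1918 space, so it can never be the source address the on-premise server sees and is not what should be allowlisted.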
