
I have a step function that is running in an AWS account that connects into an RDS database in another account.

I need to reduce the scope of the RDS security group rule, but I can't find the external IP the function is using to connect to the DB. I was not the one who developed it, but from searching the code it looks like it's connecting using psycopg2 in one of the steps of the workflow.

I already checked the NAT Gateway, but the account where the step function is executing does not have one enabled.

I also checked Elastic IPs, but there's no Elastic IP attached to the step function.

Does any of you know how I can find out the external IP of that step function or the Lambdas that are running behind it?

Thank you

  • AFAIK you don't control that IP, and I doubt you can run low-level commands like opening a bash shell programmatically or something similar. This rationale got me to this other question that is related to your need: stackoverflow.com/questions/61902711/… Commented Dec 17, 2024 at 18:32
  • What I know is that if I allow only the IPs I know in the RDS SG, the step function starts to fail. As I mentioned, the step function is running in a different account from the one the RDS database is in. So it looks like the connection is coming from the internet. Commented Dec 17, 2024 at 18:47
  • It'll be part of whatever external IPs AWS has for the region executing the step function. Don't try to use the range for security, as it could suddenly change (although they are published). If you can control the SF, you could add that caller Lambda to a VPC and enable NAT, as you saw? Commented Dec 17, 2024 at 19:54
  • Yeah, I just noticed that I can attach the Lambda to a VPC. I'll do that and enable the NAT gateway; I'll let you know if it works @Tobin. Thanks! Commented Dec 17, 2024 at 23:56

1 Answer

Your question title is confusing. The Lambda function is the thing making the external connection, not the Step Functions service. You actually need to provide a static IP to the Lambda functions. They happen to be invoked by the Step Function service, but the solution is the same regardless of how the Lambda functions are invoked.

To provide the Lambda functions a static IP, you would configure the Lambda function to deploy into private subnets of a VPC. You would add a NAT gateway to one of the public subnets of the VPC and assign an Elastic IP to the NAT Gateway. You would ensure that the private subnets of the VPC have a route to the NAT Gateway, so that all outbound traffic in those private subnets gets routed to the NAT Gateway. Then all outbound traffic generated by the Lambda functions will come from the Elastic IP's address.


Alternatively, since the Lambdas need to connect to RDS in another AWS account, another solution would be to deploy the Lambdas to a VPC, and enable VPC Peering between the two VPCs in the different AWS Accounts.
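Before narrowing the RDS security group, it is worth verifying which address the function's traffic actually leaves from, since a Lambda that is not in a VPC, or that sits in a public subnet, has no pinnable IP at all. The script below is an added example, not code from the question or the answer: it walks the function's VPC config, the subnets' route tables (explicit association first, then the VPC's main table) and the NAT gateways, and returns the /32 CIDRs to allow. The dicts are constructed to mirror the shape of boto3's `lambda.get_function_configuration`, `ec2.describe_route_tables` and `ec2.describe_nat_gateways` responses; every ID and address in them is made up.

```python
"""Derive the public egress /32s of a VPC-attached Lambda from route-table
and NAT-gateway data, and explain why there is no pinnable IP otherwise.

Added example; the sample data below is constructed (made-up IDs) to
mirror boto3 response shapes, so the script runs offline.
"""
from ipaddress import ip_network


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """Explicit subnet association wins; otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def lambda_egress_cidrs(function_config, route_tables, nat_gateways):
    """Return sorted /32 CIDRs the function's outbound traffic leaves from.

    Raises ValueError with the reason when the egress IP cannot be pinned:
    no VPC, a public subnet (Lambda ENIs never get a public IP, so an IGW
    route gives no egress), no default route, or a non-NAT default route.
    """
    vpc = function_config.get("VpcConfig") or {}
    subnets = vpc.get("SubnetIds") or []
    if not subnets:
        raise ValueError("function is not attached to a VPC: it egresses "
                         "from AWS-owned addresses you cannot pin")
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    found = set()
    for subnet_id in subnets:
        rt = route_table_for_subnet(route_tables, subnet_id, vpc["VpcId"])
        if rt is None:
            raise ValueError(f"no route table found for {subnet_id}")
        route = default_route(rt)
        if route is None:
            raise ValueError(f"{subnet_id} has no 0.0.0.0/0 route: no egress")
        if route.get("GatewayId", "").startswith("igw-"):
            raise ValueError(f"{subnet_id} routes to an internet gateway; "
                             "move the function to a private subnet")
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            raise ValueError(f"{subnet_id} default route is not a NAT gateway")
        nat = nat_by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            raise ValueError(f"{nat_id} is missing or not available")
        ips = [a["PublicIp"] for a in nat["NatGatewayAddresses"] if a.get("PublicIp")]
        if not ips:
            raise ValueError(f"{nat_id} has no public address")
        found.update(ips)
    return sorted(str(ip_network(f"{ip}/32")) for ip in found)


# Constructed sample: a function in two private subnets (one per AZ), each
# routed to its own NAT gateway with an Elastic IP, plus a public subnet.
SAMPLE_FUNCTION = {
    "FunctionName": "db-step",
    "VpcConfig": {"VpcId": "vpc-0a1b", "SubnetIds": ["subnet-priv-a", "subnet-priv-b"],
                  "SecurityGroupIds": ["sg-lambda"]},
}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0a1b", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0a1b",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-priv-a", "VpcId": "vpc-0a1b",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-priv-b", "VpcId": "vpc-0a1b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]
SAMPLE_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "State": "available", "SubnetId": "subnet-pub-a",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-a", "PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-b", "State": "available", "SubnetId": "subnet-pub-b",
     "NatGatewayAddresses": [{"AllocationId": "eipalloc-b", "PublicIp": "203.0.113.11"}]},
]

if __name__ == "__main__":
    # Each CIDR printed here is an inbound rule to add to the RDS security group.
    for cidr in lambda_egress_cidrs(SAMPLE_FUNCTION, SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS):
        print(cidr)
```

Two things the sample makes visible: a function deployed across several AZs with one NAT gateway per AZ egresses from several Elastic IPs, so the RDS rule needs one /32 per NAT gateway, not just one; and a subnet whose default route points at an internet gateway is rejected, because a Lambda ENI has no public IP and gets no internet egress from a public subnet. To run it against a real account, replace the three sample structures with the corresponding boto3 responses.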
