AWS combining public accessible RDS with Lambdas accessing Internet?

Question

I have a VPC with 3 private and one public subnets. In the 3 private subnets i host the RDS and the Lambda functions. In the public subnet i host a NAT Gateway. The 3 private subnets point via a routing table to the NAT Gateway. Within this setup my Lambda functions successfully communicate with my RDS and the Internet, but I cannot access the RDS from my home computer as the NAT is blocking external access to the VPC. My question is now:

How do I let the Lambda functions access the RDS within the VPC and make the RDS public accessible from my computer at the same time?

P.S.: Until now I always have to change manually the routing of my 3 private subnets to the IGW to make the RDS accessible.

Answer 1

First a clarification: The NAT is not blocking external access to the VPC. A NAT Gateway simply provides Internet access to resources in your VPC that don't have public IP addresses. The NAT is unrelated to your being able to access the VPC externally. In fact you haven't done anything to allow external access yet.

You have the following options to access your RDS instance externally:

• Add a VPN server to your VPC, in the public subnet, which would allow you to connect to the RDS server after establishing a VPN connection.
• Move your RDS server to the public subnet and enable the "publicly accessible" flag, which would allow you to connect to the RDS server directly.
• Create a Linux Bastion Host in the public subnet, which would allow you to connect to the RDS server via SSH port forwarding.

In any of these scenarios, as long as the Lambda function and the RDS instance are in the same VPC, then the Lambda function will have access to the RDS instance. And as long as the Lambda function remains in the private subnet(s) with a NAT Gateway it will have Internet access.