Lambda connect to EC2+MySQL in different region

Hi everyone, first post here. I can’t wrap my head around regions, VPC, subnets and all the related configuration. This is what I’m trying to achieve.

  • I have a legacy production EC2 server that is running MySQL. It’s in the Northern California region.
  • I want to use Lambda and API Gateway to connect to my EC2 server. I have my Lambda functions in Oregon, a different region, because I eventually want to use Cognito (not offered in N. Cali).

My Lambda function can’t seem to connect to the server. MySQL has networking enabled and I can connect to it remotely when I give explicit access to my local IP.

I need to know how to configure serverless.yml as well as how to configure the security group of my EC2 instance so that Lambda gets access to 3306. I imagine I need to put both into a VPC? This is all pretty abstract for me and I could use some pointers.

I’ve thought about moving my EC2 instance to Oregon (not sure exactly how yet, but it’s an option). I’d prefer not to, but if you guys think that’s going to save me a bunch in the long run, chime in.

Thanks everyone!

Hi, in my example serverless.yml below I do something very similar to this. You may want to deploy your function into a VPC with NAT so that you can have static IPs for making connections to the DB security group.

Once you have your Lambda running from a VPC where it can get a static external IP, you will want to open your DB's security group up to this IP on your database.


Okay so the securityGroupIds are the security group of my EC2 instance? And the subnetIds are also of the EC2 instance?

And then after I deploy this, where do I find the static IP?

No, the security groups are the ones assigned to the Lambda function, and the subnets will also belong to the Lambda function.

The IP would come from your NAT gateway on the VPC that the Lambda will live in.

Ah I think I understand now. Will give it a try. I was also looking into Peering Connections - do you think that could be a solution?

Yes, a peering connection could also help here, but you’d still need to define security groups and subnets.

Do I need to have an EIP for each subnet (there are 3)?

In our setup only the NATs have EIPs, and everything in the VPC is in a private subnet and routed through the NAT. I don’t think there is another way for Lambda functions to have static IP addresses.

So I was finally able to make this work. I used Peering Connections and didn’t need to set up NATs or EIPs. I was able to reference my EC2 instance by private IP.

If you don’t need the NATs for other reasons, you might want to look into using Peering Connections.
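The configuration the thread converges on (Lambda attached to private subnets in its own VPC, talking to the EC2 instance's private IP over a cross-region peering connection), written out as an added example. This is not any participant's serverless.yml; the `provider.vpc` keys are the Serverless Framework's own, but every ID, CIDR, IP and the service/handler names are placeholders you must replace with your own values.

```yaml
# Added example serverless.yml, not a thread participant's file.
# Placeholders (replace): subnet IDs, VPC ID, CIDRs, the EC2 private IP, service/handler names.
service: legacy-mysql-api

provider:
  name: aws
  runtime: nodejs18.x
  region: us-west-2              # Oregon: where the Lambda functions are deployed
  # Attaching the function to a VPC gives it network interfaces in these subnets.
  # Both the security group and the subnets belong to the Lambda side, not to the EC2 instance.
  vpc:
    securityGroupIds:
      - Ref: LambdaSecurityGroup
    subnetIds:
      - subnet-0aaaaaaaaaaaaaaa1   # placeholder: private subnet in the Lambda VPC
      - subnet-0bbbbbbbbbbbbbbb2   # placeholder
      - subnet-0ccccccccccccccc3   # placeholder
  environment:
    DB_HOST: "10.0.1.25"           # placeholder: EC2 private IP, reachable through the peering
    DB_PORT: "3306"

functions:
  query:
    handler: handler.query         # placeholder handler; it reads DB_HOST/DB_PORT from the environment
    events:
      - http:
          path: query
          method: get

resources:
  Resources:
    # Lambda-side security group: no inbound rules, outbound only MySQL to the EC2 VPC's CIDR.
    LambdaSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Lambda egress to legacy MySQL over VPC peering
        VpcId: vpc-0dddddddddddddddd4   # placeholder: the Lambda VPC in us-west-2
        SecurityGroupEgress:
          - IpProtocol: tcp
            FromPort: 3306
            ToPort: 3306
            CidrIp: 10.0.0.0/16          # placeholder: CIDR of the EC2 VPC in us-west-1
```

Two things this file cannot express, because they live in the other region and the other VPC: the peering connection must be requested from one side and accepted in us-west-1, and both VPCs' route tables need a route to the peer's CIDR via the peering connection. The EC2 instance's security group in N. California then allows tcp/3306 from the Lambda VPC's CIDR (or, with the NAT approach, from the NAT gateway's EIP as a /32); a cross-region peering cannot reference the Lambda security group by ID, so a CIDR rule is the tightest option there. Also note that a function in private subnets with no NAT gateway has no Internet path, so any other AWS API it calls needs a NAT or a VPC endpoint.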