Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For AWS DVA-C02 candidates, the confusion often lies in troubleshooting Lambda connectivity issues inside a VPC. In production, this is about knowing exactly how Lambda ENIs interact with security groups and the permissions needed to create ENIs. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechneCorp is developing a serverless application processing financial transactions. Their AWS Lambda function runs inside a VPC and needs to connect to an existing Amazon RDS for Microsoft SQL Server instance. The RDS database is deployed in a private subnet and only accepts connections on port 1433. When developers test the Lambda function in the development account, it fails to connect to the RDS instance, returning connection timeout errors.
The Requirement: #
Identify the correct steps so developers can diagnose and resolve the connectivity problem between the Lambda function running inside the VPC and the private RDS SQL Server instance.
The Options: #
- A) Verify that the Lambda function’s security group has outbound rules allowing port 1433 to the RDS instance’s security group. Verify that the RDS instance’s security group has inbound rules allowing port 1433 from the Lambda function’s security group.
- B) Verify that the Lambda function’s security group has inbound rules allowing port 1433 from the RDS instance’s security group. Verify that the RDS instance’s security group has outbound rules allowing port 1433 to the Lambda function’s security group.
- C) Verify that the VPC has a NAT gateway configured. Verify that the RDS instance is set to Publicly Accessible.
- D) Verify that the Lambda function’s execution role has permissions for rds:DescribeDBInstances, rds:ModifyDBInstance, and rds:DescribeDBSecurityGroups.
- E) Verify that the Lambda function’s execution role has permissions for ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface.
Correct Answer #
A and E
Quick Insight: The Developer Imperative #
For developers troubleshooting Lambda in VPCs, understanding security group connectivity rules and the IAM permissions required for Lambda to manage ENIs is critical. Without outbound access to the DB port and the right EC2 network interface permissions, Lambda cannot establish and maintain network connectivity to private RDS instances.
The Expert’s Analysis #
Correct Answer #
Options A and E
The Winning Logic #
- Option A: The primary network-level connectivity between Lambda and RDS depends on security group rules. The Lambda function’s security group must allow outbound traffic on port 1433 to the RDS instance’s security group, and the RDS instance’s security group must permit inbound traffic on port 1433 from the Lambda function’s security group. Because both Lambda and RDS are associated with security groups, these rules control the traffic flow within the VPC. With a missing or mismatched rule, connectivity fails with connection timeouts rather than an explicit error, which is exactly the symptom the developers see.
- Option E: When a Lambda function runs inside a VPC, AWS creates Elastic Network Interfaces (ENIs) in the function’s configured subnets so it can reach VPC resources. The Lambda execution role must have IAM permissions to create (ec2:CreateNetworkInterface), describe (ec2:DescribeNetworkInterfaces), and delete (ec2:DeleteNetworkInterface) these ENIs. Missing these permissions prevents Lambda from attaching to the VPC network at all, causing failures before security groups even come into play.
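As an added example (not part of this study note), a small offline Python check that mirrors Options A and E: it evaluates constructed security-group records in the shape of an EC2 describe-security-groups response and a constructed execution-role policy document. The group ids are placeholders, and the sample data reproduces the broken development-account state from the scenario.

```python
# Constructed placeholder ids; substitute the real security group ids for an account.
LAMBDA_SG, RDS_SG, SQL_PORT = "sg-0lambda000001", "sg-0rds00000001", 1433
ENI_ACTIONS = {"ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface"}

def rule_allows(rule, port, peer_sg):
    """True if one IpPermissions entry covers TCP `port` to/from `peer_sg`,
    or is open to 0.0.0.0/0 (how the default allow-all egress rule looks)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        port_ok = True
    elif proto == "tcp":
        port_ok = rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)
    else:
        port_ok = False
    peer_ok = (any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", []))
               or any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])))
    return port_ok and peer_ok

def check_security_groups(sgs):
    """Option A: Lambda SG egress on 1433 to the RDS SG, and RDS SG ingress
    on 1433 from the Lambda SG. Both must be True for the connection to work."""
    by_id = {sg["GroupId"]: sg for sg in sgs}
    egress_ok = any(rule_allows(r, SQL_PORT, RDS_SG)
                    for r in by_id[LAMBDA_SG]["IpPermissionsEgress"])
    ingress_ok = any(rule_allows(r, SQL_PORT, LAMBDA_SG)
                     for r in by_id[RDS_SG]["IpPermissions"])
    return {"lambda_egress": egress_ok, "rds_ingress": ingress_ok}

def missing_eni_actions(policy_doc):
    """Option E: the ENI actions the execution role's policy does not grant."""
    allowed = set()
    for st in policy_doc["Statement"]:
        if st["Effect"] == "Allow":
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            allowed.update(acts)
    return sorted(ENI_ACTIONS - allowed)

# Constructed sample: Lambda SG has the default allow-all egress, but the RDS SG
# only admits 1433 from some other group, and the role lacks one ENI action.
SAMPLE_SGS = [
    {"GroupId": LAMBDA_SG, "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": RDS_SG, "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
                        "UserIdGroupPairs": [{"GroupId": "sg-0other00000001"}]}]},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"]}]}

if __name__ == "__main__":
    print(check_security_groups(SAMPLE_SGS))   # rds_ingress is the gap
    print(missing_eni_actions(SAMPLE_POLICY))  # the one ENI action to add
```

Feeding the real responses from `aws ec2 describe-security-groups` and the role's attached policy into these two functions turns the two exam checks into a repeatable diagnostic.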
The Trap (Distractor Analysis): #
- Why not Option B? Inbound rules on the Lambda function’s security group for port 1433 are unnecessary here because Lambda initiates the outbound connection to RDS. Likewise, the RDS instance typically does not require an outbound rule for port 1433 back to Lambda. Outbound traffic is allowed by default on most security groups, and RDS does not initiate requests to Lambda on this port.
- Why not Option C? A NAT gateway and public accessibility of the RDS instance are unrelated to internal VPC connectivity between Lambda and a private subnet RDS. NAT gateways enable internet-bound traffic from private subnets but do not affect direct connectivity to private RDS within the VPC.
- Why not Option D? The Lambda function’s execution role does not require RDS-specific descriptive or modification permissions just to establish network connectivity. Those permissions are for managing the database instance, not for enabling network interfaces or connectivity.
The Technical Blueprint #
Relevant IAM Policy Snippet for Lambda Execution Role #
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
```
The Comparative Analysis #
| Option | API Complexity | Performance Impact | Use Case |
|---|---|---|---|
| A | Low | Critical | Ensures network-level connectivity |
| B | Low | Unnecessary | Incorrect inbound/outbound rule usage |
| C | Medium | Irrelevant | Misapplies public access & NAT logic |
| D | Medium | Irrelevant | Unnecessary IAM permissions for this issue |
| E | Medium | Critical | Required IAM permissions for Lambda ENIs |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick security group rule validation and IAM permissions for Lambda ENIs when diagnosing Lambda VPC network issues.
Real World #
In production, it’s common to also verify subnet routing tables and use VPC Flow Logs to confirm traffic flow — but exam questions rarely go this deep for the Associate Developer exam.
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.