it seems impossible to create a RDS subnet group without using private subnets.. which, when created with CDK, require NAT gateways. 😕 if I try “isolated” subnet types, then I can’t create the

rds.SubnetGroup

:

There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public

it is NOT required to have NAT gateways. am I missing something? I have an existing setup in another account that works perfectly with a DB subnet group of private subnets, and there are no NAT gateways. EDIT: does my RDS DB even need to be in a VPC? 🤔 I must’ve configured it that way before for some good reason. can Lambdas not access the DB otherwise?

lemme answer with what i know 🤓: • RDS has to be in VPC • u need to deploy the lambdas in the same VPC to talk to it • yup NAT gateways not required

But I also think RDS can be in the default VPC which behaves differently to a customer created VPC in that it resources inside it don’t need NAT Gateways and Internet Gateways to get out to the Internet. I think, If it is deployed in a custom VPC then you can set up VPC Peering between that and the default VPC to allow comms between the them. I'm looking to experiment with this soon so can feedback what I find.

@Frank I think if you use the RDS Data API, the VPC requirement doesn't apply. I'll do some testing

Yup, thats true!

Still, seems a little shady that CDK requires a NAT Gateway whenever you define private subnets and try to use them in a DB subnet group. NATG is not necessary

It's worse than that. Any time you want to get out to the Internet from inside a VPC you need one and they cost by the hour and by the in/out megabyte. If you want redundancy, you need two of the buggers

Yep. In other words, people new to AWS and CDK could unwittingly be charged $90/month for something they may not need. I opened an issue about it

Our setup is Aurora Serverless in Isolated VPC and it works without having a NAT gateway:

const vpc = new ec2.Vpc(this, 'VPC', {
      cidr: '10.0.0.0/16',
      // Use all AZs in a region
      maxAzs: 99,
      // For now we don't need NAT or DNS hostnames,
      // if we add private/public subnets we'll need to change this
      natGateways: 0,
      enableDnsHostnames: false,
      enableDnsSupport: false,
      subnetConfiguration: [
        {
          cidrMask: 26,
          name: 'database',
          // No NAT Gateway (i.e. no internet access from this subnet)
          subnetType: ec2.SubnetType.ISOLATED,
        },
      ],
    });

    const cluster = new rds.ServerlessCluster(this, 'Database', {
      engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
      parameterGroup: rds.ParameterGroup.fromParameterGroupName(
        this,
        'ParameterGroup',
        'default.aurora-postgresql10'
      ),
      vpc,
      vpcSubnets: {
        subnetType: SubnetType.ISOLATED,
      },
      backupRetention: env.database.backupRetention,
      removalPolicy: env.database.removalPolicy,
      scaling: {
        autoPause: env.database.scalingAutoPause,
        minCapacity: env.database.scalingMinCapacity,
        maxCapacity: env.database.scalingMaxCapacity,
      },
      defaultDatabaseName: this.databaseName,
      enableDataApi: true,
    });

(or at least I think we don't have a NAT gateway 🤣 )

@Akos hmm. weird.. for my definition, it wouldn’t work. and I’m not sure how you avoided certain properties, like

bindToCluster

- see my code here: https://github.com/aws/aws-cdk/issues/929#issuecomment-894580874