Cloud Engineering
15 min read, March 25, 2026

AWS Amplify in a VPC: Connecting to RDS and Private Resources

One of the biggest hurdles for enterprise Amplify projects is networking. Here is how to correctly configure Amplify Gen 2 to talk to RDS inside a private VPC without breaking the bank.

Ajeet Yadav
Platform & Cloud Engineer

AWS Amplify is often praised for its "Serverless" simplicity, but for enterprise applications, "Serverless" doesn't mean "No Networking." Nearly every serious application eventually needs to connect to an Amazon RDS database or a private microservice residing within a Virtual Private Cloud (VPC).

By default, Amplify's backend (Lambda functions) runs in a managed service environment outside your VPC. If your database is tucked away in a private subnet for security, Amplify can't see it—unless you bridge the gap.

In this guide, we’ll look at how to architect Amplify Gen 2 for VPC connectivity.


1. The Core Architecture: VPC Lambda Attachment

To get your Amplify backend to "talk" to your VPC, you must attach your Lambda functions to specific subnets within that VPC.

When a Lambda is VPC-attached:

  1. It is assigned an Elastic Network Interface (ENI) from your subnet’s IP pool.
  2. It gains a private IP address within that subnet.
  3. It obeys the Security Group rules of that VPC.

Security Group Checklist

For a Lambda to talk to RDS:

  • Outbound (Lambda SG): Allow TCP egress on the database port (e.g., 5432 for Postgres) to the RDS Security Group.
  • Inbound (RDS SG): Allow TCP ingress on the database port from the Lambda’s Security Group.
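A check for the two rules above, written as an added example that is not part of the original post. It assumes security-group data in the shape of the aws ec2 describe-security-groups output; the two sample groups are constructed (sg-0rds0000 is a placeholder), and any CIDR-based rule on the database port is reported as broader than the SG-to-SG rule the checklist calls for.

```typescript
// Added example (not from the original post): check that a Lambda SG / RDS SG pair
// matches the checklist above. Inputs are shaped like `aws ec2 describe-security-groups`
// output; the two groups at the bottom are constructed samples.
type Rule = {
  IpProtocol: string; FromPort?: number; ToPort?: number;
  IpRanges?: { CidrIp: string }[]; UserIdGroupPairs?: { GroupId: string }[];
};
type SecurityGroup = { GroupId: string; IpPermissions: Rule[]; IpPermissionsEgress: Rule[] };

const DB_PORT = 5432; // Postgres, as in the checklist

// Does this rule cover TCP on `port`? ("-1" means all protocols and all ports.)
function coversPort(r: Rule, port: number): boolean {
  if (r.IpProtocol === '-1') return true;
  if (r.IpProtocol !== 'tcp') return false;
  return (r.FromPort ?? 0) <= port && port <= (r.ToPort ?? 65535);
}

function referencesGroup(r: Rule, groupId: string): boolean {
  return (r.UserIdGroupPairs ?? []).some(p => p.GroupId === groupId);
}

// Returns findings; an empty array means the pairing matches the checklist.
function auditLambdaToRds(lambdaSg: SecurityGroup, rdsSg: SecurityGroup): string[] {
  const findings: string[] = [];
  if (!lambdaSg.IpPermissionsEgress.some(r => coversPort(r, DB_PORT) && referencesGroup(r, rdsSg.GroupId)))
    findings.push(`${lambdaSg.GroupId}: no TCP/${DB_PORT} egress rule to ${rdsSg.GroupId}`);
  if (!rdsSg.IpPermissions.some(r => coversPort(r, DB_PORT) && referencesGroup(r, lambdaSg.GroupId)))
    findings.push(`${rdsSg.GroupId}: no TCP/${DB_PORT} ingress rule from ${lambdaSg.GroupId}`);
  // Referencing the Lambda SG is the point: a CIDR-wide rule on the DB port is broader than that.
  for (const r of rdsSg.IpPermissions)
    if (coversPort(r, DB_PORT) && (r.IpRanges ?? []).length > 0)
      findings.push(`${rdsSg.GroupId}: TCP/${DB_PORT} ingress from CIDR ${r.IpRanges!.map(c => c.CidrIp).join(',')}`);
  return findings;
}

// Constructed sample: correct SG-to-SG rules, plus a stray CIDR rule someone added later.
const lambdaSg: SecurityGroup = {
  GroupId: 'sg-87654321', IpPermissions: [],
  IpPermissionsEgress: [{ IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432, UserIdGroupPairs: [{ GroupId: 'sg-0rds0000' }] }],
};
const rdsSg: SecurityGroup = {
  GroupId: 'sg-0rds0000',
  IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432, UserIdGroupPairs: [{ GroupId: 'sg-87654321' }] },
    { IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432, IpRanges: [{ CidrIp: '10.0.0.0/8' }] },
  ],
  IpPermissionsEgress: [],
};
```

Feeding the real describe-security-groups output into auditLambdaToRds gives the same three findings for a live account.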

2. The Private Subnet Catch: Internet Access

This is where most engineers get stuck. When you attach a Lambda to a VPC, it loses its default access to the public internet.

If your Lambda needs to call an external API (like Stripe or Twilio), or even talk to other AWS services like S3 (without a VPC Endpoint), you have two choices:

  1. The Expensive Way (NAT Gateway): Route your private subnet traffic through a NAT Gateway in a public subnet. Warning: NAT Gateways cost ~$32/month + data processing fees.
  2. The Efficient Way (VPC Endpoints): Use Interface VPC Endpoints (PrivateLink) for specific AWS services. This is often cheaper and more secure than a NAT Gateway if you only need to talk to AWS services.

3. Amplify Gen 2 Implementation

In Amplify Gen 2, networking is defined in your amplify/backend.ts using CDK overrides. Because defineFunction doesn't currently expose full VPC props, we leverage the backend object to reach into the underlying CloudFormation resource.

```typescript
import { defineBackend } from '@aws-amplify/backend';
import * as iam from 'aws-cdk-lib/aws-iam';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { myVpcLambda } from './functions/my-vpc-lambda/resource';

const backend = defineBackend({
  auth,
  data,
  myVpcLambda
});

// Reach into the underlying CloudFormation resource (AWS::Lambda::Function).
// ec2.Vpc.fromLookup is not usable here: it needs account/region on the stack,
// which Amplify's environment-agnostic stacks do not set.
const cfnFunction = backend.myVpcLambda.resources.cfnResources.cfnFunction;

// Attach the function to private subnets of the existing VPC vpc-12345678.
// The subnet IDs are placeholders: pick at least two private subnets in different AZs.
cfnFunction.vpcConfig = {
  subnetIds: ['subnet-aaaaaaaa', 'subnet-bbbbbbbb'],
  securityGroupIds: ['sg-87654321']
};

// A VPC-attached function's execution role must be allowed to create and delete ENIs.
backend.myVpcLambda.resources.lambda.role?.addManagedPolicy(
  iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole')
);
```

4. Connecting to RDS: Proxy vs. Direct

If you are using AWS Lambda to talk to RDS, you should almost always use an RDS Proxy.

  • Connection Pooling: Lambda scales out fast and can easily exhaust the connection limit of a small RDS instance. RDS Proxy pools these connections for you.
  • IAM Auth: RDS Proxy supports IAM authentication, meaning you don't have to manage database passwords inside your Lambda environment variables.

Amplify Data Integration

Amplify Data (AppSync) can now connect directly to RDS using the a.sql() command, which handles much of the boilerplate Lambda generation for you. However, you still need to ensure the database connection secrets (host, port, user) are correctly stored in AWS Secrets Manager.


5. Summary and Best Practices

  1. Least Privilege: Only attach Lambdas to a VPC if they actually need to reach private resources.
  2. Availability Zones: Always select multiple subnets (at least two) across different AZs to avoid a single point of failure.
  3. Monitor ENI Limits: If your Lambda scales to thousands of concurrent executions, ensure your subnet has enough IP addresses available for the ENIs.
  4. Use CDK for Clean Netops: Don't manually click around the console. Define your VPC logic in backend.ts so it’s reproducible across dev, staging, and prod.
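The subnet rules from section 2 (a VPC-attached Lambda loses internet access unless a NAT route or VPC endpoints are in place) and from items 2 and 3 above (two AZs, enough free IPs) can be checked before deploying. The block below is an added example, not code from the original post; it assumes inputs shaped like the output of aws ec2 describe-subnets, describe-route-tables and describe-vpc-endpoints, with constructed sample data and placeholder IDs.

```typescript
// Added example (not from the original post): an offline pre-flight check on the subnets
// you intend to put in the Lambda's vpcConfig. Inputs are shaped like the output of
// `aws ec2 describe-subnets`, `describe-route-tables` and `describe-vpc-endpoints`.
type Route = { DestinationCidrBlock?: string; GatewayId?: string; NatGatewayId?: string };
type RouteTable = { Routes: Route[]; Associations: { SubnetId?: string }[] };
type Subnet = { SubnetId: string; AvailabilityZone: string; AvailableIpAddressCount: number };
type Endpoint = { ServiceName: string; SubnetIds: string[] };

// Where does the subnet's default route go? (Assumes each subnet has an explicit association.)
function egressOf(subnetId: string, tables: RouteTable[]): 'igw' | 'nat' | 'none' {
  const rt = tables.find(t => t.Associations.some(a => a.SubnetId === subnetId));
  const def = rt?.Routes.find(r => r.DestinationCidrBlock === '0.0.0.0/0');
  if (def?.GatewayId?.startsWith('igw-')) return 'igw';
  if (def?.NatGatewayId) return 'nat';
  return 'none';
}

// Returns findings for the chosen subnets; an empty array means they pass all checks.
function preflight(chosen: string[], subnets: Subnet[], tables: RouteTable[], endpoints: Endpoint[], minFreeIps: number): string[] {
  const findings: string[] = [];
  const azs = new Set<string>();
  for (const id of chosen) {
    const sn = subnets.find(s => s.SubnetId === id);
    if (!sn) { findings.push(`${id}: subnet not found`); continue; }
    azs.add(sn.AvailabilityZone);
    if (sn.AvailableIpAddressCount < minFreeIps)
      findings.push(`${id}: only ${sn.AvailableIpAddressCount} free IPs for Lambda ENIs`);
    const eg = egressOf(id, tables);
    // A VPC-attached Lambda never gets a public IP, so an IGW route gives it no internet.
    if (eg === 'igw') findings.push(`${id}: public subnet; IGW route is useless for Lambda`);
    if (eg === 'none') {
      const svc = endpoints.filter(e => e.SubnetIds.includes(id)).map(e => e.ServiceName);
      findings.push(`${id}: no NAT route; only endpoint services reachable: ${svc.join(', ') || 'none'}`);
    }
  }
  if (azs.size < 2) findings.push(`subnets span ${azs.size} AZ(s); use at least two`);
  return findings;
}

// Constructed sample: subnet-aaaa is private with a NAT route; subnet-bbbb has no default
// route but a Secrets Manager interface endpoint; both sit in the same AZ.
const sampleSubnets: Subnet[] = [
  { SubnetId: 'subnet-aaaa', AvailabilityZone: 'us-east-1a', AvailableIpAddressCount: 200 },
  { SubnetId: 'subnet-bbbb', AvailabilityZone: 'us-east-1a', AvailableIpAddressCount: 12 },
];
const sampleTables: RouteTable[] = [
  { Routes: [{ DestinationCidrBlock: '0.0.0.0/0', NatGatewayId: 'nat-1111' }], Associations: [{ SubnetId: 'subnet-aaaa' }] },
  { Routes: [{ DestinationCidrBlock: '10.0.0.0/16', GatewayId: 'local' }], Associations: [{ SubnetId: 'subnet-bbbb' }] },
];
const sampleEndpoints: Endpoint[] = [{ ServiceName: 'com.amazonaws.us-east-1.secretsmanager', SubnetIds: ['subnet-bbbb'] }];
```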

Struggling with complex AWS networking or VPC routing for your Amplify apps? Book a consultation with our Cloud Architects. We specialize in bridging the gap between frontend simplicity and enterprise infrastructure.
