pattern · javascript · Major

RDS Proxy reduces Lambda-to-RDS connection exhaustion under load

Submitted by: @seed

@aws-sdk/rds-signer v3.x

RDS proxy, connection pooling, max_connections, Lambda VPC, IAM authentication, database connections, connection exhaustion
aws-lambda

Error Messages

too many connections
FATAL: remaining connection slots are reserved
SequelizeConnectionError

Problem

Lambda functions connecting directly to RDS create a new database connection per invocation. Under concurrent load, Lambda scales to hundreds of instances simultaneously, exhausting the RDS max_connections limit and causing connection errors.

Solution

Place RDS Proxy between Lambda and RDS. RDS Proxy maintains a pool of connections to RDS and multiplexes Lambda invocations over the pool. Configure the proxy to use IAM authentication to avoid storing credentials in the function.

Why

RDS (PostgreSQL/MySQL) has a hard limit on max_connections (often 100-500 for smaller instances). Lambda can scale to thousands of concurrent instances. Without a proxy, each Lambda instance holds an open connection even when idle.

Gotchas

  • RDS Proxy must be in the same VPC as RDS — Lambda must also be in that VPC (adds cold start latency overhead, though ENI pre-provisioning mitigates this)
  • RDS Proxy does not support all PostgreSQL features — check compatibility for COPY, LISTEN/NOTIFY, and prepared statements
  • IAM authentication for RDS Proxy generates tokens valid for 15 minutes — generate fresh tokens per connection, not per request
  • RDS Proxy charges ~$0.015 per vCPU-hour of the RDS instance it fronts
  • Connection pinning (caused by SET, BEGIN, prepared statements) reduces multiplexing efficiency

Code Snippets

Connecting to RDS via RDS Proxy with IAM token authentication

import { Signer } from '@aws-sdk/rds-signer';
import { Pool } from 'pg';

// Generate IAM auth token for RDS Proxy (valid 15 min)
async function getAuthToken() {
  const signer = new Signer({
    hostname: process.env.RDS_PROXY_ENDPOINT,
    port: 5432,
    region: process.env.AWS_REGION,
    username: 'lambda_user',
  });
  return signer.getAuthToken();
}

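// Create pool once per Lambda container (outside handler)
const pool = new Pool({
  host: process.env.RDS_PROXY_ENDPOINT,
  port: 5432, // must match the port the token was signed for
  database: 'mydb',
  user: 'lambda_user',
  password: getAuthToken, // function reference: pg calls it each time it opens a new connection
  // Verify the proxy's TLS certificate: the IAM token is sent as the password,
  // so an unverified connection would hand it to whoever answers on that endpoint
  ssl: { rejectUnauthorized: true },
});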
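
Token lifetime and endpoint checks (added example, not part of the original entry): the helper below reads the non-secret fields of an IAM auth token so a failed login can be traced to an expired token or to a token signed for a different host, port or user than the pool uses. The token layout, the function names `inspectAuthToken` and `checkAuthToken`, and the sample token are assumptions made for illustration.

```javascript
// Added example. Assumed token layout (SigV4 presigned URL without scheme):
//   host:port/?Action=connect&DBUser=...&X-Amz-Date=...&X-Amz-Expires=900&...
// SAMPLE_TOKEN is constructed; its credential and signature are placeholders.
const SAMPLE_TOKEN =
  'proxy.example.internal:5432/?Action=connect&DBUser=lambda_user' +
  '&X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=EXAMPLEKEY%2F20240501%2Fus-east-1%2Frds-db%2Faws4_request' +
  '&X-Amz-Date=20240501T120000Z&X-Amz-Expires=900' +
  '&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER';

// Extract only the non-secret fields, so the result is safe to log.
function inspectAuthToken(token, now = new Date()) {
  const url = new URL(`https://${token}`);
  const q = url.searchParams;
  // X-Amz-Date uses ISO 8601 basic format, e.g. 20240501T120000Z
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(q.get('X-Amz-Date') ?? '');
  const lifetime = Number(q.get('X-Amz-Expires'));
  if (!m || !Number.isInteger(lifetime) || lifetime <= 0) {
    throw new Error('not a presigned RDS auth token');
  }
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  const issuedAt = new Date(Date.UTC(y, mo - 1, d, h, mi, s));
  const expiresAt = new Date(issuedAt.getTime() + lifetime * 1000);
  return {
    host: url.hostname,
    port: url.port ? Number(url.port) : 443, // URL drops the scheme's default port
    user: q.get('DBUser'),
    issuedAt,
    expiresAt,
    secondsLeft: Math.floor((expiresAt - now) / 1000),
  };
}

// Compare the token with the connection settings. The signature covers host
// and port, so a token signed for a different endpoint is rejected at login.
function checkAuthToken(token, expected, now = new Date(), minSecondsLeft = 60) {
  const t = inspectAuthToken(token, now);
  const problems = [];
  if (t.host !== expected.host.toLowerCase()) problems.push(`host mismatch: ${t.host}`);
  if (t.port !== expected.port) problems.push(`port mismatch: ${t.port}`);
  if (t.user !== expected.user) problems.push(`user mismatch: ${t.user}`);
  if (t.secondsLeft < minSecondsLeft) problems.push(`expires in ${t.secondsLeft}s`);
  return problems;
}
```

Log the returned fields or the problem list, never the token itself, since the full string works as a database password until it expires.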

Context

Running Lambda functions that connect to PostgreSQL or MySQL RDS instances at scale
