
Explanation:
The options "Run the Lambda in the VPC using private subnets" and "Reference the Lambda security group in the Aurora security group on the DB port" together provide private connectivity with the least operational overhead. Attaching the function to the VPC ensures all traffic uses VPC ENIs in private subnets, and the security-group reference grants precise inbound access on the database port without exposing the cluster.

"Create an interface VPC endpoint for Amazon RDS" is incorrect because interface endpoints cover the RDS control-plane API, not the data-plane DB connections. "Enable private DNS on the Aurora endpoint" does not establish routing or permissions and therefore doesn't by itself enable connectivity. "Use Amazon RDS Proxy and connect to the proxy endpoint" is unnecessary for basic private access and adds administrative overhead; it still requires the same VPC and security group configuration.

When you see a requirement for VPC-only access from Lambda to a database, think: attach Lambda to the VPC and use security group referencing. Avoid answers that introduce the public internet, NAT, or unnecessary services like PrivateLink for the DB data plane or RDS Proxy unless there is a clear need (e.g., connection pooling).
Which actions enable private, least-ops connectivity from an AWS Lambda function to an Aurora PostgreSQL cluster in the same VPC? (Choose 2)
A. Create an interface VPC endpoint for Amazon RDS
B. Run the Lambda in the VPC using private subnets
C. Enable private DNS on the Aurora endpoint
D. Reference the Lambda security group in the Aurora security group on the DB port
E. Use Amazon RDS Proxy and connect to the proxy endpoint