I have an Amazon RDS instance set up in the 'classic' EC2 (no VPC.)
I also have a VPC set up that holds our newer, migrated applications and such.
However, it would seem that there is no way to specify a combination of either CIDR or EC2 security groups in the DB Security Groups that will allow my VPC instances to connect. The allowed security groups are only the 'classic' security groups.
I cannot find any documentation that suggests this is not doable, but I cannot find any documentation in the affirmative, either. Googling lands on a lot of results the 'other way', e.g. RDS instances in VPC and instances in EC2. I have the opposite problem.
Am I looking at a point-in-time restore to a new instance(s) in VPC to get connectivity to work? I understand I can maintain a public availability requirement that I have, but I would like to simply allow my VPC instances to connect for the time being.
Best Answer
If your VPC EC2 instances are in private subnets, then to access EC2-Classic, your VPC will need a NAT. Give your NAT an elastic IP address so it's a constant public IP address.
Then in your RDS security group, allow access only for that Elastic IP address.
If your VPC EC2 instances are in public subnets, then you could give each of them elastic IP addresses and allow access to only those IP addresses in your RDS security group. This is more difficult if they are part of auto-scaling groups.