Allow access to RDS instance from EC2 instance on same VPC

amazon-rdsamazon-web-services

I am having trouble gaining access to a MySQL RDS instance.

I am trying to connect to the RDS instance from an EC2 instance. Both the RDS instance and the EC2 instance are contained within the same VPC, myVPC. I have confirmed this by checking that VPC listed under the RDS instance and the RC2 instance matches.

Most of the questions about this issue that I found revolved around security groups. Many users had this difficulty and their problem was resolved by ensuring that the VPC security group associated with the RDS instance was the same as for their EC2 instance. In my case, both instances are on the same VPC and using the same security group. Within this security group, I have a rule that allows all inbound traffic across the full range of IPs of my VPC (ex, 172.35.0.0/16). In an attempt to get this working at all, I've allowed ALL traffic accross all ports from all IP addresses for this security group. This still has not worked.

Some reading of the documentation suggests that one should ensure that your subnets are associated with the same routing table used by your VPC. I've done this by going to the route table associated all subnets within myVPC with this routing table.

I have also tried it with and without an elastic IP. I am able to connect to my EC2 instance with the elastic IP address.

I realize that this question is asked quite a lot. As of yet, I haven't come accross one whose solution has solved my problem.

Edited: Adds more details of security settings
Both the ec2 instance and RDS use the same security group.
Within that security group is a line that says something like

MYSQL TCP 3306 172.35.0.0/16 My CIDR range

I added

MYSQL TCP 3306 172.35.0.1/32 My ec2 instance private IP

None of the above worked.

What DID work was under my network ACL settings I changed a line from

1 MySQL(3306) TCP(6) 3306 172.35.0.1/32 ALLOW

1 ALL TRAFFIC ALL ALL 0.0.0.0/32 ALLOW

So my problem has been worked out, but now I have another question. How can I avoid having 3306 open to all inbound connections. I may post this as a new question and link here.

Best Answer

I had this issue myself a couple of weeks ago. In my case, I had forgotten to allow outbound traffic on port 3306 for my EC2 instance to the VPC CIDR. Try adding an outbound rule to your EC2 instance security group looking something like this:

Type    Protocol    Port Range    Destination
MYSQL   TCP         3306          172.35.0.0/16

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

To communicate outside of the VPC, each non-default subnet needs a routing table and an internet gateway associated to it (the default subnets get an external gateway and a routing table by default).

Depending on the way you have created public subnet in the VPC, you might need to explicitly add them additionally. Your VPC setup sounds like it matches Scenario 1 - a private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet from the AWS VPC documentation.

You will need to add an internet gateway to your VPC and inside the Public subnet's routing table assign 0.0.0.0/0 (default route) to go to the assigned internet gateway. There is a nice illustration of the exact network topology inside the documentation.

Also, for more information, you can check the VPC Internet Gateway AWS documentation. Unfortunately it's a little messy and a non-obvious gotcha.

For more details about connection issues, see also: Troubleshooting Connecting to Your Instance.

EC2 cannot connect to RDS on VPC. Subnet issues

Since RDS requires you to have two availability zones when deploying in a VPC, you need to make sure that beanstalk is able to get to both of them via Network ACLs as well as the permissions for the instance based security groups.

Only your ELB and your NAT instance/NAT gateway need to be public subnets, everything else should be in private subnets.

Security groups are stateful and network groups are stateless so while you only need to allow inbound rules for the security groups, you need to allow BOTH inbound and outbound ports from your beanstalk subnet to both RDS subnets using Network ACLs. See Security in Your VPC.

Here is a sample eb create to create the beanstalk environment (replace square bracketed strings):

eb create [BEANSTALK_ENVIRONMENT] --instance_type m3.medium --branch_default --cname [BEANSTALK_CNAME] --database --database.engine postgres --database.version [x] --database.size 100 --database.instance db.m4.large --database.password xxxxxxxxx --database.username ebroot --instance_profile [BEANSTALK_EC2_IAM_PROFILE] --keyname [SSH_KEY_NAME] --platform "64bit Amazon Linux 2015.03 v1.3.0 running Ruby 2.2" --region us-east-1 --tags tag1=value1,tag2=value2 --tier webserver --verbose --sample --vpc.id [vpc-xxxxxx] --vpc.dbsubnets [subnet-db000001,subnet-db000002] --vpc.ec2subnets [subnet-ec200001] --vpc.elbsubnets [subnet-elb00001] --vpc.elbpublic --vpc.securitygroups [sg-00000001] --sample --timeout 3600

subnet-db000001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-db000002 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-ec200001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Inbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow

subnet-elb00001 NETWORK ACL RULES:

Inbound: Port Range: 80, Source 0.0.0.0/0, Allow
Inbound: Port Range: 443, Source 0.0.0.0/0, Allow
Outbound: Port Range: 80, Source 0.0.0.0/0, Allow
Outbound: Port Range: 443, Source 0.0.0.0/0, Allow

An additional note about Network ACLs -- many services don't respond on the original port but use an ephemeral port. So you may have to add the following to the inbound AND outbound network ACLs for subnets with EC2 instances:

Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow
Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow

There are also several useful scenarios in Recommended Network ACL Rules for Your VPC.

I hope this helps.

Best Answer

Related Solutions

Can’t Connect to EC2 Instance in VPC – Troubleshooting Guide

EC2 cannot connect to RDS on VPC. Subnet issues

Related Topic