I am quite new to Elastic Beanstalk and not very proficient with server administration, but I need to set up a Django project on Elastic Beanstalk connecting to an external RDS MySQL database.
I have created a separate RDS MySQL database and I can connect to it using Sequel Pro on my computer without problems. Then I have my Django project, which I am trying to put on Elastic Beanstalk, but unfortunately without luck. If I run the local Django server from my computer, the project is browsable and Amazon RDS MySQL is accessible. However, when I run
    eb deploy
I get
    django.db.utils.OperationalError: (2003, "Can't connect to MySQL server
    on 'myapp-staging.xxx.eu-west-1.rds.amazonaws.com' (110)")
    (ElasticBeanstalk::ExternalInvocationError)
If I log in to the EC2 server via SSH
    eb ssh
and then check the open ports with
    netstat -lntu
I don't see MySQL's port 3306 there, so I guess it is blocked by a firewall.
This is what I tried regarding permissions:
- I went to RDS Dashboard -> Security Groups and created myapp-mysql-security-group with the EC2 Security Group connection type pointing to the EC2 security group used by the Elastic Beanstalk EC2 instance “awseb-e-…”.
- I went to EC2 -> Security Groups and for “awseb-e-…” I set the Inbound MySQL port with source 0.0.0.0/0.
- I went to VPC Dashboard -> Security Groups and created myapp-mysql-security-group with Inbound Rules of MySQL port with source 0.0.0.0/0.
Then I tried to redeploy, restart the servers and even rebuild the environment, but nothing helped. The MySQL port 3306 is still not open in the EC2 instances created by Elastic Beanstalk.
What am I doing wrong or what is missing?
Best Answer
There seemed to be two missing points in the configuration:
I had to recreate the Elastic Beanstalk environment to be inside of the same Virtual Private Cloud (VPC) as the RDS database. This can be done by:
and then answering some questions like what is the VPC id.
I had to enter the VPC CIDR (IP) into the allowed incoming connections for MySQL for the "rds-launch-wizard" security group:
a) Go to VPC Dashboard -> Your VPCs and copy the VPC CIDR.
b) Go to VPC Dashboard -> Security Groups and select the "rds-launch-wizard" group, then edit the Inbound Rules and add this rule:
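
Added example, not part of the original question or answer: a small offline check of whether the inbound rules on the database's security group admit MySQL traffic from the Elastic Beanstalk instance, and whether any rule opens the port to 0.0.0.0/0. The rule dictionaries follow the `IpPermissions` shape returned by EC2 `describe-security-groups`; every group ID, IP address and CIDR below is constructed sample data.

```python
import ipaddress

MYSQL_PORT = 3306

def covers_port(perm, port):
    """True if one IpPermissions entry applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit_db_ingress(db_perms, client_sg_id, client_ip, port=MYSQL_PORT):
    """Evaluate the DB group's inbound rules for one client instance.

    client_ip is the instance's private IP, which is what the DB side
    sees for traffic that stays inside the VPC.
    """
    addr = ipaddress.ip_address(client_ip)
    via, world_open = [], False
    for perm in db_perms:
        if not covers_port(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == client_sg_id:
                via.append("sg:" + client_sg_id)
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                world_open = True  # reachable from any IPv4 address
            if addr in net:
                via.append("cidr:" + str(net))
    return {"reachable": bool(via), "via": via, "world_open": world_open}

def mysql_rule(cidrs=(), groups=()):
    """Build one constructed inbound rule for TCP 3306."""
    return {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed sample data (hypothetical IDs and addresses).
EB_SG, EB_IP = "sg-0eb0000000000001", "172.31.20.15"
LAPTOP_ONLY = [mysql_rule(cidrs=["203.0.113.7/32"])]  # only one workstation IP
VPC_CIDR = [mysql_rule(cidrs=["172.31.0.0/16"])]      # rule from the answer's step b)
WORLD = [mysql_rule(cidrs=["0.0.0.0/0"])]             # open to everyone
SG_REF = [mysql_rule(groups=[EB_SG])]                 # only the EB instance group

if __name__ == "__main__":
    for name in ("LAPTOP_ONLY", "VPC_CIDR", "WORLD", "SG_REF"):
        print(name, audit_db_ingress(globals()[name], EB_SG, EB_IP))
```

A timeout (errno 110) from the instance with `reachable` false on the database group points at the inbound rules on the RDS side; `netstat -lntu` on the EC2 instance only lists ports that instance itself is listening on.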