Permissions for EC2 created by Elastic Beanstalk connecting to external RDS

amazon-rdsamazon-web-serviceselastic-beanstalkpermissions

I am quite new to Elastic Beanstalk and not very proficient with server administration, but I need to set up a Django project on Elastic Beanstalk connecting to external RDS MySQL database.

I have created a separate RDS MySQL database and I can connect to it using Sequel Pro on my computer without problems. Then I have my Django project which I try to put to Elastic Beanstalk, but unfortunately without luck. If I run the local Django server from my computer, the project is browsable and Amazon RDS MySQL is accessible. However, when I run

eb deploy

I get

django.db.utils.OperationalError: (2003, "Can't connect to MySQL server
on 'myapp-staging.xxx.eu-west-1.rds.amazonaws.com' (110)")
(ElasticBeanstalk::ExternalInvocationError)

If I login to the EC2 server via SSH

eb ssh

and then check the open ports with

netstat -lntu

I don't see MySQL's port 3306 there, so I guess it is blocked by firewall.

This is what I tried regarding permissions:

I went to RDS Dashboard -> Security Groups and created myapp-mysql-security-group with EC2 Security Group connection type pointing to EC2 security group used by Elastic Beanstalk EC2 instance “awseb-e-…”.
I went to EC2 -> Security Groups and for “awseb-e-…” I set the Inbound MySQL port with source 0.0.0.0/0
I went to VPC Dashboard -> Security Groups and created myapp-mysql-security-group with Inbound Rules of MySQL port with source 0.0.0.0/0.

Then I tried to redeploy, restart servers and even rebuild environment, but nothing helped. The MySQL port 3306 is still not open in the EC2 instances created by Elastic Beanstalk.

What am I doing wrong or what is missing?

Best Answer

There seemed to be two missing points in the configuration:

I had to recreate the Elastic Beanstalk environment to be inside of the same Virtual Private Cloud (VPC) as the RDS database. This can be done by:
```
eb create myapp-staging --vpc
```

and then answering some questions like what is the VPC id.

I had to enter VPC CIDR (IP) to the allowed incoming connections for MySQL for "rds-launch-wizard" security group:

a) Go to VPC Dashboard -> Your VPCs and copy VPC CIDR.

b) Go to VPC Dashboard -> Security Groups and select the "rds-launch-wizard" group, then edit the Inbound Rules and add this rule:
```
MySQL/Aurora (3306) | TCP (6) | 3306 | <VPC CIDR here>
```

Related Solutions

Open ports between Elastic Beanstalk and one EC2 instance on AWS

I figured out the problem that was occurring. Apparently, you can't use the public IP when specifying the security group of the Elastic Beanstalk application. Using a private IP seems to be working just fine. Seems like using the Public DNS returns the private IP when using it in the EC2 instance. So instead of trying to connect to the Elastic IP, I'm now connecting to the Public DNS, which works just fine.

EC2 cannot connect to RDS on VPC. Subnet issues

Since RDS requires you to have two availability zones when deploying in a VPC, you need to make sure that beanstalk is able to get to both of them via Network ACLs as well as the permissions for the instance based security groups.

Only your ELB and your NAT instance/NAT gateway need to be public subnets, everything else should be in private subnets.

Security groups are stateful and network groups are stateless so while you only need to allow inbound rules for the security groups, you need to allow BOTH inbound and outbound ports from your beanstalk subnet to both RDS subnets using Network ACLs. See Security in Your VPC.

Here is a sample eb create to create the beanstalk environment (replace square bracketed strings):

eb create [BEANSTALK_ENVIRONMENT] --instance_type m3.medium --branch_default --cname [BEANSTALK_CNAME] --database --database.engine postgres --database.version [x] --database.size 100 --database.instance db.m4.large --database.password xxxxxxxxx --database.username ebroot --instance_profile [BEANSTALK_EC2_IAM_PROFILE] --keyname [SSH_KEY_NAME] --platform "64bit Amazon Linux 2015.03 v1.3.0 running Ruby 2.2" --region us-east-1 --tags tag1=value1,tag2=value2 --tier webserver --verbose --sample --vpc.id [vpc-xxxxxx] --vpc.dbsubnets [subnet-db000001,subnet-db000002] --vpc.ec2subnets [subnet-ec200001] --vpc.elbsubnets [subnet-elb00001] --vpc.elbpublic --vpc.securitygroups [sg-00000001] --sample --timeout 3600

subnet-db000001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-db000002 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-ec200001 (as ip range)], Allow

subnet-ec200001 NETWORK ACL RULES:

Inbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Inbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000001 (as ip range)], Allow
Outbound: Port Range: 5432, Source [subnet-db000002 (as ip range)], Allow

subnet-elb00001 NETWORK ACL RULES:

Inbound: Port Range: 80, Source 0.0.0.0/0, Allow
Inbound: Port Range: 443, Source 0.0.0.0/0, Allow
Outbound: Port Range: 80, Source 0.0.0.0/0, Allow
Outbound: Port Range: 443, Source 0.0.0.0/0, Allow

An additional note about Network ACLs -- many services don't respond on the original port but use an ephemeral port. So you may have to add the following to the inbound AND outbound network ACLs for subnets with EC2 instances:

Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow
Outbound: Port Range: 1024-65535, Source 0.0.0.0/0, Allow

There are also several useful scenarios in Recommended Network ACL Rules for Your VPC.

I hope this helps.

Best Answer

Related Solutions

Open ports between Elastic Beanstalk and one EC2 instance on AWS

EC2 cannot connect to RDS on VPC. Subnet issues

Related Topic