I have a question about EC2 and RDS instances.

I'd like to restrict connection to the database only from one particular EC2 instance using MySQL users.

Security groups allow MySQL communication from EC2 instances to the RDS instances.

The situation is as follows:

  • An EC2 instance in the security group ec2_instances
  • An RDS instance in the security group rds_instances
  • An admin user on the RDS instance with the following config: 'admin'@'%'

I'd like to create a MySQL user to restrict only the DNS name of a particular EC2 instance.

I've created some users named:

  • 'testi'@'ip-int_ip.eu-west-1.compute.internal'
  • 'teste'@'ec2-elastic_ip.eu-west-1.compute.amazonaws.com'
  • 'testp'@'internal_route_53_dns'

None of those work; it looks just like the RDS instance wasn't doing any PTR request to look up the client's IP...

I always get the following error, which makes me think it doesn't even reverse lookup the IP:

ERROR 1045 (28000): Access denied for user 'testi'@'internal_ip' (using password: YES)

Since I am sharing a security group for all EC2 instances and another group for all the RDS instances, I'd like a way of "coupling" an EC2 with an RDS one.

BE77Y
vfrans

2 Answers

  • In the security group of RDS, allow your EC2 local IP (private IP)
  • `create user 'username'@'EC2 local IP' identified by 'password';`
maqsimum
    Thanks for your answer; unfortunately, that's not what I want. I want to have a DNS record in the user config of MySQL because, in case I recreate my instance, the private IP will change but the DNS name won't, so no change is necessary in the MySQL config. – vfrans Jun 04 '15 at 13:22
  • OK, here is your solution: on your EC2 instance, `vim /etc/hosts` and add your EC2 IP with the hostname next to it. Then go to Route53 and add a DNS entry for that hostname pointing to the EC2 instance, and then allow 'user'@'hostname' in RDS. – maqsimum Jun 04 '15 at 13:32
  • Thanks, I've tried your solution, still no luck ;). I've added my IP to the Route53 internal DNS and also created a Route53 reverse record. I've added to /etc/hosts the record as stated in Route53 (even though it resolves the name without issue using the Amazon internal DNS servers), and I still have the same error with 'user'@'ip' and not 'user'@'dns'.... Why is RDS not reverse resolving my IP? – vfrans Jun 04 '15 at 13:51
  • `skip-name-resolve = OFF` – this is one of the parameters in MySQL which should be off. – maqsimum Jun 05 '15 at 05:39
  • Moreover, make sure MySQL has just one grant entry for the user which you want to connect via the specific hostname. Meaning that if the user has a grant for the IP as well as for the hostname of the EC2, it may lead MySQL to confusion; better to create one more user and then just give grant permission from the hostname you want. Additionally, check the result of the `host ec2-ip` command: it should give the desired hostname, and probably should fetch it from your Route53. Also, double check your local EC2 instance's hostname configuration: [link](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html) – maqsimum Jun 05 '15 at 06:05
  • First of all, thanks :) I've already checked skip-name-resolve; it's OFF already (show variables in the mysql prompt). Hostnames are definitely fine since I can resolve from my name to my IP and from my IP to my name without issue (from any EC2 instance, btw) using the `host ec2-ip` or `host ec2-name` commands. I've created a user called 'testdns' which is unique, using my DNS name ('testdns'@'ec2-name'), still no luck :( I must be missing something but I can't see what... – vfrans Jun 05 '15 at 06:55
In order to grant access by hostname you need to set up both your forward and reverse DNS records correctly, as mentioned in this thread.

Bazze
  • DNS seems well configured since I can resolve both ways on any host. Using the command `host ec2-ip` resolves the name and using `host ec2-name` resolves the IP on any EC2 instance. (See my comment on maqsimum's response for more details) – vfrans Jun 05 '15 at 06:57
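As an added illustration (not code from either answer or from the thread's author), the following Python models how MySQL chooses the account row for an incoming connection, which is the mechanism both answers above rely on: the server compares the client's address, and its resolved name only when reverse lookup is in use and yields one, against each account's host value, so a hostname-scoped account cannot match a client the server knows only by IP, which is what the `'testi'@'internal_ip'` in the error shows. All account rows, addresses and names below are constructed placeholders, and the sort order is an approximation of the server's specificity ordering.

```python
import ipaddress
import re
from typing import Optional

def _like(pattern: str, value: str) -> bool:
    """SQL LIKE semantics MySQL uses for account host values: % = any run, _ = one char."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def host_matches(account_host: str, client_ip: str, client_name: Optional[str]) -> bool:
    """Does one account's host value cover this client?
    client_name is the name the server obtained by reverse lookup, or None when
    it only knows the IP (skip_name_resolve=ON, or no usable PTR record)."""
    if "/" in account_host:  # 'a.b.c.d/netmask' form, matched on the address only
        base, mask = account_host.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{base}/{mask}", strict=False)
    if _like(account_host, client_ip):
        return True
    return client_name is not None and _like(account_host, client_name)

def pick_account(accounts, user, client_ip, client_name=None):
    """Return the (user, host) row MySQL would select, or None (Access denied).
    Rows are tried most-specific host first: literal hosts and addresses before
    wildcard patterns, '%' last (an approximation of the server's sort order)."""
    def specificity(row):
        host = row[1]
        wildcards = host.count("%") + host.count("_")
        return (wildcards > 0, wildcards, -len(host))
    for row in sorted(accounts, key=specificity):
        if row[0] == user and host_matches(row[1], client_ip, client_name):
            return row
    return None

# Constructed account table mirroring the thread: a '%' admin, two
# hostname-scoped users and one netmask-scoped user (placeholder addresses).
ACCOUNTS = [
    ("admin", "%"),
    ("testi", "ip-10-0-0-5.eu-west-1.compute.internal"),
    ("testdns", "ip-10-0-0-5.eu-west-1.compute.internal"),
    ("appuser", "10.0.0.0/255.255.255.0"),
]

if __name__ == "__main__":
    # Server knows the client only by IP -> the hostname-scoped account is skipped.
    print(pick_account(ACCOUNTS, "testi", "10.0.0.5"))
    # Reverse lookup supplied the name -> the same account now matches.
    print(pick_account(ACCOUNTS, "testi", "10.0.0.5", "ip-10-0-0-5.eu-west-1.compute.internal"))
    # Netmask-scoped accounts never depend on name resolution.
    print(pick_account(ACCOUNTS, "appuser", "10.0.0.77"))
```

The first call returning None is the thread's situation: with no client name available, only an IP-, netmask- or wildcard-scoped row can match.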