
So here's my situation: We are a young startup scaling up and we decided to give Mesosphere DCOS Community edition a try. The community edition deploys a stack of Masters, Slaves and LB's over AWS CloudFormation using a template. (our template) (editing the template to use an existing VPC causes an error: Template validation error: Template format error: Unresolved resource dependencies [<target_vpc_id>] in the Resources block of the template)

The community edition has two limits (I can't seem to find where these limits are documented):

  • it cannot be deployed over an existing VPC.
  • it creates a single-AZ VPC for each new deployment.

Now, we'd like to enable this new cluster to speak to the RDS. Obviously, we run into problems:

  • The RDS instance cannot be deployed over a single-AZ VPC
  • The RDS VPC can be peered to the DCOS VPC, but since RDS instances only have an endpoint (no static IP), that has to be resolved from the other VPC to a local address and not the global IP.

What would be the best way to approach this situation?

EDIT: So, I added a private-only RDS instance and its endpoint now correctly resolves to its local IP address from anywhere. Now, my DCOS cluster is located in a VPC which is 10.0.0.0/16, let's call this VPC-A, and my RDS instance is in VPC-B, which is 172.31.0.0/16.

Now to enable communications between the two networks, I added a VPC peering between VPC-A and VPC-B.

Next, I set up the routes in VPC-B as: Destination: 10.0.0.0/16 Target: <vpc_peering_id>

And in VPC-A as: Destination: 172.31.0.0/16 Target: <vpc_peering_id>

Security group setting for the target RDS Instance in VPC-B Inbound All Traffic All ports CIDR: 10.0.0.0/16

Security group settings for source instances in VPC-A: Outbound: All Traffic All Ports CIDR: 0.0.0.0/0

But then again, I still cannot make any connections from VPC-A to VPC-B.

I've also checked the security group settings for all instances belonging to VPC-A: All outbound traffic is allowed. And in VPC-B: All incoming traffic from 10.0.0.0/16 is allowed on port 3306.

What's going on here?

Ashesh
  • The hostname of the endpoint of a private-only-accessible RDS instance will resolve to the internal address from anywhere on the Internet. – Michael - sqlbot Sep 05 '15 at 15:39
  • @Michael-sqlbot thank you for replying, Michael. I tried what you said but it seems like now I resolve it to the correct local ip address but I still cannot make connections to the server. Please see the edit I've made to the question. I'd appreciate any input about this. – Ashesh Sep 05 '15 at 20:33
  • You mentioned setting the security group for VPC-A Outbound traffic as 0.0.0.0/0, but be sure that Inbound traffic allows at least the subnet that VPC-B contains (172.31.0.0/16). – willjasen Nov 12 '15 at 02:41
  • It does. By the way, I've given up on the idea based on `VPC Peering` – Ashesh Nov 18 '15 at 16:49
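Added example (not code from the asker or from Mesosphere): a small Python model that runs the configuration described in the question through the checks that decide whether a TCP connection from a DCOS instance in VPC-A can reach the RDS endpoint in VPC-B on 3306. The peering id, the instance addresses and the network ACLs are constructed placeholders; the question says nothing about ACLs or about which route table the subnets use, so those two checks are assumptions about what is worth verifying, not a diagnosis. The second scenario shows why a tightened NACL differs from a security group: ACLs are stateless, so the reply on ephemeral ports needs its own allow.

```python
"""Reachability checklist for VPC-A -> VPC-B over peering (constructed model, not AWS API output)."""
import ipaddress

PEERING_ID = "pcx-PLACEHOLDER"  # placeholder, not a real peering connection id

# Per VPC: its CIDR and the routes on the route table attached to the subnet in use.
# Assumption worth checking: the route must be on the table associated with that
# subnet, not only on the VPC's main route table.
VPCS = {
    "VPC-A": {"cidr": "10.0.0.0/16", "routes": {"172.31.0.0/16": PEERING_ID}},
    "VPC-B": {"cidr": "172.31.0.0/16", "routes": {"10.0.0.0/16": PEERING_ID}},
}
PEERING = {"id": PEERING_ID, "status": "active", "vpcs": {"VPC-A", "VPC-B"}}

# Rules are (protocol, from_port, to_port, cidr); "all" matches any protocol.
ALLOW_ALL = [("all", 0, 65535, "0.0.0.0/0")]
SG_DCOS = {"inbound": [], "outbound": ALLOW_ALL}                 # source instances, as in the question
SG_RDS = {"inbound": [("tcp", 3306, 3306, "10.0.0.0/16")], "outbound": ALLOW_ALL}
NACL_DEFAULT = {"inbound": ALLOW_ALL, "outbound": ALLOW_ALL}     # AWS default network ACL
# Constructed: a tightened NACL in VPC-B that admits MySQL but has no return-path rule.
NACL_B_STRICT = {"inbound": [("tcp", 3306, 3306, "10.0.0.0/16")], "outbound": []}
EPHEMERAL = (1024, 65535)


def rule_allows(rules, proto, port, ip):
    """True if any rule matches this protocol, port and address."""
    addr = ipaddress.ip_address(ip)
    return any(r_proto in ("all", proto) and lo <= port <= hi
               and addr in ipaddress.ip_network(cidr)
               for r_proto, lo, hi, cidr in rules)


def rule_allows_range(rules, proto, lo_port, hi_port, ip):
    """True if a single rule covers the whole port range (stateless reply traffic)."""
    addr = ipaddress.ip_address(ip)
    return any(r_proto in ("all", proto) and lo <= lo_port and hi >= hi_port
               and addr in ipaddress.ip_network(cidr)
               for r_proto, lo, hi, cidr in rules)


def vpc_of(ip, vpcs):
    addr = ipaddress.ip_address(ip)
    for name, vpc in vpcs.items():
        if addr in ipaddress.ip_network(vpc["cidr"]):
            return name
    raise ValueError(f"{ip} is not inside a known VPC")


def check_path(src_ip, dst_ip, port, proto="tcp", vpcs=VPCS, peering=PEERING,
               src_sg=SG_DCOS, dst_sg=SG_RDS, src_nacl=NACL_DEFAULT, dst_nacl=NACL_DEFAULT):
    """Return the list of findings that would block src -> dst:port; empty means clear."""
    problems = []
    src_vpc, dst_vpc = vpc_of(src_ip, vpcs), vpc_of(dst_ip, vpcs)

    # 1. The peering connection must be accepted (active) between exactly these VPCs.
    if peering["status"] != "active" or {src_vpc, dst_vpc} != peering["vpcs"]:
        problems.append("peering connection is not active between the two VPCs")

    # 2. A route in each direction, each pointing at the peering connection.
    for here, there in ((src_vpc, dst_vpc), (dst_vpc, src_vpc)):
        if vpcs[here]["routes"].get(vpcs[there]["cidr"]) != peering["id"]:
            problems.append(f"{here} has no route to {vpcs[there]['cidr']} via {peering['id']}")

    # 3. Security groups are stateful: only the initiating direction needs a rule.
    if not rule_allows(src_sg["outbound"], proto, port, dst_ip):
        problems.append("source security group blocks the outbound request")
    if not rule_allows(dst_sg["inbound"], proto, port, src_ip):
        problems.append(f"destination security group blocks inbound {proto}/{port} from {src_ip}")

    # 4. Network ACLs are stateless: the request and the reply each need an allow.
    if not rule_allows(src_nacl["outbound"], proto, port, dst_ip):
        problems.append("source NACL blocks the outbound request")
    if not rule_allows(dst_nacl["inbound"], proto, port, src_ip):
        problems.append("destination NACL blocks the inbound request")
    if not rule_allows_range(dst_nacl["outbound"], proto, *EPHEMERAL, src_ip):
        problems.append("destination NACL blocks the reply on ephemeral ports")
    if not rule_allows_range(src_nacl["inbound"], proto, *EPHEMERAL, dst_ip):
        problems.append("source NACL blocks the reply on ephemeral ports")
    return problems


if __name__ == "__main__":
    # Constructed addresses inside the two CIDRs from the question.
    print(check_path("10.0.1.25", "172.31.5.40", 3306))
    print(check_path("10.0.1.25", "172.31.5.40", 3306, dst_nacl=NACL_B_STRICT))
```

With the routes and security groups exactly as the question lists them and default ACLs, `check_path` returns no findings, which is the point: if the real cluster still cannot connect, the cause lies in something the question does not show (the subnet's actual route table, a non-default ACL, the peering state, or the RDS subnet group), and those are the items to pull from the console next.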
