I am quite new to Elastic Beanstalk and not very proficient with server administration, but I need to set up a Django project on Elastic Beanstalk connecting to an external RDS MySQL database.

I have created a separate RDS MySQL database and I can connect to it using Sequel Pro on my computer without problems. Then I have my Django project which I try to put to Elastic Beanstalk, but unfortunately without luck. If I run the local Django server from my computer, the project is browsable and Amazon RDS MySQL is accessible. However, when I run

    eb deploy

I get

    django.db.utils.OperationalError: (2003, "Can't connect to MySQL server
    on 'myapp-staging.xxx.eu-west-1.rds.amazonaws.com' (110)")
    (ElasticBeanstalk::ExternalInvocationError)

If I log in to the EC2 server via SSH

    eb ssh

and then check the open ports with

    netstat -lntu

I don't see MySQL's port 3306 there, so I guess it is blocked by a firewall.

This is what I tried regarding permissions:

  1. I went to RDS Dashboard -> Security Groups and created myapp-mysql-security-group with EC2 Security Group connection type pointing to EC2 security group used by Elastic Beanstalk EC2 instance “awseb-e-...”.
  2. I went to EC2 -> Security Groups and for “awseb-e-...” I set the Inbound MySQL port with source 0.0.0.0/0
  3. I went to VPC Dashboard -> Security Groups and created myapp-mysql-security-group with Inbound Rules of MySQL port with source 0.0.0.0/0.

Then I tried to redeploy, restart servers and even rebuild environment, but nothing helped. The MySQL port 3306 is still not open in the EC2 instances created by Elastic Beanstalk.

What am I doing wrong or what is missing?

Aidas Bendoraitis
  • It sounds a little confusing. You said, "...from my computer, the project is browsable and Amazon RDS MySQL is accessible." Does it mean you can access the remote mysql db from your computer? Can you do a simple `telnet your_ec2_mysql_server_ip 3306` and check the output? Also log into your EC2 where mysql is running, then become root (use sudo) and execute `netstat -na | grep 3306`. – Diamond Nov 18 '15 at 11:39
  • telnet hangs and netstat returns nothing. – Aidas Bendoraitis Nov 19 '15 at 01:41
  • What does it mean by "hangs"? Can you post the output please? – Diamond Nov 19 '15 at 09:43
  • There is no output. It just doesn't respond and doesn't return anything. In order to quit, I have to press Ctrl + C to break the process. – Aidas Bendoraitis Nov 19 '15 at 12:28
  • Which can actually mean that you are getting connected to the mysql instance there; otherwise you should get something like: `telnet: Unable to connect to remote host: connection refused` or `telnet can't connect to remote host on port.` – Diamond Nov 19 '15 at 13:13
  • But I'm not sure, it sounds more like a firewall issue. Please go through the amazon docs again and check. (http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/java-rds.html) – Diamond Nov 19 '15 at 13:19
  • This is what I expect. I think it is a firewall issue and that is configured somehow with Amazon Permission Groups. I spent already several days trying to figure out how to set them correctly, but without luck. – Aidas Bendoraitis Nov 19 '15 at 16:38

2 Answers

There seemed to be two missing points in the configuration:

  1. I had to recreate the Elastic Beanstalk environment to be inside of the same Virtual Private Cloud (VPC) as the RDS database. This can be done by:

    eb create myapp-staging --vpc
    

and then answering some questions like what is the VPC id.

  2. I had to enter VPC CIDR (IP) to the allowed incoming connections for MySQL for "rds-launch-wizard" security group:

    a) Go to VPC Dashboard -> Your VPCs and copy VPC CIDR.

    b) Go to VPC Dashboard -> Security Groups and select the "rds-launch-wizard" group, then edit the Inbound Rules and add this rule:

    MySQL/Aurora (3306) | TCP (6) | 3306 | <VPC CIDR here>
    
Aidas Bendoraitis
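
The rule from the answer above, as an added example (not the answerer's code): a Python check of whether the database's security group admits the Beanstalk instance on port 3306, which also flags a 0.0.0.0/0 source like the ones tried in the question. The dictionaries follow the shape of `aws ec2 describe-security-groups` output; the group IDs, addresses, VPC range and the workstation-only starting rule are constructed assumptions.

```python
import ipaddress

MYSQL_PORT = 3306

def covers_port(perm, port):
    """True if one IpPermissions entry applies to TCP `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def check_db_ingress(group, client_ip, client_group_ids, port=MYSQL_PORT):
    """Return (allowed, findings) for a client reaching `port` on the database."""
    ip = ipaddress.ip_address(client_ip)
    allowed, findings = False, []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:  # 0.0.0.0/0: any address may connect
                findings.append(f"{group['GroupId']}: port {port} open to {net}")
            allowed = allowed or ip in net
        for pair in perm.get("UserIdGroupPairs", []):
            # The rule names a source security group instead of an address range.
            allowed = allowed or pair["GroupId"] in client_group_ids
    return allowed, findings

def make_group(group_id, **sources):
    """Build a constructed security group with a single MySQL ingress rule."""
    rule = {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, **sources}
    return {"GroupId": group_id, "IpPermissions": [rule]}

# Constructed sample data (hypothetical IDs and addresses, VPC CIDR 10.0.0.0/16).
EB_IP, EB_GROUPS = "10.0.1.25", {"sg-eb-instance"}
WORKSTATION_ONLY = make_group("sg-db-workstation", IpRanges=[{"CidrIp": "203.0.113.10/32"}])
VPC_CIDR = make_group("sg-db-vpc", IpRanges=[{"CidrIp": "10.0.0.0/16"}])
SOURCE_GROUP = make_group("sg-db-source", UserIdGroupPairs=[{"GroupId": "sg-eb-instance"}])
WORLD_OPEN = make_group("sg-db-world", IpRanges=[{"CidrIp": "0.0.0.0/0"}])

if __name__ == "__main__":
    for group in (WORKSTATION_ONLY, VPC_CIDR, SOURCE_GROUP, WORLD_OPEN):
        print(group["GroupId"], check_db_ingress(group, EB_IP, EB_GROUPS))
```

The source-group form admits only instances attached to the Beanstalk group, which is narrower than allowing the whole VPC range.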

Without using a custom VPC, the easiest way to add an existing security group to EB EC2 instances is to use the simple configuration described in https://github.com/awsdocs/elastic-beanstalk-samples/blob/master/configuration-files/aws-provided/security-configuration/securitygroup-addexisting.config

For example:

    $ cat .ebextensions/securitygroup-addexisting.config
    option_settings:
      - namespace: aws:autoscaling:launchconfiguration
        option_name: SecurityGroups
        value: rds-launch-wizard-1

pba