In AWS, our auto scaling group is launching new instances in different availability zones (for high availability) and these web instances of course require access to database (RDS) service on port 3306.

Now, what IP addresses should I allow in my RDS security group for port 3306?

Since each newly launched instance has a different IP address each time, how can we add them to the security group?

BTW: This is not just an issue for the RDS security group but for all security groups, as I can't restrict them.

Farmi

2 Answers


You don't add IP addresses for EC2 instances to your RDS security group, you add another security group. This gives every instance in the security group your EC2 instances are in access to your RDS security group / resources.

In this slightly obfuscated image you can see that my web security group (ending f4) is added to my RDS security group (ending C6).

(Image: RDS access for EC2 instances)

A related concept you may be aware of is IAM Roles. They're not applicable in this situation, but they're useful to know. They can allow EC2 instance access to practically any EC2 resource (eg S3) without having to store credentials. EC2 instances need to be started with the role, but I believe the role policy can be changed on the fly.

Tim
  • thanks, it did work for RDS and Redis when I allowed the security group for the auto-scaling web servers, but there is an issue with the NFS security group (I have a separate instance which is used to share the same files between auto-scaling instances) where I still need to allow everyone all access, otherwise it does not connect... weird! – Farmi Dec 18 '16 at 22:26
  • You can start another question for your other issue. Consider AWS EFS instead of NFS. – Tim Dec 19 '16 at 00:24
  • EFS performance is a disaster in comparison to a separate NFS instance; anyway, I have opened a case here: http://serverfault.com/questions/821500/aws-unable-to-connect-nfs-instance – Farmi Dec 19 '16 at 00:37
  • Looks like you're correct about EFS being unusably slow for scenarios that use a lot of small files. There's quite a bit of latency, so large files are fine, but small not so much. FS-CACHE / cachefilesd is meant to help (based purely on what I've read). – Tim Dec 19 '16 at 00:47
Your newly launched instances will be connected to their own security group. Maybe they are part of an auto-scale group, but it really doesn't matter. You can use the security group that the instances are using to give access to your RDS instance: (image)

Notice here we have the RDS security group that has an entry that allows traffic on TCP port 3306 from a custom source; the custom source is the security group ID of the security group that your instances are connected to.

Michael Brown
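Both answers above make the same point: the source of the RDS ingress rule is the web tier's security group ID, not an IP address. The following Python is an added example (not code from either answer or from AWS) that builds that rule in the shape EC2's AuthorizeSecurityGroupIngress API expects, applies it through a boto3 client when one is supplied, and audits an existing security group's rules to flag database ports opened to a CIDR (the "allow everyone" workaround mentioned in the comments) instead of to a security group. The security group IDs, account ID and sample rule sets are constructed placeholders.

```python
"""Security-group-to-security-group ingress for RDS on port 3306.

Added example; the IDs below are hypothetical placeholders, not real resources.
"""
from typing import List

WEB_SG_ID = "sg-0aaa111122223333a"  # hypothetical: SG attached to the auto-scaled web instances
RDS_SG_ID = "sg-0bbb444455556666b"  # hypothetical: SG attached to the RDS instance
MYSQL_PORT = 3306


def sg_source_rule(source_sg_id: str, port: int, protocol: str = "tcp") -> dict:
    """Build one IpPermissions entry whose source is another security group.

    This is the structure EC2's AuthorizeSecurityGroupIngress takes; using
    UserIdGroupPairs instead of IpRanges is what makes the rule follow the
    instances no matter which IP or availability zone they launch with.
    """
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id}],
    }


def authorize_rds_from_web(ec2_client, rds_sg_id: str, web_sg_id: str, port: int = MYSQL_PORT):
    """Apply the rule to the RDS security group.

    ec2_client is a boto3 EC2 client (boto3.client("ec2")); it is passed in so the
    function can be exercised with a stub and boto3 is only needed for a real call.
    """
    permission = sg_source_rule(web_sg_id, port)
    return ec2_client.authorize_security_group_ingress(
        GroupId=rds_sg_id, IpPermissions=[permission]
    )


def _covers_port(permission: dict, port: int) -> bool:
    """True if an ingress permission applies to TCP `port` ("-1" means all traffic)."""
    protocol = permission.get("IpProtocol")
    if protocol == "-1":
        return True
    if protocol != "tcp":
        return False
    return permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535)


def audit_db_ingress(security_group: dict, port: int = MYSQL_PORT) -> List[str]:
    """Return one finding per source that can reach `port` in a security group.

    `security_group` is one item of describe_security_groups()["SecurityGroups"].
    CIDR sources are flagged (0.0.0.0/0 or ::/0 as CRITICAL, narrower CIDRs as
    WARN); security-group sources are reported as OK.
    """
    findings = []
    for permission in security_group.get("IpPermissions", []):
        if not _covers_port(permission, port):
            continue
        cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            severity = "CRITICAL" if cidr in ("0.0.0.0/0", "::/0") else "WARN"
            findings.append(
                f"{severity}: port {port} open to CIDR {cidr}; "
                f"reference the client security group instead"
            )
        for pair in permission.get("UserIdGroupPairs", []):
            findings.append(f"OK: port {port} allowed from security group {pair['GroupId']}")
    return findings


# Constructed sample rule sets, in the shape describe_security_groups() returns.
SAMPLE_RDS_SG_OPEN = {
    "GroupId": RDS_SG_ID,
    "GroupName": "rds-mysql",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
SAMPLE_RDS_SG_SCOPED = {
    "GroupId": RDS_SG_ID,
    "GroupName": "rds-mysql",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": WEB_SG_ID, "UserId": "123456789012"}]},
    ],
}

if __name__ == "__main__":
    for label, sg in (("world-open", SAMPLE_RDS_SG_OPEN), ("sg-scoped", SAMPLE_RDS_SG_SCOPED)):
        print(label)
        for finding in audit_db_ingress(sg):
            print("  " + finding)
```

The same pattern covers the NFS case from the comments: a rule on the file-server's security group whose source is the web tier's security group (NFS uses TCP 2049) replaces an "allow everyone" rule. Against a live account, run `audit_db_ingress` over each item of `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to list every database port reachable from a CIDR.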