Amazon RDS Security Group with Load Balancer IP

Question

We have a setup where our Load Balancer is talking to one of our RDS instances at Amazon. For the Security Group of our RDS instance we have to fill in a IP Address. Only the IP address of the Load Balancer cant be used because it could change. So we should "create a CNAME record for the Load Balancer DNS name". But we can only fill in a IP address into the Security Groups, so there's the problem.

What should be do to keep it secure but also working? Because opening the RDS instance for all ip addresses doesn't seem safe to me.

For the load balancer are you referring to an AWS Elastic Load Balancer (ELB) or a 3rd party one? — , Nov 18 '15 at 14:38

score 0 · Accepted Answer · edited May 23 '17 at 11:44

I contacted AWS directly and was told that currently RDS doesn't support ELB since AWS considers ELB's use case for distributing web traffic only. Here are two links that were provided to me by AWS in case you haven't seen them:

Discussion about why it's not good to load balance to dbs for writes:

Can I use Amazon ELB for my RDS instance for load balancing?

Feature request to AWS - customers are using self managed HAProxy to accomplish:

https://forums.aws.amazon.com/thread.jspa?threadID=58633

The only work around I can think of - if you want to continue on an unsupported design - is to use the subnet IP range that the ELB's are serving assuming you are using VPC.

Amazon RDS Security Group with Load Balancer IP

1 Answers1