4

I'm trying to configure access to our RDS from the instances in an Elastic Beanstalk environment.

The RDS and EB environment are in the same VPC.

The complication is that the security group for the EB instances is dynamically generated at environment creation time. I'm not sure how to configure the RDS security group to allow a dynamic security group.

I've tried using the CIDR for the VPC instead, but this doesn't seem to work.

Is there a recommended way to do this?

user1751825

2 Answers

5

EC2 security groups can be used for more than just allowing incoming and outgoing traffic. They can also be used for pure identification of EC2 instances.

When creating an Elastic Beanstalk application, EB will always create a security group for the EC2 instances, but you can also add another security group to your EC2 instances.

Using these two pieces of information, you can do the following:

  1. Create a security group for your EC2 instances. Don't give the security group any incoming or outgoing rules.
  2. Allow this security group access to your RDS instance by adding a rule to your RDS security group allowing incoming connections on port 3306 for your security group.
  3. When you create your EB application, when you're asked for a security group for your EC2 instances, select your security group. Alternatively, you can edit your already-existing EB application's configuration and add your security group to the list of security groups. It's a comma-separated list.

Once this is done, your EC2 instances should have access to your RDS instance.


As an aside, using a CIDR for your VPC in your RDS security group's incoming rule should work as well.

Matt Houser
  • Thanks, this worked fine. For some reason when I tried it previously it failed when I explicitly listed the additional SG for my instances in my config. – user1751825 Aug 12 '16 at 23:23
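The three steps above, and the CloudFormation route mentioned in the second answer, as one added example. This is not code from either answer; it is a CloudFormation template that creates the marker security group, an RDS security group whose only ingress rule is keyed on that marker group, a MySQL instance, and an Elastic Beanstalk environment that attaches the marker group to its instances. The parameter names, the `admin` master username, the `db.t3.micro` class and the default instance profile name are assumptions; the solution stack and subnets are left as parameters rather than guessed.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Marker security group for EB instances, referenced by the RDS group (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnets used for both the EB instances and the RDS subnet group (assumption)
  SolutionStackName:
    Type: String
    Description: Pick one from `aws elasticbeanstalk list-available-solution-stacks`
  InstanceProfileName:
    Type: String
    Default: aws-elasticbeanstalk-ec2-role   # assumed to exist already
  DbPassword:
    Type: String
    NoEcho: true

Resources:
  # Step 1: the marker group. It carries no ingress rules; its only job is to
  # identify the EB instances. The default allow-all egress is left in place:
  # CloudFormation cannot create a group with zero egress rules without a dummy
  # rule, and the EB-generated group already governs the instances' outbound traffic.
  AppMarkerSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Identifies application instances allowed to reach RDS
      VpcId: !Ref VpcId

  # The group attached to the RDS instance. It has no CIDR-based rules at all.
  DbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: MySQL access restricted to holders of AppMarkerSg
      VpcId: !Ref VpcId

  # Step 2: one ingress rule on the RDS group whose source is the marker group.
  # The check is made against the groups on the connecting instance's ENI, so
  # every instance the Auto Scaling group launches with AppMarkerSg is covered
  # and nothing else in the VPC CIDR is.
  DbIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt DbSg.GroupId
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      SourceSecurityGroupId: !GetAtt AppMarkerSg.GroupId

  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets for the application database
      SubnetIds: !Ref PrivateSubnetIds

  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MasterUsername: admin
      MasterUserPassword: !Ref DbPassword
      DBSubnetGroupName: !Ref DbSubnetGroup
      PubliclyAccessible: false
      VPCSecurityGroups:
        - !GetAtt DbSg.GroupId

  App:
    Type: AWS::ElasticBeanstalk::Application

  # Step 3: attach the marker group to the EB instances. EB still creates its own
  # group (AWSEBSecurityGroup); this option appends AppMarkerSg to the list of
  # groups on every instance. The value is a comma-separated list of group IDs.
  Env:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName: !Ref App
      SolutionStackName: !Ref SolutionStackName
      OptionSettings:
        - Namespace: aws:ec2:vpc
          OptionName: VPCId
          Value: !Ref VpcId
        - Namespace: aws:ec2:vpc
          OptionName: Subnets
          Value: !Join [',', !Ref PrivateSubnetIds]
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: SecurityGroups
          Value: !GetAtt AppMarkerSg.GroupId
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value: !Ref InstanceProfileName
```

Two things worth checking after deployment: `aws ec2 describe-security-groups --group-ids <DbSg id>` should show a single inbound rule on 3306 whose source is the marker group ID (no `0.0.0.0/0` and no VPC CIDR), and an instance in the environment should list both the EB-generated group and the marker group in its network interface. Group-based rules only resolve within the same VPC (or across a VPC peering), so an RDS instance in a different VPC would need a CIDR rule instead.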
3

By default, ElasticBeanstalk will create a security group associated with the instance with 0.0.0.0/0 on all ports in the Outbound tab. If you haven't changed that, then all you need to do is add the subnets the EC2 instance is situated in to the RDS Security Group (i.e. 10.10.10.0/24 on 3306). Try a telnet from the instance and you should be good.

Alternatively, you can do this with CloudFormation using EB - http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-beanstalk-environment.html

Finally, it may be possible to use ebextensions to do this, but that would be my last resort as I've had mixed success with ebextensions, especially around auto scaled instances.

Stoner79
  • I was being restricted at the RDS end. It's not configured to allow all requests from within the private subnet. I needed a convenient way to allow access to just my elastic beanstalk instances, without opening up the security to the RDS generally. Assigning an additional blank SG to the EB instances and then allowing this group at the RDS did the trick. – user1751825 Aug 12 '16 at 23:28
  • You know, I don't think I tried to open port 3306... it was a looooong day. I'll give that a try! – Exit Sep 13 '17 at 22:12
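The ebextensions route mentioned in this answer, as an added example that is not from the answer itself. Rather than attaching a second group, it targets the original problem directly: the security group Elastic Beanstalk generates for the instances has the fixed logical ID `AWSEBSecurityGroup` in the environment's CloudFormation stack, so a `.ebextensions` config can add an ingress rule to the RDS group that sources from that generated group, whatever ID it gets at creation time. The file name and the RDS group ID are assumptions.

```yaml
# .ebextensions/01-rds-ingress.config  (file name is an assumption)
#
# Adds, as part of the environment's own CloudFormation stack, an ingress rule on
# the RDS security group whose source is the instance group Elastic Beanstalk
# generates. The rule is created with the environment and removed when the
# environment is terminated, so nothing is left behind on the RDS group.
Resources:
  RdsIngressFromEbInstances:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # Security group attached to the RDS instance (assumed ID; replace with yours).
      # It must be in the same VPC as the environment.
      GroupId: sg-0123456789abcdef0
      IpProtocol: tcp
      FromPort: 3306
      ToPort: 3306
      # The EB-generated instance group, resolved when the environment stack is built.
      SourceSecurityGroupId:
        Fn::GetAtt: [AWSEBSecurityGroup, GroupId]
```

Each environment that ships this file adds its own rule to the RDS group, which is the granularity you want when staging and production share a database host. The trade-off this answer alludes to is that the rule now lives in the application bundle rather than in whatever manages the RDS instance, so a change to the RDS group ID means redeploying every environment.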