
When I try to connect to my RDS instance it fails with a (111) error. If I disable the firewall:

csf -x

I can connect. If I try to add the instance via endpoint:

csf -a <RDS Endpoint>

csf errors with:

<RDS Instance> is not a valid IP/CIDR

Is there a way to make this work without having to disable csf?

chrisrth

3 Answers


As I've been working with CSF and RDS I've discovered that CSF actually has an option for dynamically getting the IP on its own. This is a great option since theoretically the IP could change for your RDS instance.

  1. Edit /etc/csf/csf.dyndns and paste in your RDS endpoint
  2. Edit /etc/csf/csf.conf
    • Change the value of DYNDNS to greater than 0, i.e. DYNDNS = "60"
    • Since this is your database, set DYNDNS_IGNORE = "1"
  3. Restart CSF and LFD
    • sudo csf -ra
  4. Wait until the DYNDNS value has elapsed and you should be good to go. If not, check your block lists

I was able to grab the region from my RDS Instance endpoint:

us-east-2

I searched for the corresponding EC2 ranges on the Amazon IP ranges list here:

https://ip-ranges.amazonaws.com/ip-ranges.json

I added the ranges needed to csf:

csf -a 18.224.0.0/14
csf -a 18.216.0.0/14

I reloaded the firewall

csf -r

I was then able to connect to the database.

chrisrth

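Added example (not part of the answer above, and not csf's or AWS's own code): a small Python script that does what this answer describes by hand, filtering ip-ranges.json for one region and service and emitting the matching csf -a commands. It also does two checks a practitioner wants before opening region-wide ranges: that the RDS address you actually resolve falls inside the chosen prefixes, and how many addresses those prefixes admit, because a whole region's EC2 space lets any EC2 host in that region through the firewall, not just your database. The embedded JSON is a constructed sample in the shape of the real file (the two us-east-2 prefixes are the ones quoted above; the other entries use documentation ranges and are invented), and 18.218.0.1 is a constructed address used only to exercise the check.

```python
import ipaddress
import json
from typing import Iterable, List, Optional

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The us-east-2 EC2 prefixes are the ones quoted in the answer above; the other
# entries are invented (documentation ranges) so the filter has something to reject.
# The real file also carries an "ipv6_prefixes" list, which this script ignores.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "18.224.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2"},
        {"ip_prefix": "18.216.0.0/14", "region": "us-east-2", "service": "EC2", "network_border_group": "us-east-2"},
        {"ip_prefix": "18.224.0.0/14", "region": "us-east-2", "service": "AMAZON", "network_border_group": "us-east-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-2", "service": "S3", "network_border_group": "us-east-2"},
    ],
    "ipv6_prefixes": [],
})


def ec2_prefixes(ip_ranges_json: str, region: str, service: str = "EC2") -> List[str]:
    """Return the IPv4 prefixes tagged with the given region and service, deduplicated, in file order."""
    data = json.loads(ip_ranges_json)
    found: List[str] = []
    for entry in data["prefixes"]:
        if entry["region"] == region and entry["service"] == service:
            if entry["ip_prefix"] not in found:
                found.append(entry["ip_prefix"])
    return found


def csf_allow_commands(prefixes: Iterable[str]) -> List[str]:
    """One 'csf -a' command per prefix, matching the commands shown in the answer."""
    return [f"csf -a {p}" for p in prefixes]


def covering_prefix(ip: str, prefixes: Iterable[str]) -> Optional[str]:
    """Return the first prefix that contains ip, or None.

    Use this with the address the RDS endpoint resolves to, so you know the
    ranges you are about to allow really cover the database.
    """
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        if addr in ipaddress.ip_network(p, strict=False):
            return p
    return None


def total_addresses(prefixes: Iterable[str]) -> int:
    """How many addresses the prefixes admit: the size of the hole being opened."""
    return sum(ipaddress.ip_network(p, strict=False).num_addresses for p in prefixes)


if __name__ == "__main__":
    prefixes = ec2_prefixes(SAMPLE_IP_RANGES, "us-east-2")
    print("\n".join(csf_allow_commands(prefixes)))
    print(f"{total_addresses(prefixes)} addresses would be allowed")
    # 18.218.0.1 is a constructed address that sits inside 18.216.0.0/14
    print("resolved RDS address covered by:", covering_prefix("18.218.0.1", prefixes))
```

To use it against the live file, replace SAMPLE_IP_RANGES with the downloaded JSON text and pass the region from your endpoint; if covering_prefix returns None for your resolved RDS address, the region or service filter is wrong and adding the ranges will not help. The address count is the argument for preferring the endpoint-specific entries described in the other answers where they work for you.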
  1. Get your RDS instance internal IP address. Assuming you are using EC2 and Linux/Ubuntu as well, SSH into your instance and type: host xxxxxxxxx.rds.amazonaws.com (substituting your RDS endpoint) - this will return your RDS internal IP address.
  2. Add this IP to /etc/csf/csf.allow and /etc/csf/csf.ignore.
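Added example (not part of either answer, and not csf's own code) covering the point shared by this answer and the DYNDNS answer above: the address behind the RDS endpoint can change, so an IP pasted into csf.allow silently stops matching. The script resolves the endpoint, parses a csf.allow-style file, and reports whether the current address is still covered, which is the check to run when connections start failing again after this fix. It also builds the narrowest useful entry, the advanced rule form that csf.allow's own header documents (tcp|out|d=PORT|d=IP), allowing outbound TCP to one port on one host instead of the whole address. The file contents, the placeholder endpoint name and all addresses (documentation ranges) are constructed; the resolver is injectable so the check can run offline, and defaults to socket.gethostbyname for real use.

```python
import ipaddress
import socket
from typing import Callable, Optional, Set, Tuple

# Constructed contents of /etc/csf/csf.allow. csf accepts one IP or CIDR per line,
# "#" comments, and the advanced rule form documented in the file's header, e.g.
# tcp|out|d=3306|d=203.0.113.11 (outbound TCP to port 3306 at that host only).
SAMPLE_CSF_ALLOW = """\
# Allow our office range
192.0.2.0/24
# RDS instance, resolved last week
203.0.113.10 # do not delete
tcp|out|d=3306|d=203.0.113.11
"""


def _as_network(value: str) -> Optional[ipaddress.IPv4Network]:
    """Parse an IP or CIDR; return None for ports, port ranges and other non-address fields."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def parse_csf_allow(text: str) -> Set[ipaddress.IPv4Network]:
    """Every address or range the file covers: plain entries plus the s=/d= fields of advanced rules."""
    networks: Set[ipaddress.IPv4Network] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split("|") if "|" in line else [line]
        for field in fields:
            if field[:2] in ("s=", "d="):
                field = field[2:]
            net = _as_network(field)
            if net is not None:
                networks.add(net)
    return networks


def is_allowed(ip: str, networks: Set[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def rds_allow_status(
    endpoint: str,
    allow_text: str,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Tuple[str, bool]:
    """Resolve the endpoint now and report (resolved_ip, covered_by_csf_allow).

    A False second value means the RDS address drifted since the file was written,
    which is exactly the failure the DYNDNS option above is meant to prevent.
    """
    ip = resolver(endpoint)
    return ip, is_allowed(ip, parse_csf_allow(allow_text))


def outbound_rule(ip: str, port: int = 3306) -> str:
    """The narrowest csf.allow entry for this case: outbound TCP to one port on one host."""
    return f"tcp|out|d={port}|d={ip}"


if __name__ == "__main__":
    # Placeholder endpoint and a fake resolver so this runs offline; drop the
    # resolver argument to use real DNS against your own endpoint.
    endpoint = "placeholder.rds.amazonaws.com"
    ip, covered = rds_allow_status(endpoint, SAMPLE_CSF_ALLOW, lambda host: "203.0.113.99")
    print(f"{endpoint} -> {ip}, covered by csf.allow: {covered}")
    if not covered:
        print("add to /etc/csf/csf.allow and reload with csf -r:", outbound_rule(ip))
```

Run it from cron or before restarting the application; when it reports False, either update the entry and reload with csf -r, or switch to the csf.dyndns approach so csf re-resolves the name for you.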