
We run an elastic beanstalk application that comes with an application load balancer, let's call the environment core. On another EC2 runs our database.

I want to make the database accessible via instances in core only, how should I go about it?

  1. VPC - too complicated. In my understanding both need to be in the same VPC and the load balancer simply opened to the world. However, this comes with the overhead of setting up the VPC.

  2. Whitelist IPs on the database EC2 that correspond to the core EC2 instances. However, since this is a load-balanced environment those IPs will change as the number of instances scales up / down.

  3. Whitelisting the LB security group in the EC2 database, but traffic still does not go through from EC2 EB to EC2 DB and I have no idea why. That would be my preferred way of doing it for now and I would really appreciate help here. Note: an RDS security group won't work if my understanding is correct, since I'm using a custom DB on the EC2 - none of the AWS solutions.

Here is the solution:

If you use the public IP address, then AWS doesn't recognize the connection as originating from the EB security group and will deny the connection.

Lyubomir
  • I would say a properly configured VPC is the foundation for valid application security, and would be the appropriate approach to any robust solution to your question. If you wish to secure your DB, a VPC is step 1. You have a default VPC in your account. Strongly suggest you use it and not exclude it from your environment. It's really not that complicated. – Rodrigo Murillo Feb 27 '18 at 23:19
  • Can you write an answer with an approach for how you'd imagine working it on AWS via VPC: like the Elastic Beanstalk + DB on the same VPC and opening the EB interface to the world? Is that correct? I thought this was a fairly common use case where there must be a solution w/o VPC – Lyubomir Feb 28 '18 at 01:17
  • If you're running in EC2-Classic you can configure your RDS security group to allow traffic from a specific EC2 security group, and then assign that EC2 security group to the instances launched by Beanstalk. But, really, VPC is a much better solution. – kdgregory Feb 28 '18 at 01:45
  • thanks for the input, I've edited my question! – Lyubomir Feb 28 '18 at 10:36
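The security-group-to-security-group rule the question is circling (option 3, corrected) can be written down as infrastructure code. The following CloudFormation template is an added example and is not part of the original question or any answer. It assumes both tiers live in one VPC (passed in as a parameter), that a custom security group is attached to the Beanstalk instances themselves rather than to the load balancer, and a PostgreSQL port of 5432, since the question does not say which database engine runs on the EC2 host; resource names are made up for illustration.

```yaml
# Added example (not from the original question): a database security group
# that admits traffic only from the security group attached to the Elastic
# Beanstalk instances. Resource names, the VPC parameter and the port are
# assumptions; the question does not state which database engine is in use.
AWSTemplateFormatVersion: "2010-09-09"
Description: DB reachable only from Elastic Beanstalk instances (illustrative)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id        # assumed: the VPC both tiers live in
  DbPort:
    Type: Number
    Default: 5432                  # assumed: PostgreSQL; change for your engine

Resources:
  # Attach this group to the Beanstalk *instances* (not to the load balancer):
  # in .ebextensions, namespace aws:autoscaling:launchconfiguration,
  # option SecurityGroups.
  EbInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Elastic Beanstalk instances of environment "core"
      VpcId: !Ref VpcId

  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database host; ingress only from EB instances
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # The source is a security group, not a CIDR or IP list, so
        # membership follows the instances as the environment scales
        # up and down; no IP whitelist to maintain.
        - IpProtocol: tcp
          FromPort: !Ref DbPort
          ToPort: !Ref DbPort
          SourceSecurityGroupId: !Ref EbInstanceSecurityGroup
          Description: DB port from Beanstalk instances only
      # Deliberately no 0.0.0.0/0 rule on the DB port. Clients must use the
      # DB host's private IP or private DNS name: a connection made to the
      # public address leaves the VPC and is not matched against the
      # source security group, which is the failure the question describes.

Outputs:
  DbSecurityGroupId:
    Value: !Ref DbSecurityGroup
  EbInstanceSecurityGroupId:
    Value: !Ref EbInstanceSecurityGroup
```

Two practical notes on this layout. First, the group that matters is the one on the Beanstalk instances: the database connection originates from the instances' own network interfaces, not from the load balancer, so referencing the load balancer's security group in the DB rule (option 3 as originally tried) never matches. Second, the check that confirms it is working is simple: from a Beanstalk instance, a connection to the database host's private address on `DbPort` should succeed, while the same connection to its public address should be refused; if the private connection is also refused, the instance is not actually a member of `EbInstanceSecurityGroup` or the two hosts are not in the same VPC.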
