2

I've gone through the whole start-up tutorial and connect to the tinkerpop3 server remotely from an EC2 that is in the same VPC and get the error:

    gremlin> g.addV('person').property(id, '1').property('name', 'marko')
    Host did not respond in a timely fashion - check the server status and submit again.
    Type ':help' or ':h' for help.
    Display stack trace? [yN]

Any reason this might be happening?

Titus Kruse
  • I have posted a similar question here: https://forums.aws.amazon.com/thread.jspa?messageID=852473 – Fook Jun 08 '18 at 22:42
  • @Fook thanks for your response! The only way I was able to get it to work was to add an inbound rule for the specific IP address of the EC2. I'd assume the same would go for Lambda/EB/ECS. – Titus Kruse Jun 11 '18 at 15:32

2 Answers

0

Let's try a couple of things to get you started with debugging the issue here:

  1. Have you tried hitting the /status endpoint? If this endpoint is working, then there is a problem with the console configuration. If it isn't, then there is an issue with the connectivity of the EC2 instance to the DB.
  2. Can you ensure that the EC2 instance has been launched with the same security group for which you gave inbound access to port 8182 on the DB (during step #8 in the setting up instructions)?
  3. Please ensure that your cluster and instance status is "available" as observed from the Neptune console.
Divij Vaidya
  • ********.neptune.amazonaws.com/status curl: (7) Failed to connect to ******neptune.amazonaws.com port 443: Connection timed out. This is what happens when I do the curl. It was working on Friday after I added an inbound rule specifically for the EC2 IP, as I stated above, and it still connects through the Gremlin console and accesses the graph nodes. – Titus Kruse Jun 11 '18 at 16:18
  • All statuses are available and the EC2 is in the same SG/VPCs are the same. My Neptune instance does have 2 security groups belonging to the Neptune cluster referencing the same VPC (default/custom); maybe that's an issue? – Titus Kruse Jun 11 '18 at 16:46
  • You are able to connect to Neptune by adding an inbound rule for individual IP but not by adding an inbound rule for the SG (say, client-sg) which is attached to the EC2 instance. Also, Neptune instance has two SGs attached to it (default & custom). 1. Does the client-sg have outbound traffic restricted in any manner? 2. Does the default or the custom SG have inbound open for 8182 from client-sg? Having multiple SGs attached does not matter since the rules allow most permissive: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules – Divij Vaidya Jun 12 '18 at 02:44
  • No outbound restrictions on either, inbound only works for the specific IP. If I'm understanding correctly, that's the only way to do it? – Titus Kruse Jun 14 '18 at 02:26
  • See https://stackoverflow.com/a/52962529/3069919 for more details. Basically, you should associate a separate security group for your client and db, set an inbound rule for the one you attach to the database. – The-Big-K Oct 24 '18 at 06:47
0

The recommended way to manage such connections is to have 2 security groups:

  1. client - A security group that you attach to all clients, like Lambdas, EC2 instances etc. The default outbound rule gives you outbound access to every resource in the VPC. You can tighten that if you'd like.
  2. db - A security group that you should attach to your Neptune cluster. In this security group, edit the inbound rules, and explicitly add a TCP rule that allows inbound connections to your database port (8182 is the default port).

You can attach the db security group to your cluster either during creation or by modifying existing clusters.

The-Big-K
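
A check for the two-security-group setup described in the answer above, as an added example that is not part of the original question or answers: it reads a db security group in the shape returned by aws ec2 describe-security-groups and reports whether port 8182 is reachable through the client group or only through per-IP rules. The group IDs, the IP address and both sample rule sets are constructed for illustration.

```python
import ipaddress

NEPTUNE_PORT = 8182  # default Neptune port named on this page

def covers(perm, port):
    """True if an IpPermissions entry applies to TCP traffic on `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db_sg(db_sg, client_sg_id, port=NEPTUNE_PORT):
    """Return (reachable_via_client_sg, findings) for the db security group."""
    via_sg, findings = False, []
    for perm in db_sg.get("IpPermissions", []):
        if not covers(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == client_sg_id:
                via_sg = True
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                findings.append(f"{net}: port {port} open to any address")
            elif net.prefixlen == net.max_prefixlen:
                findings.append(f"{net}: single-host rule, only that one IP can connect")
            else:
                findings.append(f"{net}: CIDR rule, not tied to the client group")
    if not via_sg:
        findings.append(f"no inbound rule for {client_sg_id} on tcp/{port}")
    return via_sg, findings

# Constructed sample data (hypothetical IDs and address), not taken from the page.
CLIENT_SG = "sg-0c11e000000000000"
PER_IP_DB_SG = {"GroupId": "sg-0db00000000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8182, "ToPort": 8182,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}], "UserIdGroupPairs": []}]}
SG_REF_DB_SG = {"GroupId": "sg-0db00000000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8182, "ToPort": 8182,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": CLIENT_SG}]}]}

if __name__ == "__main__":
    for name, sg in (("per-IP rule", PER_IP_DB_SG), ("client-SG rule", SG_REF_DB_SG)):
        ok, notes = audit_db_sg(sg, CLIENT_SG)
        print(name, "-> reachable via client SG:", ok, notes)
```

The first sample mirrors the per-IP workaround from the comments; the second is the db group with an inbound rule that references the client group.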