
I am fairly new to AWS, so I am sure that I am just missing something, but here is my problem:

I have created a VPC with 3 subnets and one security group linked to all of them. The security group accepts inbound from my machine. Next I have created two RDS instances (both PostgreSQL), put them into that VPC and linked them to the VPC security group. Weirdly, I can only connect to one of them, for the other one I get a generic time-out error.

Any idea on what I am missing? I can share any more details if needed.

EDIT: Both RDS instances are deployed on the same subnets and I am trying to connect from my machine on the internet.

Lennart
  • Could you please clarify your situation? Are you wanting to connect from a computer on the Internet to the RDS instances? Are the RDS instances in the same subnet? (They don't need to be, but knowing would help with trying to debug your situation.) Feel free to edit your question to clarify details. – John Rotenstein Apr 10 '19 at 22:22
  • If it is working for one RDS instance and not the other, then double-check that they are in the same subnet and are using the same security group. If one still does not work, then it is something to do with the configuration of the database. If they are brand-new RDS instances, then try launching another one and throw away the bad one. – John Rotenstein Apr 11 '19 at 02:09
  • Yes, they are in the same subnets and are using the same security groups. I have actually been spinning up new instances a couple of times already. Every nth time I can connect to the new DB, even though I use the exact same settings. So I was thinking if there is anything beyond subnets/security groups/RDS settings... – Lennart Apr 11 '19 at 06:01

1 Answer


Please verify the following to fix your issue:

  • Both RDS instances have been deployed into the same subnet.
  • If not, check that both subnets are public subnets and have a route to your internet gateway.
  • If one RDS instance (the one not working) is in a private subnet, you should consider using a bastion to access it, because by default you should not have a route to your Internet Gateway from there.

Still, you will find below a simple subnet design if you want to build something secure:

  • Create 2 public subnets if you want to deploy something directly accessible through the internet (one good practice is to deploy only managed instances there, like a load balancer).
  • Create 2 private subnets with a NAT Gateway and the correct route configuration to it.
  • Create a bastion in your public subnets to be able to access your instances in the private ones.
  • Deploy your RDS into the private subnets and create one security group for each (or one for both if they are really linked).

You will find an AWS Quick Start which deploys the whole network stack for you on VPC Architecture - AWS Quick Start.

Steve HOUEL
  • Thanks for the answer and best practices, I'll make sure to check out the Quick Start. To answer your follow ups: - Yes, both RDS instances have been deployed in the same subnet - Yes, both are public subnets and have a route to my internet gateway - I understand, right now for testing and learning purpose, I am using public subnets – Lennart Apr 11 '19 at 01:40
  • You’re welcome. I forgot to say that you should check that both RDS instances have been declared as publicly available (a parameter in your RDS config). – Steve HOUEL Apr 11 '19 at 04:19
  • Yes, they are set to be publicly available. – Lennart Apr 11 '19 at 05:35
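The answer's checklist (same subnet, a 0.0.0.0/0 route to an internet gateway, a security group that admits the client) plus the follow-up about the "publicly accessible" flag can be run as code against the output of `describe-db-instances`, `describe-subnets`, `describe-route-tables` and `describe-security-groups`. The script below is an added example written for this page, not code from the question or the answer. It evaluates each RDS instance against the subnet it actually landed in (an instance in a multi-subnet DB subnet group lives in the subnet of its own Availability Zone) and reports every failed check. The dictionaries mimic the shape of the boto3 responses but are constructed sample data: the subnet IDs, security group ID, client IP and the fact that one subnet of the group lacks an internet-gateway route are all assumptions chosen to show what the checker reports, not a diagnosis of the asker's setup.

```python
"""Offline reachability checklist for a publicly reachable RDS instance.

All data structures are constructed samples in the shape of boto3's
describe_db_instances / describe_subnets / describe_route_tables /
describe_security_groups responses. Feed real responses in the same way.
"""
import ipaddress

CLIENT_IP = "203.0.113.10"  # assumption: the workstation's public IP (TEST-NET-3)


def subnet_for_instance(db, subnets):
    """An RDS instance occupies exactly one subnet of its subnet group:
    the one in its own Availability Zone. Return that subnet or None."""
    group_ids = {s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]}
    for s in subnets:
        if s["SubnetId"] in group_ids and s["AvailabilityZone"] == db["AvailabilityZone"]:
            return s
    return None


def route_table_for(subnet_id, route_tables):
    """Explicitly associated table first; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def has_igw_route(subnet, route_tables):
    """A subnet is public only if its route table sends 0.0.0.0/0 to an igw-*."""
    rt = route_table_for(subnet["SubnetId"], route_tables)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in rt["Routes"])


def sg_allows(sg_ids, security_groups, client_ip, port):
    """True if any attached group has an inbound rule covering client_ip on port."""
    ip = ipaddress.ip_address(client_ip)
    for sg in security_groups:
        if sg["GroupId"] not in sg_ids:
            continue
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]          # "tcp" or "-1" (all traffic)
            if proto not in ("tcp", "-1"):
                continue
            if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
                continue
            if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False


def diagnose(db, subnets, route_tables, security_groups, client_ip=CLIENT_IP):
    """Return the list of failed checks for one instance; [] means it should answer."""
    problems = []
    if not db["PubliclyAccessible"]:
        problems.append("PubliclyAccessible is false")
    subnet = subnet_for_instance(db, subnets)
    if subnet is None:
        problems.append("no subnet in the DB subnet group matches the instance AZ")
    elif not has_igw_route(subnet, route_tables):
        problems.append(f"{subnet['SubnetId']} has no 0.0.0.0/0 route to an internet gateway")
    port = db["Endpoint"]["Port"]
    sg_ids = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
    if not sg_allows(sg_ids, security_groups, client_ip, port):
        problems.append(f"no security group allows {client_ip} on port {port}")
    return problems


# ---- constructed sample data (assumed IDs, not real AWS output) ----
SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-bbbb2222", "AvailabilityZone": "us-east-1b"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-aaaa1111"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234"}]},
    {"Associations": [{"Main": True}],          # subnet-bbbb2222 falls back to this one
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0123abcd",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
]


def make_db(name, az, public=True):
    """Two PostgreSQL instances with identical settings, same group, same SG."""
    return {"DBInstanceIdentifier": name, "AvailabilityZone": az,
            "PubliclyAccessible": public, "Endpoint": {"Port": 5432},
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123abcd"}],
            "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-aaaa1111"},
                                          {"SubnetIdentifier": "subnet-bbbb2222"}]}}


DB_OK = make_db("pg-one", "us-east-1a")
DB_TIMEOUT = make_db("pg-two", "us-east-1b")

if __name__ == "__main__":
    for db in (DB_OK, DB_TIMEOUT):
        print(db["DBInstanceIdentifier"],
              diagnose(db, SUBNETS, ROUTE_TABLES, SECURITY_GROUPS) or "looks reachable")
```

Both sample instances have the same settings, subnet group and security group, yet only one passes, because the subnet the second one landed in has no internet-gateway route. That is the kind of difference the checklist in the answer is asking you to look for when "identical" instances behave differently; the security group and PubliclyAccessible checks fail in the same way when the client CIDR or the flag is wrong.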