
So I have a primary RDS in us-east-1 & a replica in us-west-1. Both are inside VPCs in their respective regions. I want to have one of my EC2 instances in us-east-1 connect to the replica instance.

A simple solution is to enable public access for the RDS replica and add the IP of the EC2 to its security group and it works.

But instead of allowing a static IP, I would like to allow access to the entire CIDR range of my us-east-1 VPC, and also I don't want my instances to be publicly accessible.

To do this, I've set up a VPC peering connection between the two regions and I have added entries in the routing tables of both VPCs to forward traffic for each other's CIDR ranges to the peering connection.

The CIDR range of the EC2 instance is 172.31.0.0/16 and I have added this to the security group of the RDS replica in the us-west-1 region. But for some reason the RDS is not reachable from my EC2.

Have I missed anything else? Thanks!

To summarize my setup:

US EAST:

  • VPC CIDR: 172.31.0.0/16
  • Route Table entry: Destination 10.0.0.0/16 routes to the peering connection of us-west-1 VPC.
  • EC2 IP: 172.31.5.234

US WEST:

  • VPC CIDR: 10.0.0.0/16

  • Route Table entry: Destination 172.31.0.0/16 routes to the peering connection of us-east-1 VPC.

  • RDS:

    • Publicly Accessible: Yes
    • Security Group: Allow connections from 172.31.0.0/16
John Rotenstein
Steve Robinson
  • You may be able to do this by setting the security group of your EC2 as the source for an inbound rule on the security group for your RDS. This will open up the communication between your RDS and EC2 through the security group, with no need for an IP. – Ryan Charmley Dec 19 '19 at 20:30
  • For clarity, you add the Group ID of your application security group, such as: `sg-4e2fcf31` to the inbound source of your database (RDS) security group. This is the setup that I use in production, which should satisfy your requirements. – Ryan Charmley Dec 19 '19 at 20:34
  • Does this work even if the VPCs are in different regions? – Steve Robinson Dec 19 '19 at 20:38
  • @RyanCharmley nope, just tried that; it says "Could not update your security group rules (No changes were made): The security group does not exist" – Steve Robinson Dec 19 '19 at 20:40
  • Yea, I think if you do not allow public connections, it is required for your application and database servers to exist on the same VPC. Would also be interested to know if there is another way.. – Ryan Charmley Dec 19 '19 at 20:42
  • Ok, I've enabled public access. Even then this setup does not seem to work. But isn't the whole purpose of VPC peering to allow such a setup? – Steve Robinson Dec 19 '19 at 20:45
  • How did you set up the RDS endpoint in the connection string? I mean, connect via the DNS endpoint? – Tuan Vo Dec 19 '19 at 22:15
  • Yes, the DNS endpoint - `my-rds-instance-id.xxxxxxxxxxx.us-west-2.rds.amazonaws.com` @TuanVA – Steve Robinson Dec 19 '19 at 22:34
  • Could you trace DNS, like ping, to make sure your instance can look up the right IP? – Tuan Vo Dec 20 '19 at 00:08

1 Answer

To reproduce your situation, I did the following:

In us-east-1:

  • Created a VPC in us-east-1 with a CIDR of 172.31.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Launched an Amazon EC2 Linux instance in the public subnet

In us-west-1:

  • Created a VPC in us-west-1 with a CIDR of 10.0.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Added an additional private subnet to allow creation of an Amazon RDS Subnet Group that uses multiple AZs
  • Created an RDS Subnet Group across the two private subnets
  • Launched an Amazon RDS MySQL database in the private subnet with Publicly accessible = No

Setup peering:

  • In us-east-1, created a Peering Connection Request to the VPC in us-west-1
  • In us-west-1, accepted the Peering Request

Configure routing:

  • In us-east-1, configured the Public Route Table (used by the EC2 instance) to route 10.0.0.0/16 traffic to the peered VPC
  • In us-west-1, configured the Private Route Table (used by the RDS instance) to route 172.31.0.0/16 traffic to the peered VPC

Security Groups:

  • In us-east-1, created a security group (App-SG) that allows inbound port 22 connections from 0.0.0.0/0. Associated it with the EC2 instance.
  • In us-west-1, created a security group (RDS-SG) that allows inbound port 3306 connections from 10.0.0.0/16 (which is the other side of the peering connection). Associated it with the RDS instance.

Test:

  • Used ssh to connect to the EC2 instance in us-east-1
  • Installed the mysql client (`sudo yum install mysql`)
  • Connected to mysql with: `mysql -u master -p -h xxx.yyy.us-west-1.rds.amazonaws.com`

This successfully connected to the RDS database across the peering connection.

FYI, the DNS name of the database resolved to 10.0.2.40 (which is in the CIDR range of the us-west-1 VPC). This DNS resolution worked from both VPCs.

In summary, the important bits are:

  • Establish a 2-way peering connection
  • Configure the security group on the RDS instance to permit inbound connections from the CIDR of the peered VPC
  • No need to make the database publicly accessible
John Rotenstein
  • Thanks so much mate!! So in the RDS-SG I had opened up connections to the CIDR block of the EC2 VPC (east). I changed it to the west CIDR (the one where the RDS runs). But I don't understand how this works :/ Since my EC2's IP is something like 172.1.31.23, shouldn't that be the entry in the SG? Am I understanding peering incorrectly? – Steve Robinson Dec 20 '19 at 05:02
  • Oops. I jumped the gun; my RDS SG has the CIDR block of `172.31.0.0/16`, which is the us-east-1 VPC. – Steve Robinson Dec 20 '19 at 05:07
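The checks the answer and the comments turn on (route to the peer CIDR on both sides, an RDS security-group rule whose source is the peer VPC's CIDR rather than a security-group ID, and no need for public access) can be verified offline against a model of the two VPCs. This is an added example, not code from the question or the answer; the route tables, security-group rules and `pcx-`/`igw-` IDs below are constructed placeholders mirroring the thread's CIDRs.

```python
import ipaddress

# Constructed to mirror the thread: us-east-1 VPC 172.31.0.0/16 (EC2), us-west-1 VPC 10.0.0.0/16 (RDS).
# Route tables are (destination, target); a "pcx-..." target is the peering connection (placeholder ID).
EAST_PUBLIC_RT = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER"), ("10.0.0.0/16", "pcx-PLACEHOLDER")]
WEST_PRIVATE_RT = [("10.0.0.0/16", "local"), ("172.31.0.0/16", "pcx-PLACEHOLDER")]
# Security-group rules are (protocol, from_port, to_port, source).
RDS_SG_OK = [("tcp", 3306, 3306, "172.31.0.0/16")]   # source is the peer VPC's CIDR, which contains the EC2
RDS_SG_WRONG = [("tcp", 3306, 3306, "10.0.0.0/16")]  # source is the DB VPC's own CIDR, which does not

def _via_peering(routes, addr):
    """Longest-prefix match for addr; True only if the winning route targets a peering connection."""
    matches = [(ipaddress.ip_network(c), t) for c, t in routes if addr in ipaddress.ip_network(c)]
    if not matches:
        return False
    return max(matches, key=lambda m: m[0].prefixlen)[1].startswith("pcx-")

def _sg_allows(rules, addr, port):
    """True if some rule covers tcp/port from addr. sg-* sources are skipped: a security group in
    another region cannot be referenced, which is the 'security group does not exist' error above."""
    for proto, lo, hi, src in rules:
        if src.startswith("sg-") or proto not in ("tcp", "-1") or not (lo <= port <= hi):
            continue
        if addr in ipaddress.ip_network(src):
            return True
    return False

def check_peered_db_access(client_ip, client_rt, db_ip, db_rt, db_sg, db_port=3306, db_public=False):
    """Return findings for a client -> database path across VPC peering; an empty list means OK."""
    client, db = ipaddress.ip_address(client_ip), ipaddress.ip_address(db_ip)
    findings = []
    if not _via_peering(client_rt, db):
        findings.append("client route table: no route to the DB CIDR via the peering connection")
    if not _via_peering(db_rt, client):
        findings.append("DB subnet route table: no return route to the client CIDR via the peering connection")
    if not _sg_allows(db_sg, client, db_port):
        findings.append(f"DB security group: tcp/{db_port} not allowed from {client_ip}; "
                        "the source must be the peer VPC's CIDR, not the DB VPC's own")
    if db_public:
        findings.append("DB is publicly accessible, which peered traffic does not need")
    return findings

if __name__ == "__main__":
    # 10.0.2.40 is the address the answer's DNS lookup returned; 172.31.5.234 is the question's EC2.
    for name, sg in (("peer-CIDR rule", RDS_SG_OK), ("own-CIDR rule", RDS_SG_WRONG)):
        print(name, check_peered_db_access("172.31.5.234", EAST_PUBLIC_RT, "10.0.2.40", WEST_PRIVATE_RT, sg) or "reachable")
```

Feeding the model the real `describe-route-tables` and `describe-security-groups` output for the subnet the RDS instance actually lives in is the step that catches a route added to the wrong route table.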