How to configure my RDS postgresql instance so that i can interact with my API server EC2 ubuntu machine?

Question

I am able to access my RDS instance through my EC2 instance through

 psql -U user -h hostname  $DBname

I want to know how the RDS connects to EC2. is it private IP or public IP or Hostname

my developer has configured my private IP in connection http://privateip:5000 in the backend (don't what exactly it)

When I use this command:

 curl --location --request GET 'http://localhost:5000/api/Supplier

I am able to access the API response.

but when I use my

 curl --location --request GET 'http://privateip:5000/api/Supplier

I get curl: (7) Failed to connect to privateIp port 5000: Connection refused

I am sure my EC2 can connect to RDS .

Maybe my understanding of this is limited.

could any one help me out of this ?

My RDS SG

All TCP TCP 0 - 65535 Custom sg-EC2

PostgreSQL TCP 5432 Custom 0.0.0.0/0

PostgreSQL TCP 5432 custom sg-Ec2

All UDP UDP 0 - 65535 Custom sg-EC2

All ICMP - IPv4 ICMP 0 - 65535 Custom sg-EC2

So this is calling a get request on your private ip on port 5000, can you confirm the security groups on the instance that you're trying to connect to? — Chris Williams, Jun 27 '20 at 09:17
All TCP TCP 0 - 65535 Custom sg-ec2 instance PostgreSQL TCP 5432 Custom 0.0.0.0/0 PostgreSQL TCP 5432 Custom sg-ec2 instance All UDP UDP 0 - 65535 Custom sg-ec2 instance All ICMP - IPv4 ICMP 0 - 65535 Custom sg-ec2 instance — sumanth shetty, Jun 27 '20 at 09:31
The request you fired is a curl request which is targetted to your EC2 instance not your RDS, does your EC2 instance also run the same security group — Chris Williams, Jun 27 '20 at 09:41
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/216761/discussion-between-chris-williams-and-sumanth-shetty). — Chris Williams, Jun 27 '20 at 09:44

Adiii · Answer 1 · 2020-06-27T09:43:30.667

1

Rule of thumb for checking SG of instance telnet privateip 5000 if the port is not open it clearly indicate that EC2 instance security group not allowing the port.

Then open 5000 from SG of the instance.

If the above fix does not resolve the issue then it might be the case that application only listening on localhost so you need to allow 0.0.0.0 to work it private IP.

I am sure my EC2 can connect to RDS .

The issue is related to connecting with Ec2 instance not the RDS, you request curl --location --request GET 'http://privateip:5000/api/Supplier has nothing to do with RDS except DB connection. you application depend on Ec2 security group, not the RDS security group.

edited Jun 27 '20 at 09:43

answered Jun 27 '20 at 09:22

Adiii

54,482
7
145
148

I have an inbound rule for my ec2 Custom TCP Rule TCP 5000 Custom 0.0.0.0/0 – sumanth shetty Jun 27 '20 at 09:46
Okay which application is running? Are you sure it's not Bind with localhost? – Adiii Jun 27 '20 at 09:58

score 1 · Answer 2 · answered Jun 27 '20 at 09:28

1

If you're trying to connect to the private IP address from the instance itself you will need to ensure the following conditions are met:

Inbound access in the security group from the source of your instance to port 5000.
Outbound access allowed in the security group for your instance.
NACL is either the default NACL, or if you have made your own it is allowing inbound and outbound access including to ephemeral ports.

The source inbound rule for the security group should be scoped to one of the following:

Inbound from the private IP address range of the EC2 instance e.g. 10.0.0.1/32
Inbound from either a subnet or VPC range e.g. 10.0.0.0/16.
Inbound from the world e.g. 0.0.0.0/0 (Use with caution as this allows any server that can connect, to be able to connect on this port).
Inbound from a security group (either the same or different). e.g. sd-abcdef

answered Jun 27 '20 at 09:28

Chris Williams

32,215
4
30
68

the private ip which i am using is of the EC2 machine not of the RDS. is what is m doing right? – sumanth shetty Jun 27 '20 at 09:42
The EC2 instance will be running the curl request against itself, so yes the private IP should be the EC2s – Chris Williams Jun 27 '20 at 09:44
What if the instance which is trying to access the RDS is in other subnet? – sumanth shetty Jun 30 '20 at 11:54
1

As long as the security group allows you should be fine :) – Chris Williams Jun 30 '20 at 12:18
can we have two Postgres RDS each in separate AZ be in sync. Or should we go for Multi Az Deployment from one AZ only? – sumanth shetty Jun 30 '20 at 12:50
If you're looking to have this for HA then yes use multi AZ, if its performance then it would need to be a read replica as you cannot use the standby node in a multi AZ setup – Chris Williams Jun 30 '20 at 12:54
hope i got this right, Best Practices would be to have a single RDS with multi az deployment compared to two different RDS for each AZ? – sumanth shetty Jun 30 '20 at 13:02
Always a lifesaver, but still not able to find you on linked in. – sumanth shetty Jun 30 '20 at 13:18
Could you help me out with https://stackoverflow.com/questions/62671161/unit-xxx-service-is-not-loaded-properly-exec-format-error-on-ubuntu18-04-creat – sumanth shetty Jul 01 '20 at 08:53

How to configure my RDS postgresql instance so that i can interact with my API server EC2 ubuntu machine?

2 Answers2