
I have two AWS accounts (A and B). Each of them has a VPC, with no overlapping CIDR blocks, and both are in the same region. I have successfully created a VPC peering connection between them (which is active). The requester and receiver both allow remote VPC DNS resolution.

In each VPC's route table I have specified the other VPC's CIDR block as a destination, with the peering connection as the target.

I have an EC2 instance running in a public subnet inside VPCA of AccountA, attached to a security group SecurityGroupA. SecurityGroupA allows inbound traffic from all sources in the default security group of VPCA, as well as inbound traffic from AccountBId/SecurityGroupB, and all outbound traffic.

I have an RDS Postgres instance running in VPCB of AccountB, attached to a security group SecurityGroupB. SecurityGroupB allows inbound TCP on port 5432 (the Postgres default port) from AccountAId/SecurityGroupAId.

When running aws ec2 describe-security-group-references --group-id SecurityGroupAId, I get

{
    "SecurityGroupReferenceSet": [
        {
            "GroupId": "SecurityGroupAId",
            "ReferencingVpcId": "VPCBId",
            "VpcPeeringConnectionId": "pcx-XXXXXXXXXXXXXXXXX"
        }
    ]
}

This seems to indicate that the security group is correctly referenced. But when trying to connect from the EC2 instance to the RDS instance, I get a connection timed out error.

alx.lzt

  • Is the RDS database set to `Publicly Available = Yes`? – John Rotenstein Nov 09 '20 at 20:54
  • Yes it is, but the psql timeout error displays the RDS IP corresponding to one of its VPC's addresses, and not a public one. So I would assume it correctly tries to access it through the peering connection? – alx.lzt Nov 10 '20 at 10:28
  • My actual use case is not with an EC2 instance, but with ECS scheduled tasks being given changing public IPs, so I'm trying not to update the RDS security group to allow another public IP in an inbound rule. If it's the only way with a publicly available RDS instance I'll try to assign specific public IPs to the tasks :) – alx.lzt Nov 10 '20 at 10:40
  • When you try to resolve the RDS DNS name within the VPC (e.g. with `nslookup` from the EC2 instance), does it resolve to a public IP address or a private IP address? If it resolves to a public IP address, then you should set it to `Publicly Accessible = No` so that traffic remains _within_ the VPCs. The Security Group on RDS that refers to the EC2 security group will be expecting the private IP address. You can test this by temporarily changing the RDS security group to allow connections from _Anywhere_ and seeing whether the connection succeeds. – John Rotenstein Nov 10 '20 at 20:24
  • The EC2 instance correctly resolved the RDS DNS name within the VPC to a private IP. Everything works now. It seems that it works with Publicly Accessible set to either No or Yes. The issue was that I forgot to update the RDS VPC route table when I recreated the peering connection for test purposes (hum...). Thank you for your advice! – alx.lzt Nov 11 '20 at 19:36
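As an added diagnostic (not code from the question or from AWS), the check below walks the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-peering-connections` for both VPCs and flags any route table without an active route to the peer CIDR through the current peering connection, including the stale `blackhole` route that recreating a peering connection leaves behind. The sample data and every id in it are constructed placeholders.

```python
# Added example (not from the question or from AWS). Checks the JSON shapes
# returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-peering-connections`:
# every route table in either peered VPC needs an ACTIVE route to the other VPC's CIDR
# via the CURRENT pcx. A route left from a deleted peering keeps its destination but
# shows State "blackhole", the silent "connection timed out" case from the question.

def peer_cidrs(peering):
    """Map each VPC in the peering to the CIDR it must route to (the other side)."""
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    return {req["VpcId"]: acc["CidrBlock"], acc["VpcId"]: req["CidrBlock"]}

def missing_peering_routes(route_tables, peering):
    """Return (route_table_id, vpc_id, peer_cidr, problem) for each broken table."""
    pcx = peering["VpcPeeringConnectionId"]
    wanted = peer_cidrs(peering)
    problems = []
    for rt in route_tables:
        vpc = rt["VpcId"]
        if vpc not in wanted:
            continue  # route table of an unrelated VPC
        cidr = wanted[vpc]
        routes = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == cidr]
        if not routes:
            problems.append((rt["RouteTableId"], vpc, cidr, "no route to peer CIDR"))
        elif not any(r.get("VpcPeeringConnectionId") == pcx and r.get("State") == "active"
                     for r in routes):
            r = routes[0]
            target = r.get("VpcPeeringConnectionId") or r.get("GatewayId", "?")
            problems.append((rt["RouteTableId"], vpc, cidr, "route via %s is %s, expected "
                             "active via %s" % (target, r.get("State"), pcx)))
    return problems

# Constructed sample data mirroring the question; all ids are placeholders.
PEERING = {"VpcPeeringConnectionId": "pcx-new00000000000000",
           "RequesterVpcInfo": {"VpcId": "vpc-aaaa", "CidrBlock": "10.0.0.0/16"},
           "AccepterVpcInfo": {"VpcId": "vpc-bbbb", "CidrBlock": "10.1.0.0/16"}}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a-public", "VpcId": "vpc-aaaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16",
         "VpcPeeringConnectionId": "pcx-new00000000000000", "State": "active"}]},
    {"RouteTableId": "rtb-b-main", "VpcId": "vpc-bbbb", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/16",  # stale: still points at the deleted pcx
         "VpcPeeringConnectionId": "pcx-old00000000000000", "State": "blackhole"}]},
]

if __name__ == "__main__":
    for rtb, vpc, cidr, why in missing_peering_routes(ROUTE_TABLES, PEERING):
        print("%s (%s): %s -> %s" % (rtb, vpc, cidr, why))
```

Run against real output by loading the two CLI responses with `json.load` and passing `RouteTables` and one entry of `VpcPeeringConnections`; an empty result means both sides route to each other through the live peering connection.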
