
I've spent about a full day trying to solve this, but have had no luck so far. I'm also open to alternative suggestions to my current setup.

I have an RDS instance inside of a VPC. I am trying to make CodeBuild be able to access this RDS instance for a testing step.

Currently, I set up a VPC endpoint for the CodeBuild service, with all 3 subnets of the VPC. I know that if I allow all inbound traffic in the security group on the RDS instance, it works. I don't want to allow all inbound traffic though, and given this, I have been unsuccessful.

I have tried the following to no avail:

  • Taking the private IPv4 addresses of the ENIs created by the VPCE and adding them as inbound rules to the security group on the RDS instance
  • Creating a separate VPC for CodeBuild and setting up VPC peering (this seemed overly complex, and I'm not sure if the peering would even allow CodeBuild traffic to hit an RDS instance; it also makes things complicated down the road for CodeDeploy)
  • Putting CodeBuild inside the VPC of the RDS instance. When doing this, I created a new subnet in the VPC and assigned it to a NAT in the route table (and this NAT was in the VPC of the RDS instance), but CodeBuild kept telling me it had no internet access.
user43395

2 Answers


setup a VPC endpoint for the CodeBuild service,

VPC endpoints are not used for inbound traffic from CB to the VPC. They are used for your applications in the VPC to interact with the CB service without the internet.

Putting CodeBuild inside the VPC of the RDS instance.

This is the correct way. Sadly you haven't provided any details of your VPC, subnets, NAT, route tables, security groups, or NACL setup, so it's difficult to speculate why it does not work.

Marcin
  • Thanks Marcin, this makes sense. I may not know all the important information to give; here's some. The VPC is 172.31.0.0/16, with 4 subnets: 172.31.0.0/20, 172.31.16.0/20, 172.31.32.0/20, 172.31.48.0/20. The first 3 are attached to an internet gateway; the fourth is attached to a NAT via the route table: 172.31.0.0/16 : local, 0.0.0.0/0 : (the NAT). The SG on the RDS instance allows traffic from certain IP addresses. I suspect I may have to add something else inbound, but not sure what. Outbound is allowed. NACL is standard, allows everything (rule 100), otherwise. – user43395 Aug 12 '21 at 02:19
  • I had also tested creating a VPC from the wizard with a private and a public subnet; attaching this to CodeBuild did allow CodeBuild to have internet access. I also tried giving CodeBuild an SG that allows all inbound and outbound, but that didn't help. – user43395 Aug 12 '21 at 02:22
  • Typing these comments out gave me an idea: I bet my NAT is attached to the wrong subnet. – user43395 Aug 12 '21 at 02:42

Thanks Marcin for pointing me in the right direction to make CodeBuild in the same VPC. When I was able to focus on that, I saw this post again:

CodeBuild cannot find the 0.0.0.0/0 destination for the target internet gateway

where I had the same issue: my NAT was also in the private subnet. Now it's in the public subnet, and it's working.

user43395
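The layout Marcin's answer recommends (CodeBuild attached to the RDS instance's VPC) and the fix the second answer arrives at (the NAT gateway must sit in a public subnet, not in the private subnet that routes through it) can be written down as one piece of infrastructure. The Terraform below is an added example, not code from the question or either answer; the CIDRs, resource names, region, Postgres port 5432 and the `codebuild_role_arn` variable are assumptions. Its security point is the last two security groups: the RDS group admits the database port only from the CodeBuild security group, so nothing is opened to 0.0.0.0/0 and no ENI addresses (which change from build to build) have to be listed.

```hcl
# Added example: CodeBuild in a private subnet reaching RDS in the same VPC.
# Assumed values are marked; the CodeBuild service role passed in must also
# allow ec2:CreateNetworkInterface / ec2:DescribeSubnets etc. for VPC builds.
provider "aws" {
  region = "us-east-1" # assumption
}

variable "codebuild_role_arn" {
  type = string # assumption: an existing CodeBuild service role with VPC permissions
}

resource "aws_vpc" "main" {
  cidr_block = "172.31.0.0/16"
}

# Public subnet: hosts the NAT gateway and routes 0.0.0.0/0 to the IGW.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "172.31.0.0/20"
}

# Private subnet: hosts the CodeBuild ENIs and routes 0.0.0.0/0 to the NAT.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "172.31.48.0/20"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_eip" "nat" {
  domain = "vpc"
}

# The NAT gateway lives in the PUBLIC subnet. Putting it in the private subnet,
# whose default route points back at the NAT itself, leaves the NAT without a
# path to the IGW and CodeBuild reports "no internet access".
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group attached to the CodeBuild ENIs: egress only, no ingress.
resource "aws_security_group" "codebuild" {
  name   = "codebuild-build" # assumption
  vpc_id = aws_vpc.main.id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# RDS security group: database port reachable only from the CodeBuild SG.
resource "aws_security_group" "rds" {
  name   = "rds-postgres" # assumption
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 5432 # assumption: Postgres
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.codebuild.id]
  }
}

resource "aws_codebuild_project" "tests" {
  name         = "integration-tests" # assumption
  service_role = var.codebuild_role_arn
  artifacts { type = "NO_ARTIFACTS" }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:5.0"
    type         = "LINUX_CONTAINER"
  }
  source {
    type      = "NO_SOURCE"
    buildspec = "version: 0.2\nphases:\n  build:\n    commands:\n      - echo run tests here"
  }
  vpc_config {
    vpc_id             = aws_vpc.main.id
    subnets            = [aws_subnet.private.id]
    security_group_ids = [aws_security_group.codebuild.id]
  }
}
```

The RDS instance itself (not shown) is attached to `aws_security_group.rds` and placed in private subnets of the same VPC. A quick check after `terraform apply`: the route table associated with the NAT gateway's subnet must have a 0.0.0.0/0 route to an internet gateway, and the route table of every subnet listed in `vpc_config.subnets` must have a 0.0.0.0/0 route to the NAT gateway; if either is missing, the build environment will report no internet access exactly as in the question.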