
I have tried configuring the RDS cluster using cluster.connections.allowDefaultPortFromAnyIpv4(), but I am still not able to connect to my Postgres instance; it keeps timing out.

I've been trying to figure this out for 2 days but still no luck, not sure what to do.

Here is the full code for the CDK config.

import { CdkWorkshopStack } from "../stacks/cdk-workshop-stack";
import * as rds from "@aws-cdk/aws-rds";
import * as ec2 from "@aws-cdk/aws-ec2";
import { ServerlessCluster } from "@aws-cdk/aws-rds";
import { Duration } from "@aws-cdk/core";

export const createDbInstance = (
  scope: CdkWorkshopStack
): { cluster: ServerlessCluster; dbName: string } => {
  // Create the VPC needed for the Aurora Serverless DB cluster
  const vpc = new ec2.Vpc(scope, "AuroraVPC");

  const dbName = "yt_backup";
  // Create the Serverless Aurora DB cluster; set the engine to Postgres
  const cluster = new rds.ServerlessCluster(scope, "yt_backup_cluster", {
    engine: rds.DatabaseClusterEngine.AURORA_POSTGRESQL,
    parameterGroup: rds.ParameterGroup.fromParameterGroupName(
      scope,
      "ParameterGroup",
      "default.aurora-postgresql10"
    ),

    defaultDatabaseName: dbName,
    //@ts-ignore
    vpc: vpc,
    //@ts-ignore
    scaling: { autoPause: Duration.minutes(10) }, // Optional. If not set, then instance will pause after 5 minutes
  });
  // Adds an ingress rule for the cluster's default port (5432) from 0.0.0.0/0
  cluster.connections.allowDefaultPortFromAnyIpv4();

  return { cluster, dbName };
};
Shivam

2 Answers


This opens the security group to all connections:

cluster.connections.allowDefaultPortFromAnyIpv4();

This (see the link for exactly where you would specify this) would give the database server a public IP, allowing connections from outside the VPC:

publiclyAccessible: true,

However, you are creating a Serverless cluster, which does not support the publicly accessible feature at this time.

Mark B
  • Is this done by AWS on purpose or is it some design constraint? – Shivam Aug 17 '21 at 16:29
  • I don't work for AWS so I can't answer that question. I'm not aware of any public statement they have made on that. Although I imagine it is related to the fact that serverless clusters can have instances constantly being added and removed, so there is no persistent instance to assign a public IP address to. – Mark B Aug 17 '21 at 16:45

Like Mark B mentions, a Serverless Aurora DB is not publicly accessible. Having a database publicly accessible is a bad idea from a security point of view in my opinion (and definitely not open to 0.0.0.0/0).

An application inside your VPC should connect to the database, and if you need to access the database yourself you can use a BastionHostLinux, an SSH tunnel or Direct Connect.

You can switch to a "non-serverless" database if you really need to, as this is publicly accessible if it's on a public subnet and there is an internet gateway for the VPC.

rjdkolb
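Both answers come down to the same point: allowDefaultPortFromAnyIpv4() writes an ingress rule for 0.0.0.0/0 on port 5432 into the cluster's security group, and the fix is to admit only a specific peer (the application's security group or a BastionHostLinux via cluster.connections.allowDefaultPortFrom(bastion)). The check below is an added example, not code from the question or either answer: it audits the CloudFormation template that `cdk synth` writes to cdk.out/ and flags any security-group ingress that exposes the database port to the world, whether the rule is inline on an AWS::EC2::SecurityGroup or a standalone AWS::EC2::SecurityGroupIngress resource. The two templates are constructed by hand to mirror the weak and the bastion-only configuration; the logical resource IDs, the bastion CIDR and the helper names are illustrative assumptions, not what CDK actually emits.

```typescript
// Added example: audit a synthesized CloudFormation template for
// world-open ingress on the database port. Templates below are constructed.

type IngressRule = {
  IpProtocol: string;
  FromPort?: number;
  ToPort?: number;
  CidrIp?: string;
  CidrIpv6?: string;
  Description?: string;
  SourceSecurityGroupId?: unknown; // CFN intrinsic such as Fn::GetAtt
  GroupId?: unknown;
};

type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };
type Finding = { resource: string; rule: IngressRule; reason: string };

const WORLD_V4 = "0.0.0.0/0";
const WORLD_V6 = "::/0";

// True when the rule's port range (or "all traffic", protocol -1) includes `port`.
function coversPort(rule: IngressRule, port: number): boolean {
  if (rule.IpProtocol === "-1") return true;
  if (typeof rule.FromPort !== "number" || typeof rule.ToPort !== "number") return false;
  return rule.FromPort <= port && port <= rule.ToPort;
}

// True when the source is the whole internet rather than a CIDR or a security group.
function isWorldOpen(rule: IngressRule): boolean {
  return rule.CidrIp === WORLD_V4 || rule.CidrIpv6 === WORLD_V6;
}

// Walks every security-group resource and reports rules that let anyone reach dbPort.
function findWorldOpenDbIngress(template: Template, dbPort: number = 5432): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(template.Resources)) {
    const res = template.Resources[name];
    const props = res.Properties || {};
    let rules: IngressRule[] = [];
    if (res.Type === "AWS::EC2::SecurityGroup") {
      rules = (props["SecurityGroupIngress"] as IngressRule[] | undefined) || [];
    } else if (res.Type === "AWS::EC2::SecurityGroupIngress") {
      rules = [props as unknown as IngressRule];
    } else {
      continue;
    }
    for (const rule of rules) {
      if (isWorldOpen(rule) && coversPort(rule, dbPort)) {
        const src = rule.CidrIp || rule.CidrIpv6;
        findings.push({ resource: name, rule, reason: `port ${dbPort} reachable from ${src}` });
      }
    }
  }
  return findings;
}

// Constructed: roughly what allowDefaultPortFromAnyIpv4() produces (weak setting).
const weakTemplate: Template = {
  Resources: {
    ytbackupclusterSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "RDS security group",
        SecurityGroupIngress: [
          { CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 5432, ToPort: 5432, Description: "from 0.0.0.0/0:5432" },
        ],
      },
    },
  },
};

// Constructed: the corrected setting, allowDefaultPortFrom(bastion). The DB group admits
// only the bastion's security group; the bastion admits SSH from one admin address.
const fixedTemplate: Template = {
  Resources: {
    ytbackupclusterSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: { GroupDescription: "RDS security group", SecurityGroupIngress: [] },
    },
    ytbackupclusterSecurityGroupfromBastion: {
      Type: "AWS::EC2::SecurityGroupIngress",
      Properties: {
        IpProtocol: "tcp", FromPort: 5432, ToPort: 5432,
        GroupId: { "Fn::GetAtt": ["ytbackupclusterSecurityGroup", "GroupId"] },
        SourceSecurityGroupId: { "Fn::GetAtt": ["BastionSecurityGroup", "GroupId"] },
      },
    },
    BastionSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "bastion host",
        SecurityGroupIngress: [{ CidrIp: "203.0.113.10/32", IpProtocol: "tcp", FromPort: 22, ToPort: 22 }],
      },
    },
  },
};

console.log(findWorldOpenDbIngress(weakTemplate)); // one finding on the cluster's group
console.log(findWorldOpenDbIngress(fixedTemplate)); // []
```

Running this over the real `<Stack>.template.json` in cdk.out/ before `cdk deploy` gives a pre-deployment gate for the mistake in the question; the same check also catches an "all traffic" (IpProtocol -1) rule from 0.0.0.0/0, which covers the database port without naming it.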