-2

I have an RDS database with status as Running however it is not showing in my EC2 Security Groups. The only instances showing are:

  1. default VPC security group
  2. Security Group for Elastic Beanstalk
  3. Elastic Beanstalk created security group

Why is the RDS database not showing in the EC2 Security Groups?


Pasang
  • Are you asking why the RDS instance isn't appearing, or why a Security Group associated with the RDS instance isn't appearing? If you're looking for the Security Group, either it doesn't exist, or it is in a different Region. If you go to the RDS management console and look at the database, you can see which Security Group it is using. – John Rotenstein Jan 17 '22 at 11:38
  • It seems that the Security Group at the top with no name is the RDS instance. Now the only problem is my Elastic Beanstalk instance is not connecting to the RDS instance. In the tutorial the instance on the top had description as 'Created from the RDS Management console' while mine reads 'default VPC security group'. The tutorial is 3 years old. Maybe that's why the description does not match. – Pasang Jan 17 '22 at 14:25

1 Answer

0

The typical security setup would be:

  • A Security Group on the Amazon EC2 instances created by Elastic Beanstalk (App-SG) with adequate inbound rules for users to access the app (or perhaps from a Load Balancer -- I'll assume you have that configured correctly)
  • A Security Group on the Amazon RDS database (DB-SG) with an inbound rule that permits access from App-SG on the database port

That is, DB-SG should specifically reference the App-SG in its inbound rules. This will give permission for any of the EC2 instances to connect to the database.

Feel free to create new Security Groups with appropriate names and rules, then associate those Security Groups with the EC2 instances (via Elastic Beanstalk) and the database. You do not need to keep using the Default security group.

John Rotenstein
  • I have put the Security Group ID of my EBS instance into the Inbound rule of my RDS instance. However, my EBS environment is still failing with HTTP 5xx. Any suggestions? – Pasang Jan 18 '22 at 04:04
  • If you think that the problem might be related to the security group, you could temporarily open it to `0.0.0.0/0` for the database port. That will remove any potential problems caused by Security Groups. You can then diagnose from there based on the results. – John Rotenstein Jan 18 '22 at 04:10
  • Couldn't change the existing rule source to 0.0.0.0/0 so deleted the existing rule and created a new rule with source 0.0.0.0/0 but getting the same error on the EBS environment. – Pasang Jan 18 '22 at 04:21
  • Is the database configured as `Publicly Available = Yes`? – John Rotenstein Jan 18 '22 at 04:26
  • Yes. The RDS is publicly available, has 'Available' status and Security Group is in 'Active' state. Also both EBS instance and RDS instance are running with the same VPC id and owner. – Pasang Jan 18 '22 at 04:37
  • There is a specific setting in Amazon RDS called **Publicly Available**. ([Example image](https://i.stack.imgur.com/20nPv.png)) Do you see this setting? What is its value on your database? – John Rotenstein Jan 18 '22 at 04:47
  • Yes. The Publicly Available setting is 'Yes' for the RDS database. – Pasang Jan 18 '22 at 04:58
  • A setting of 'Yes' means that the DNS name of the RDS database will resolve to a **public IP address**. This will only work if the database is in a Public Subnet. It also means that Security Groups cannot filter the traffic based on a reference to another security group (as I advised above) since that requires traffic to be using Private IP addresses. The normal configuration would be to use `Publicly Accessible = No` and to put the database in a Private Subnet. Your use of `0.0.0.0/0` should allow any traffic in, so I suspect that the database is in a private subnet with a public IP address. – John Rotenstein Jan 18 '22 at 05:04
  • After looking at my EBS error log it looks like my issue is with the EBS deployment. The problem seems to be similar to this question: https://stackoverflow.com/questions/55212409/why-is-my-springboot-deployment-to-ebs-not-working – Pasang Jan 18 '22 at 05:18
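
A check for the App-SG to DB-SG setup described in the answer and its comments, as an added example (not code from the answer or from AWS). The input dicts mirror the shape of the EC2 `DescribeSecurityGroups` and RDS `DescribeDBInstances` responses; the group IDs, the port 3306 and the finding names are assumptions constructed for illustration.

```python
# Added example: audit a database security group against the App-SG -> DB-SG pattern.
# All IDs and the port (3306) are constructed sample values, not taken from the question.

def audit_db_access(db_instance, db_sg, app_sg_id, db_port):
    """Return sorted findings for one RDS instance and the security group on it."""
    findings = set()
    allowed_by_reference = False
    for perm in db_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols and ports; otherwise the TCP range must cover db_port.
        covers = proto == "-1" or (
            proto == "tcp"
            and perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535))
        if not covers:
            continue
        # The recommended rule: the source is the app tier's security group itself.
        if any(p.get("GroupId") == app_sg_id for p in perm.get("UserIdGroupPairs", [])):
            allowed_by_reference = True
        # A world-open source is only a temporary diagnostic and should not stay.
        if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])) or \
           any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
            findings.add("OPEN_TO_WORLD")
    if not allowed_by_reference:
        findings.add("NO_APP_SG_REFERENCE")
    # With a public endpoint, traffic arrives from public IPs, so a rule that
    # references App-SG cannot match it (see the comment thread above).
    if db_instance.get("PubliclyAccessible"):
        findings.add("PUBLICLY_ACCESSIBLE")
    attached = [g["VpcSecurityGroupId"] for g in db_instance.get("VpcSecurityGroups", [])]
    if db_sg["GroupId"] not in attached:
        findings.add("SG_NOT_ATTACHED")
    return sorted(findings)

APP_SG = "sg-0aaaaaaaaaaaaaaaa"   # constructed
DB_SG_ID = "sg-0bbbbbbbbbbbbbbbb"  # constructed
DB_SG_GOOD = {"GroupId": DB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": APP_SG}], "IpRanges": []}]}
DB_SG_DEBUG = {"GroupId": DB_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DB_PRIVATE = {"PubliclyAccessible": False,
              "VpcSecurityGroups": [{"VpcSecurityGroupId": DB_SG_ID, "Status": "active"}]}
DB_PUBLIC = {**DB_PRIVATE, "PubliclyAccessible": True}

if __name__ == "__main__":
    print(audit_db_access(DB_PRIVATE, DB_SG_GOOD, APP_SG, 3306))
    print(audit_db_access(DB_PUBLIC, DB_SG_DEBUG, APP_SG, 3306))
```

An empty list means the database is reachable only through the App-SG reference; the second call reproduces the state reached during the troubleshooting in the comments.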