MVC application running on EC2 instance cannot use RDS database

I am developing an application with MVC that uses a remote database (Amazon RDS) to populate the application data. Running the application locally, everything works fine. The problem occurs when I deploy the application to an EC2 instance: my online application cannot use the same RDS database. What is the correct procedure to allow an EC2 instance to access an RDS database? My security group has inbound and outbound permissions for everyone, all traffic, from anywhere.

+6
3 answers

How do I resolve issues with my Amazon RDS database instance?

Problem

I cannot connect to an Amazon RDS database instance.

Cause:

When you try to connect from an EC2 instance that is not in a VPC, the DB instance's security group is not configured to allow access from the EC2 instance.

Solution:

If connection attempts from an EC2-Classic instance fail, grant access in the DB instance's security group. For more information, see the following:

If you want to access a DB instance from an Amazon EC2 instance, you must first determine whether your EC2 instance and DB instance are in a VPC. If you are using a default VPC, you can assign the same EC2 or VPC security group that you used for your EC2 instance when you create or modify the DB instance that the EC2 instance will access.

If your DB instance and EC2 instance are not in the VPC, you must configure the DB instance security group using an access rule that allows traffic from the Amazon EC2 instance. You would do this by adding the Amazon EC2 security group for the EC2 instance to the DB security group for the DB instance. In this example, you add a database security group access rule for the Amazon EC2 security group.

Attention!

Adding a DB security group access rule for an Amazon EC2 security group provides access to your DB instances only from the Amazon EC2 instances associated with that Amazon EC2 security group.

You cannot authorize an Amazon EC2 security group located in a different AWS region than your DB instance. You can authorize an IP range, or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. If you specify an IP range, we recommend that you use the private IP address of your Amazon EC2 instance, which provides a more direct network route from your Amazon EC2 instance to your Amazon RDS DB instance and does not incur network charges for data sent outside the Amazon network.

AWS Management Console

To add an EC2 security group to a DB security group

  1. Log in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/ .

  2. Select Security Groups in the navigation panel on the left side of the console window.

  3. Select the details icon for the DB security group that you want to grant access to.

  4. On the details page for your security group, select EC2 Security Group from the Connection Type drop-down list, and then select the Amazon EC2 security group that you want to use. Then click "Authorize."

  5. The status of the access rule will be "authorizing" until the new access rule has been applied to all DB instances associated with the DB security group that you changed. After the access rule has been successfully applied, the status changes to "authorized".

CLI

To grant access to the Amazon EC2 security group, use the AWS CLI command authorize-db-security-group-ingress.

Example

For Linux, OS X, or Unix:

 aws rds authorize-db-security-group-ingress \
     --db-security-group-name default \
     --ec2-security-group-name myec2group \
     --ec2-security-group-owner-id 987654321021

For Windows:

 aws rds authorize-db-security-group-ingress ^
     --db-security-group-name default ^
     --ec2-security-group-name myec2group ^
     --ec2-security-group-owner-id 987654321021

The command should output a result similar to the following:

 SECGROUP      Name        Description
 SECGROUP      default     default
 EC2-SECGROUP  myec2group  987654321021  authorizing

API

To allow network access for the Amazon EC2 security group, call the Amazon RDS API function AuthorizeDBSecurityGroupIngress (http://docs.aws.amazon.com//AmazonRDS/latest/APIReference/API_AuthorizeDBSecurityGroupIngress.html) with the following parameters:

 EC2SecurityGroupName = myec2group
 EC2SecurityGroupOwnerId = 987654321021

Example

 https://rds.amazonaws.com/
     ?Action=AuthorizeDBSecurityGroupIngress
     &EC2SecurityGroupOwnerId=987654321021
     &EC2SecurityGroupName=myec2group
     &Version=2009-10-16
     &SignatureVersion=2
     &SignatureMethod=HmacSHA256
     &Timestamp=2009-10-22T17%3A10%3A50.274Z
     &AWSAccessKeyId=<AWS Access Key ID>
     &Signature=<Signature>

Link to the resource:

+3

Check that the following steps have been performed.

  • Create a VPC security group (for example, "sg-appsrv1") and define inbound rules that use the IP address of your client application as the source. This security group allows your client application to connect to EC2 instances in the VPC that use this security group.
  • Create an EC2 instance for the application and add the EC2 instance to the VPC security group ("sg-appsrv1") that you created in the previous step. The EC2 instance in the VPC shares the VPC security group with the DB instance.
  • Create a second VPC security group (for example, "sg-dbsrv1") and create a new rule that specifies the VPC security group you created in step 1 ("sg-appsrv1") as the source.
  • Create a new DB instance and add the DB instance to the VPC security group ("sg-dbsrv1") that you created in the previous step. When you create the instance, use the same port number as the one specified for the VPC security group rule ("sg-dbsrv1") that you created in step 3.

Link: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.Scenarios

0
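A way to verify steps 3 and 4 above against what the account actually has, as an added example that is not part of either answer: it reads the output of `aws ec2 describe-security-groups` (here a constructed sample) and reports whether the DB security group admits the application's security group on the DB port, and whether an "everyone" CIDR rule like the one in the question is also present. The group ids, port 3306 and the account id are constructed values.

```python
"""Audit the DB security group from the steps above: sg-dbsrv1 must admit
the app SG on the DB port and nothing broader. Added example, not code
from the original answer. SAMPLE is constructed in the shape returned by
`aws ec2 describe-security-groups`; feed it the real JSON instead."""
import ipaddress

# Constructed sample: sg-dbsrv1 has the intended rule (source sg-appsrv1)
# plus an "everyone" rule like the one described in the question.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-dbsrv1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-appsrv1", "UserId": "123456789012"}]},
    ]}]}

def _covers_port(perm, port):
    """True if an IpPermission entry matches TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db_sg(describe_output, db_sg_id, db_port, app_sg_id):
    """Report whether db_sg_id admits app_sg_id on db_port, which CIDR
    sources are admitted on that port, and whether any is world-open."""
    sg = next(g for g in describe_output["SecurityGroups"] if g["GroupId"] == db_sg_id)
    report = {"allows_app_sg": False, "cidr_sources": [], "world_open": False}
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, db_port):
            continue
        if any(p.get("GroupId") == app_sg_id for p in perm.get("UserIdGroupPairs", [])):
            report["allows_app_sg"] = True
        for rng in perm.get("IpRanges", []):
            report["cidr_sources"].append(rng["CidrIp"])
            if ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0:   # 0.0.0.0/0
                report["world_open"] = True
    return report

def app_sg_ingress_rule(app_sg_id, db_port):
    """The least-privilege rule of step 3, in the shape accepted by
    `aws ec2 authorize-security-group-ingress --ip-permissions`."""
    return [{"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
             "UserIdGroupPairs": [{"GroupId": app_sg_id}]}]

if __name__ == "__main__":
    print(audit_db_sg(SAMPLE, "sg-dbsrv1", 3306, "sg-appsrv1"))
```

On the sample the report shows the app SG rule present but also the world-open 0.0.0.0/0 source, which is the rule to remove once the SG-to-SG rule is in place.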

By default, RDS does not allow any connection that is not specified in the security group (SG). You can allow based on the CIDR address or Amazon account number, which will allow any EC2 under this account to access it.

But also check:

  • Are the settings for the subnets appropriate?
  • Is the subnet part of a routing group that appears to be configured correctly (Internet gateway specified, etc.)?
  • Does RDS say it is accessible?
  • And of course, check the RDS security group and the EC2 security group.
    • Do not forget that your actual source IP address can be an internal IP address (when accessing internally via the VPC) or an external IP address (which can be a router IP address, or an EC2 instance IP address that differs from its load balancer / Elastic IP). For troubleshooting, you can try allowing access from all IP addresses and ports.

(The routing group was my problem: when creating a new subnet, I forgot to add it to the routing group with the gateway.)

0
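For the routing item in the checklist above (the answerer's own cause), an added example that is not part of the answer: it takes `aws ec2 describe-route-tables` output (a constructed sample here, assuming a single VPC) and reports which route table a subnet really uses, applying AWS's rule that a subnet without an explicit association falls back to the main route table, and whether that table has an active default route to an Internet gateway. The subnet, route table and gateway ids are constructed values.

```python
"""Which route table does a subnet actually use, and does it reach an
Internet gateway? Added example, not code from the original answer.
SAMPLE_ROUTE_TABLES is constructed in the shape of
`aws ec2 describe-route-tables` output and assumes a single VPC."""

# Constructed sample: rtb-main (main table, no IGW) and rtb-public (has an
# IGW route) explicitly associated only with subnet-a. subnet-b was never
# associated, so it silently falls back to the main table.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                 "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-a",
                       "RouteTableId": "rtb-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16",
                 "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0",
                 "GatewayId": "igw-0123", "State": "active"}]},
]}

def route_table_for_subnet(describe_output, subnet_id):
    """Return the route table a subnet uses: its explicit association if
    one exists, otherwise the VPC's main route table (AWS semantics)."""
    main = None
    for rt in describe_output["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_default_route(route_table):
    """True if the table has an active 0.0.0.0/0 route via an Internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               and r.get("State") == "active"
               for r in route_table.get("Routes", []))

def subnet_internet_status(describe_output, subnet_id):
    """(route table id in effect, whether it has an IGW default route)."""
    rt = route_table_for_subnet(describe_output, subnet_id)
    return rt["RouteTableId"], has_igw_default_route(rt)

if __name__ == "__main__":
    for subnet in ("subnet-a", "subnet-b"):
        print(subnet, subnet_internet_status(SAMPLE_ROUTE_TABLES, subnet))
```

For subnet-b the result names rtb-main with no IGW route, which is exactly the "forgot to add it to the routing group with the gateway" situation.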

Source: https://habr.com/ru/post/1012372/
