Why is the CIDR / IP range in the database security group different from the Elastic IP?

I have an EC2 instance that can connect to my RDS instance, but its elastic IP address does not appear among the whitelisted IP addresses of the database security group.

How can it be?

I ask because I created a new instance that I also want to whitelist, and just entering its elastic IP doesn't seem to be the way to do it, because none of the other servers has its own elastic IP address listed.

Thanks in advance,

1 answer

There may be two reasons:

Traffic sources

Security group rules do not have to specify IP addresses as traffic sources; they regularly refer to other security groups instead:

The source can be an individual IP address (203.0.113.1), a range of addresses (for example, 203.0.113.0/24), or **EC2 security groups**. A security group can be another group in your AWS account, a group in another AWS account, or the security group itself.

By setting a security group as the source, you allow incoming traffic from **all instances belonging to the source security group**. [...] You can specify a different security group in your account if you are creating a three-tier web service (see Creating a three-tier web service).

[emphasis mine]

Therefore, the DB security group of your Amazon RDS instance can refer to the EC2 security group used for your Amazon EC2 instance, granting the appropriate permissions. See my answer to "AWS - Configuring Access to an EC2 Instance from a Beanstalk Application" for more information on this concept / approach.

Public and Private IP Addresses

You may be seeing the effect of a little-known, but nevertheless important and very useful feature of the AWS DNS infrastructure; see the Public and Private Addresses section on the Using Instance IP Addresses page:

Amazon EC2 also provides an internal DNS name and a public DNS name that map to the private and public IP addresses, respectively. The internal DNS name can only be resolved within Amazon EC2. **The public DNS name resolves to the public IP address outside the Amazon EC2 network and to the private IP address within the Amazon EC2 network.** [emphasis mine]

That is, the public DNS name (e.g. ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com) resolves to the private IP address when you use it from within the Amazon EC2 network, and to the public or elastic IP address when you use it from outside the Amazon EC2 network.

Accordingly, different AWS products are usually connected to each other via their private IP addresses rather than their external ones, for a variety of reasons, most importantly network speed and cost (see my answer to "AWS EC2 Elastic IPs bandwidth usage and charges" for details).

Therefore, the database security group of your Amazon RDS instance can refer to the private IP address of your Amazon EC2 instance, granting the appropriate permissions accordingly.
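A way to audit the two cases from the answer above, added here as an example (it is not code from the answer or from AWS): given the database's security group as returned by `aws ec2 describe-security-groups`, split its ingress rules for the DB port into CIDR sources and referenced security groups, then explain how a given instance gets in. It assumes the RDS instance uses a VPC security group; the sample JSON and every group id in it are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output for
# the RDS instance's VPC security group (all ids are made up for the example).
DB_SG_JSON = """{
  "SecurityGroups": [{
    "GroupId": "sg-0db0000000000000a", "GroupName": "rds-db-sg",
    "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
       "UserIdGroupPairs": [{"GroupId": "sg-0ec20000000000000",
                             "UserId": "123456789012"}]}
    ]
  }]
}"""


def _rule_covers_port(rule, port):
    # IpProtocol "-1" means all protocols and ports; otherwise check the range.
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def ingress_sources(sg_json, port):
    """Split the group's ingress rules for `port` into CIDR sources and
    referenced security-group sources (the case the answer describes)."""
    group = json.loads(sg_json)["SecurityGroups"][0]
    cidrs, groups = [], []
    for rule in group["IpPermissions"]:
        if not _rule_covers_port(rule, port):
            continue
        cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        groups += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return cidrs, groups


def why_allowed(sg_json, port, instance_groups, instance_private_ip):
    """Explain how an EC2 instance reaches the DB port: via a security-group
    reference, via a CIDR containing its (private) address, or not at all."""
    cidrs, groups = ingress_sources(sg_json, port)
    if any(g in groups for g in instance_groups):
        return "security-group"
    ip = ipaddress.ip_address(instance_private_ip)
    if any(ip in ipaddress.ip_network(c) for c in cidrs):
        return "cidr"
    return None
```

Run it against the instance's private address, not its elastic IP: inside the EC2 network that is the address the DB sees, which is why the elastic IP never needs to appear in the rules.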


Source: https://habr.com/ru/post/914820/
