Amazon Web Services EC2 to RDS Connectivity with VPC

6
votes

I have been trying to set up an AWS Free Tier account using an EC2 instance and an RDS database running MySQL. Unfortunately, I cannot figure out how to grant access to the database from the EC2 instance. I have read all of the AWS documentation, but it is unfortunately out of date as are all the questions posted on StackOverflow. All of the documentation states that I should go to the Security Groups section of the RDS Dashboard. However, when I do so, this is what I'm confronted with.

enter image description here

** I would have included the image but I don't have the reputation for it.

Okay, I understand that I am not using the EC2-Classic platform and that I must make these changes to the Security Group in the EC2 Dashboard, but how?! I do not want public access to port 3306, I only want the EC2 instance to be able to communicate with the RDS database on a private subnet. Any help would be greatly appreciated.

The links to "AWS Documentation on Supported Platforms" and "Using RDS in VPC" are not helpful. They are outdated and also keep referring me back to Security Groups under the RDS Dashboard, which then only shows me this message.

1
amazon-ec2amazon-rdsamazon-vpc

1 Answers

16
votes

A rule of thumb: When you are setting up resources in VPC, use ONLY VPC Security Groups. The individual RDS, Redshift...etc. security groups work only in case of ec2-classic. Meaning, when you are not setting up things in VPC.

Go to the VPC console and then on the left hand side menu, you will find security groups. These are the security groups which should control access to your AWS resources deployed inside a VPC.

I can't elaborate much as I am unaware of your VPC configuration and which subnet (public/private) you are setting these up.

Example

Here is the hypothetical scenario...

VPC: 10.0.0.0/16
1 public subnet: 10.0.0.0/24
1 Private Subnet: 10.0.1.0/24
  • Assume you put your EC2 instance in Public Subnet
  • Assume you put your RDS instance in Private Subnet
  • And you want EC2 instance be accessible on 80,443 from the world and RDS instance should be accessible only via EC2 instance.

So, these are the security groups settings:

for EC2 instance Security group:

Inbound: port 80, 443 : from 0.0.0.0/0
Outbound: port 3306 : to 10.0.1.0/24

For RDS security group:

Inbound: port 3306: from 10.0.0.0/24

Explanation

Inbound: port 80, 443 : from 0.0.0.0/0

This will allow EC2 instance be accessible on port 80 and 443 from the Internet.

Outbound: port 3306 : to 10.0.1.0/24

This allows EC2 instance to send the traffic on port 3306 only to the private subnet which is 10.0.1.0/24

Inbound: port 3306: from 10.0.0.0/24

This allows the RDS instance to accept traffic on port 3306 from the public subnet which is 10.0.0.0/24. Your EC2 instance resides in Public subnet so inherently RDS will accept traffic from Ec2 instance on port 3306

NOTE: Above setup presumes that you have set your Routing tables for the public/private subnets accordingly.

Hope this helps.