I have an AWS RDS with this security group:

MySQL/Aurora (3306)  TCP (6) 3306 sg-3sf456

Where sg-3sf456 is the security group surrounding my EC2 cluster.

My EC2 cluster cannot connect to the RDS. However, if I add a second rule to the RDS security group that is the IP address of one of my EC2 machines and I try to connect to the RDS from that particular machine, it allows me in?

What am I missing?

Edit: here are the inbound rules for my EC2 cluster:

HTTP (80)    TCP (6)    80    0.0.0.0/0
HTTPS (443)    TCP (6)    443    0.0.0.0/0

Outbound, everything is allowed.

Are your RDS instance and EC2 instances all in the same VPC? When you allow the EC2 instance by IP address, are you using the private IP address or the public IP address? – Matt Houser

Yes, they are in the same VPC. That's a good question: I am allowing the EC2 instance in by public IP address. I just tried now with the private address, and the RDS connection fails. Is this a clue? – Hard worker

If the public IP works, then the connection is going out into the outside world and coming back in. In order for security groups to work, the connection must be made internally inside the VPC. Make sure you're referencing your RDS instance by its DNS name and that it resolves to its internal IP address, not its public IP address. – Matt Houser

1 Answer

Your setup seems to be correct, but make sure you are using the private IP address of your RDS instance. This way, the traffic is seen as "coming from" the EC2 instance rather than from the Internet.

The best way to do this is to use the DNS name associated with your Amazon RDS instance. When this DNS name is resolved within the VPC, it will resolve to an internal IP address. If you are using your own DNS server, you will need some extra steps to determine the private IP address.

If you do not require your RDS instance to be accessible outside of the VPC, set its PubliclyAccessible parameter to No. This will only give it a private IP address.

See: Using Amazon RDS with Amazon Virtual Private Cloud (VPC)
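A quick diagnostic for the situation in this answer, added here as an example and not part of the original answer: run it on an EC2 instance in the VPC against the RDS endpoint to confirm that the hostname resolves to a private (RFC 1918) address, which is what a security-group reference such as sg-3sf456 can match, and that TCP 3306 is reachable. The `getent` and `nc` tools and the hostname are assumptions.

```bash
#!/bin/sh
# Check whether an RDS endpoint is being reached inside the VPC or via the Internet.
# Assumptions: getent(1) and nc(1) are installed; the VPC uses an RFC 1918 CIDR.

# Return 0 if the IPv4 address is in an RFC 1918 private range, 1 otherwise.
is_private_ipv4() {
  case "$1" in
    10.*)                                  return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    192.168.*)                             return 0 ;;
    *)                                     return 1 ;;
  esac
}

# Print "private" or "public" for an IPv4 address.
ip_scope() {
  if is_private_ipv4 "$1"; then echo private; else echo public; fi
}

# Resolve a hostname to its first IPv4 address (prints nothing if it does not resolve).
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1; exit }'
}

# Resolve the RDS endpoint, report which way the traffic will flow, then test the port.
# Exit codes: 0 reachable, 1 port blocked, 2 name does not resolve.
check_rds_endpoint() {
  host="$1"; port="${2:-3306}"
  ip=$(resolve_ipv4 "$host")
  [ -n "$ip" ] || { echo "$host: does not resolve"; return 2; }
  if [ "$(ip_scope "$ip")" = private ]; then
    echo "$host -> $ip (private: traffic stays in the VPC, an SG-to-SG rule can match)"
  else
    echo "$host -> $ip (public: traffic leaves the VPC, an SG-to-SG rule will not match)"
  fi
  # nc -z exits 0 only when the TCP handshake to the port completes.
  if nc -z -w 3 "$host" "$port" 2>/dev/null; then
    echo "tcp/$port reachable"
  else
    echo "tcp/$port blocked (check the RDS security group and PubliclyAccessible)"
    return 1
  fi
}

# Usage: sh check_rds.sh mydb.xxxx.region.rds.amazonaws.com [port]
if [ $# -gt 0 ]; then check_rds_endpoint "$@"; fi
```

If your VPC was created with a non-RFC 1918 CIDR, adapt the ranges in `is_private_ipv4` to that CIDR.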