1
votes

My security group inbound rules are as follows:

WebAccess

HTTP TCP 80 0.0.0.0/0

SSH TCP 22 0.0.0.0/0

and

DB

MYSQL/Aurora TCP 3306 sg-0252186b (WebAccess)

My instances are set up like this:

Instance 1, web server - security group WebAccess

Instance 2, web server - security group WebAccess

Instance 3, DB server - security group DB

If my understanding is correct, anyone should be able to access HTTP and SSH on my web servers, and only a member instance of the WebAccess group should be able to access the DB server. However, the DB server is not accessible from the web servers.

When I change the 3306 rule to be open to allow inbound from anyone, I can access it fine (also from my local computer, as expected).

Please could somebody help me understand where I'm going wrong?

Thanks, Chris

It sounds like you've made the DB publicly accessible, and the EC2 instances are trying to go out to the internet and back into AWS to access the DB. Try performing an nslookup of the DB hostname on one of the EC2 instances and see if it resolves to an IP address in your VPC address range, or if it resolves to a public IP. - Mark B

Also try to add the internal IP addresses of the instances to the DB security group, explicitly. This would be for troubleshooting mainly. - Rodrigo M

As per @Mark B, how are you identifying the DB server to your applications? Are you using a DNS name or an IP address? Can you show it to us? Are all instances in the same VPC? Is the DB server provided by Amazon RDS, or did you create it yourself on Amazon EC2? - John Rotenstein

@MarkB I've now done: hostname on my DB server to get the hostname, then nslookup <hostname value> on my web server. This has given my private IP address as the address, as specified in my EC2 console. - xog

You are correct, I was using the public (Elastic) IP address, which wasn't correct. I was under the impression that private IPs change also, but it appears they don't (I've just rebooted the instance and it's the same). I will use this private IP in the config on my web server. Thanks for your help all. - xog

1 Answer

0
votes

When you change the security group to 0.0.0.0/0 and are then able to access the DB from your desktop, that means your instance has been enabled for public access (i.e. it has a public IP). When you connect to such an instance, traffic leaves the subnet to the internet and comes back in. Because of that, the traffic no longer originates from your web instance but from the internet. You would need to use the web instances' public IPs in that case.

Also please note, the way you have worded your question/comments suggests you use the IP of the RDS instance instead of the hostname. This works if you use a single-AZ RDS deployment. It won't work if you use multi-AZ or convert this RDS instance to multi-AZ (HA setup). The reason is that during a failover AWS updates the DNS name to point to the new master. If your application is using an IP, no failover will occur.

Even worse: if you use an IP and single-AZ now but later decide to upgrade to multi-AZ, your application will continue to work until the first failover (most likely due to maintenance).
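A small model of the behaviour described in the question's security-group layout and in the answer above, added here as an example and not code from the original thread. It assumes a constructed VPC CIDR of 172.31.0.0/16, constructed private addresses for the two web instances, and a constructed Elastic IP from the documentation range 203.0.113.0/24; the group ID sg-0252186b is the one quoted in the question. Group-referenced rules are matched against the private IPs of the referenced group's members, so a connection that arrives from a web instance's public IP never matches the posted DB rule, while a 0.0.0.0/0 rule admits it (which is exactly the symptom in the question):

```python
"""Model of AWS security-group evaluation for a rule that references another
security group, plus the nslookup-style check suggested in the comments.
All addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a group ID such as "sg-..."


# Constructed: private IPs of the instances that carry the WebAccess group.
# AWS matches group-referenced rules on these private addresses only, never
# on an instance's public or Elastic IP.
SG_PRIVATE_MEMBERS = {
    "sg-0252186b": {"172.31.10.5", "172.31.10.6"},
}

VPC_CIDR = "172.31.0.0/16"                      # constructed VPC range
WEB1_PRIVATE_IP = "172.31.10.5"                 # constructed
WEB1_PUBLIC_IP = "203.0.113.10"                 # constructed Elastic IP
DB_PRIVATE_IP = "172.31.20.7"                   # constructed
DB_PUBLIC_IP = "203.0.113.20"                   # constructed Elastic IP

# The DB group as posted in the question, and the "open to anyone" variant.
DB_RULES_AS_POSTED = [Rule("tcp", 3306, "sg-0252186b")]
DB_RULES_WIDE_OPEN = [Rule("tcp", 3306, "0.0.0.0/0")]


def rule_matches(rule, protocol, port, src_ip):
    """One rule permits the flow if protocol/port match and the source does."""
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Group reference: only the private IPs of that group's members match.
        return src_ip in SG_PRIVATE_MEMBERS.get(rule.source, set())
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(rules, protocol, port, src_ip):
    """Security groups are allow-lists: any single matching rule admits traffic."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)


def endpoint_in_vpc(resolved_ip, vpc_cidr=VPC_CIDR):
    """The nslookup check from the comments: does the DB name resolve inside the VPC?"""
    return ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(vpc_cidr)


def diagnose(resolved_ip, web_private_ip=WEB1_PRIVATE_IP, web_public_ip=WEB1_PUBLIC_IP):
    """Which source address the DB's group sees for a connection from the web
    instance to `resolved_ip`, and whether the posted sg-referenced rule admits it."""
    if endpoint_in_vpc(resolved_ip):
        seen_src = web_private_ip
    else:
        # Connecting to a public address sends the flow out via the internet
        # gateway and back in, so it arrives from the web instance's public IP.
        seen_src = web_public_ip
    return seen_src, inbound_allowed(DB_RULES_AS_POSTED, "tcp", 3306, seen_src)


if __name__ == "__main__":
    for target in (DB_PUBLIC_IP, DB_PRIVATE_IP):
        src, ok = diagnose(target)
        print(f"connect to {target}: DB group sees source {src}, allowed={ok}")
```

Running the script shows the two cases side by side: aiming at the DB's public address makes the DB group see the web instance's Elastic IP and the connection is refused, while aiming at the private address (what the DB's hostname resolves to inside the VPC) is matched by the group reference and admitted. The same model explains why opening 3306 to 0.0.0.0/0 "fixed" it: that rule also admits the Elastic IP and everyone else on the internet.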