I have set up a VPN and am able to ping the private IP of the EC2 instance from on-premises and vice versa. However, I am unable to ping the private IP of the DMS replication instance.

I have created an endpoint pointing to the DB in EC2. The endpoint test connection succeeds. However, the endpoint test connection fails for the DB on-premises.

The EC2 instance and the DMS replication instance use the same subnet, security group, etc. The details are given in the image below.


May I know

1) why the DMS instance is not communicating with on-premises (and vice-versa)

2) why EC2 works fine in VPN but not DMS instance?

EDIT:

Details of Security Group associated with the DMS instance:

  • vpc - the same default vpc used by EC2
  • inbound rules - all traffic, all protocol, all port range, source = 192.168.0.0/24
  • outbound rules - all traffic, all protocol, all port range, source = 0.0.0.0/0

Route table:

  • destination - 10.0.0.0/16, target = local
  • destination - 0.0.0.0/0, target = internet gateway
  • destination - 192.168.0.0/24, target = virtual private gateway used in VPN

This is the error message I get when I try to test the DMS DB endpoint connection:

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect Network error has occurred, Application-Detailed-Message: RetCode: SQL_ERROR SqlState: HYT00 NativeError: 0 Message: [unixODBC][Microsoft][ODBC Driver 13 for SQL Server]Login timeout expired ODBC general error.

What is your actual goal you are trying to achieve? Ping can be blocked by security groups. Rather than using ping to test connectivity, you should test the actual connectivity you wish to achieve. Presumably you are wanting to allow the DMS instance to connect with your on-premises database, is this correct? If so, please edit your question to show the Security Group associated with the DMS instance. - John Rotenstein

I have edited the question as you suggested. - MAK

When you connect from on-premises to the DMS instance, what is the IP address of the computer you are using to connect? I suspect it is not in the 192.168.0.0/24 range, so it is not being permitted through the security group. - John Rotenstein

The IP is actually in that range: 192.168.0.104. I am able to ping this IP from EC2 and vice-versa. - MAK

What is the CIDR of the VPC? If the EC2 instance can reach it, then the EC2 instance must also be in the 192.168.0.0/24 CIDR range. This might therefore be overlapping with the on-premises range if you are saying that 192.168.0.104 is on-premises. - John Rotenstein

1 Answer


You might need to describe/provide your full network topology for a more precise answer, but my best guess, based on AWS' documentation on "Network Security for AWS Database Migration Service", is that you're missing source and target database configuration:

Database endpoints must include network ACLs and security group rules that allow incoming access from the replication instance. You can achieve this using the replication instance's security group, the private IP address, the public IP address, or the NAT gateway’s public address, depending on your configuration.

Also, is this EC2 you mentioned a NAT instance? Just in case:

If your network uses a VPN tunnel, the Amazon EC2 instance acting as the NAT gateway must use a security group that has rules that allow the replication instance to send traffic through it.
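The following is an added example, not code from the question, the answer or AWS. It models the security group and route table the asker posted (VPC CIDR 10.0.0.0/16 is inferred from the "local" route) and walks through the checks the answer and comments point at: whether the VPC and on-premises CIDRs overlap, which route the replication instance's traffic to the on-premises SQL Server takes, whether the DMS security group permits that outbound flow (security groups are stateful, so no inbound rule is needed for the return traffic), and whether the on-premises database host accepts connections from the replication instance's private address, which is the database-endpoint rule the answer quotes. The DMS private IP `10.0.1.50` and the on-premises allow list `ONPREM_DB_ALLOWLIST` are constructed assumptions; the real values come from the DMS console and the on-premises firewall.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    protocol: str    # "-1" means all protocols, as the AWS console shows it
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class Route:
    destination: str
    target: str


# Constructed from the question: the posted SG rules and route table.
# VPC_CIDR is inferred from the "local" route; it is not stated outright.
VPC_CIDR = "10.0.0.0/16"
ONPREM_CIDR = "192.168.0.0/24"
DMS_SG_INBOUND = [SgRule("-1", 0, 65535, "192.168.0.0/24")]
DMS_SG_OUTBOUND = [SgRule("-1", 0, 65535, "0.0.0.0/0")]
ROUTE_TABLE = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw"),
    Route("192.168.0.0/24", "vgw"),
]
# Hypothetical on-premises firewall allow list for the SQL Server host.
# It only trusts the on-premises LAN, which is the situation the quoted
# DMS documentation warns about (nothing lets the replication instance in).
ONPREM_DB_ALLOWLIST = ["192.168.0.0/24"]


def sg_permits(rules, peer_ip, protocol, port):
    """True if any rule matches the peer address, protocol and port."""
    ip = ipaddress.ip_address(peer_ip)
    for r in rules:
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        if ip in ipaddress.ip_network(r.cidr):
            return True
    return False


def route_target(table, dest_ip):
    """Longest-prefix match over the route table, as the VPC router does."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for r in table:
        net = ipaddress.ip_network(r.destination)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.target)
    return best[1] if best else None


def cidrs_overlap(a, b):
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def onprem_accepts(allowlist, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c) for c in allowlist)


def check_dms_to_onprem(dms_ip, db_ip, port=1433):
    """Collect the findings for a DMS replication instance connecting to an
    on-premises SQL Server. 'aws_side_ok' covers only what the VPC controls;
    'onprem_accepts_dms' is the database-endpoint rule the DMS docs require."""
    findings = {
        "overlap": cidrs_overlap(VPC_CIDR, ONPREM_CIDR),
        "route": route_target(ROUTE_TABLE, db_ip),
        "sg_outbound": sg_permits(DMS_SG_OUTBOUND, db_ip, "tcp", port),
        "sg_inbound_from_onprem": sg_permits(DMS_SG_INBOUND, db_ip, "tcp", port),
        "onprem_accepts_dms": onprem_accepts(ONPREM_DB_ALLOWLIST, dms_ip),
    }
    findings["aws_side_ok"] = (
        not findings["overlap"]
        and findings["route"] == "vgw"
        and findings["sg_outbound"]
    )
    return findings


if __name__ == "__main__":
    for key, value in check_dms_to_onprem("10.0.1.50", "192.168.0.104").items():
        print(f"{key}: {value}")
```

With the posted configuration the AWS-side checks all pass (no overlap, traffic to 192.168.0.104 goes to the virtual private gateway, outbound is open), so a login timeout like the one in the question points at the path beyond the VPC: the on-premises firewall or database host not accepting the replication instance's private address, which is exactly the rule the quoted documentation asks for.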