So I have a primary RDS in us-east-1 & a replica in us-west-1. Both are inside VPCs in their respective regions. I want to have one of my EC2 instances in us-east-1 connect to the replica instance.

A simple solution is to enable public access for the RDS replica and add the IP of the EC2 to its security group, and it works. But instead of allowing a static IP, I would like to allow access to the entire CIDR range of my us-east-1 VPC, and also I don't want my instances to be publicly accessible.

To do this, I've set up a VPC peering connection between the two regions and I have added entries in the routing tables of both the VPCs to forward traffic to each other's CIDR ranges to the peering connection. The CIDR range of the EC2 instance is 172.31.0.0/16 and I have added this to the security group of the RDS replica in the us-west-1 region. But for some reason the RDS is not reachable from my EC2.

Have I missed anything else? Thanks!
To summarize my setup:

US EAST:
- VPC CIDR: 172.31.0.0/16
- Route Table entry: Destination 10.0.0.0/16 routes to the peering connection of us-west-1 VPC.
- EC2 IP: 172.31.5.234

US WEST:
- VPC CIDR: 10.0.0.0/16
- Route Table entry: Destination 172.31.0.0/16 routes to the peering connection of us-east-1 VPC.

RDS:
- Public Accessible: Yes
- Security Group: Allow connections from 172.31.0.0/16
sg-4e2fcf31 to the inbound source of your database (RDS) security group. This is the setup that I use in production, which should satisfy your requirements. – Ryan Charmley
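As an added example (not part of the question or the comment above), the Python below models the routes and security group from the summary and reports whether a connection from the EC2 instance would be carried over the peering and admitted by the replica's security group. It also covers the case where the client resolves the replica endpoint to its public address, in which case the traffic leaves through the internet gateway rather than the peering and arrives from the instance's public IP, which the 172.31.0.0/16 rule does not match. The replica's private and public addresses, the EC2's public IP, the database port and the default route to an internet gateway are constructed assumptions not given in the post.

```python
import ipaddress

# Route tables as {destination CIDR: target}; the most specific prefix wins,
# as in a VPC route table. The 0.0.0.0/0 -> igw rows are assumed (the asker's
# "enable public access" workaround only works with an internet-facing route).
EAST_ROUTES = {"172.31.0.0/16": "local", "10.0.0.0/16": "pcx-peer", "0.0.0.0/0": "igw"}
WEST_ROUTES = {"10.0.0.0/16": "local", "172.31.0.0/16": "pcx-peer", "0.0.0.0/0": "igw"}
# Replica security group inbound rules as (source CIDR, port); port is constructed.
RDS_SG_INBOUND = [("172.31.0.0/16", 3306)]


def route_target(routes, dst_ip):
    """Return the target of the longest-prefix route matching dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def sg_allows(rules, src_ip, port):
    """True if any inbound rule covers the source address on that port."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) and p == port for cidr, p in rules)


def check_path(src_private_ip, src_public_ip, dst_ip, port):
    """Explain whether the EC2 -> replica connection works for the resolved dst_ip."""
    fwd = route_target(EAST_ROUTES, dst_ip)
    if fwd == "igw":
        # Leaving via the internet gateway: the replica sees the instance's
        # public IP as the source, not its 172.31.x.x private address.
        seen_src = src_public_ip
    elif fwd == "pcx-peer":
        seen_src = src_private_ip
        if route_target(WEST_ROUTES, src_private_ip) != "pcx-peer":
            return False, "us-west-1 has no return route to 172.31.0.0/16 via the peering"
    else:
        return False, f"route to {dst_ip} is {fwd!r}, not the peering or the internet gateway"
    if not sg_allows(RDS_SG_INBOUND, seen_src, port):
        return False, f"security group rejects source {seen_src} on port {port}"
    return True, f"allowed via {fwd} as source {seen_src}"


if __name__ == "__main__":
    # Constructed: replica resolved to its private address, then to a public one.
    for dst in ("10.0.1.50", "198.51.100.20"):
        print(dst, check_path("172.31.5.234", "203.0.113.10", dst, 3306))
```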