2
votes

So I have a primary RDS in us-east-1 & a replica in us-west-1. Both are inside VPCs in their respective regions. I want to have one of my EC2 instances in us-east-1 connect to the replica instance.

A simple solution is to enable public access for the RDS replica and add the IP of the EC2 to its security group and it works.

But instead of allowing a static IP, I would like to allow access to the entire CIDR range of my us-east-1 VPC, and I also don't want my instances to be publicly accessible.

To do this, I've set up a VPC peering connection between the two regions and added entries in the routing tables of both VPCs to forward traffic for each other's CIDR ranges to the peering connection.

The CIDR range of the EC2 instance is 172.31.0.0/16 and I have added this to the security group of the RDS replica in the us-west-1 region. But for some reason the RDS is not reachable from my EC2.

Have I missed anything else? Thanks!

To summarize my setup:

US EAST:

  • VPC CIDR: 172.31.0.0/16
  • Route Table entry: Destination 10.0.0.0/16 routes to the peering connection of us-west-1 VPC.
  • EC2 IP: 172.31.5.234

US WEST:

  • VPC CIDR: 10.0.0.0/16
  • Route Table entry: Destination 172.31.0.0/16 routes to the peering connection of us-east-1 VPC.
  • RDS:
    • Publicly Accessible: Yes
    • Security Group: Allow connections from 172.31.0.0/16
Comments:

Ryan Charmley: You may be able to do this by setting the security group of your EC2 as the source for an inbound rule on the security group for your RDS. This will open up the communication between your RDS and EC2 through the security group, with no need for IP.

Ryan Charmley: For clarity, you add the Group ID of your application security group, such as sg-4e2fcf31, to the inbound source of your database (RDS) security group. This is the setup that I use in production, which should satisfy your requirements.

Steve Robinson: Does this work even if the VPCs are in different regions?

Steve Robinson: @RyanCharmley nope, just tried that; it says "Could not update your security group rules (No changes were made): The security group does not exist"

Ryan Charmley: Yeah, I think if you do not allow public connections, it is required for your application and database servers to exist on the same VPC. Would also be interested to know if there is another way..

1 Answer

4
votes

To reproduce your situation, I did the following:

In us-east-1:

  • Created a VPC in us-east-1 with a CIDR of 172.31.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Launched an Amazon EC2 Linux instance in the public subnet

In us-west-1:

  • Created a VPC in us-west-1 with a CIDR of 10.0.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Added an additional private subnet to allow creation of an Amazon RDS Subnet Group that uses multiple AZs
  • Created an RDS Subnet Group across the two private subnets
  • Launched an Amazon RDS MySQL database in the private subnet with Publicly accessible = No

Setup peering:

  • In us-east-1, created a Peering Connection Request to the VPC in us-west-1
  • In us-west-1, accepted the Peering Request

Configure routing:

  • In us-east-1, configured the Public Route Table (used by the EC2 instance) to route 10.0.0.0/16 traffic to the peered VPC
  • In us-west-1, configured the Private Route Table (used by the RDS instance) to route 172.31.0.0/16 traffic to the peered VPC

Security Groups:

  • In us-east-1, created a security group (App-SG) that allows inbound port 22 connections from 0.0.0.0/0. Associated it with the EC2 instance.
  • In us-west-1, created a security group (RDS-SG) that allows inbound port 3306 connections from 10.0.0.0/16 (which is the other side of the peering connection). Associated it with the RDS instance.

Test:

  • Used ssh to connect to the EC2 instance in us-east-1
  • Installed the mysql client (sudo yum install mysql)
  • Connected to mysql with:
    mysql -u master -p -h xxx.yyy.us-west-1.rds.amazonaws.com

This successfully connected to the RDS database across the peering connection.

FYI, the DNS name of the database resolved to 10.0.2.40 (which is in the CIDR range of the us-west-1 VPC). This DNS resolution worked from both VPCs.

In summary, the important bits are:

  • Establish a 2-way peering connection
  • Configure the security group on the RDS instance to permit inbound connections from the CIDR of the peered VPC
  • No need to make the database publicly accessible
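As an added illustration (not code from the question or the answer above), the following Python script models the checks a connection from an EC2 instance in one VPC must pass before it reaches an RDS endpoint in a peered VPC: endpoint resolution, the forward route, the return route through the peering connection, and the inbound rule on the database security group. All ids, addresses and CIDRs are constructed, and two behaviours are modelled as assumptions rather than taken from the page: that a publicly accessible RDS endpoint resolves to its public address when queried from outside its own VPC (so the traffic leaves via the internet gateway and arrives from the instance's public IP), and that a security-group id used as a rule source only matches a group in the same region. The three scenarios correspond to the asker's setup, the answer's setup, and a setup with the return route missing from the database subnet's route table.

```python
# Added example, not from the original post: an offline reachability model for
# an EC2 client in one VPC reaching an RDS endpoint in a peered VPC.
# Every id, address and CIDR below is constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DB_PORT = 3306


@dataclass
class RouteTable:
    routes: dict  # destination CIDR -> target: "local", "pcx-..." or "igw-..."

    def lookup(self, dst):
        """Longest-prefix match, the way a VPC route table selects a route."""
        dst = ip_address(dst)
        hits = [ip_network(c) for c in self.routes if dst in ip_network(c)]
        if not hits:
            return None
        return self.routes[str(max(hits, key=lambda n: n.prefixlen))]


@dataclass
class Vpc:
    vpc_id: str
    region: str
    cidr: str
    route_table: RouteTable  # the table attached to the relevant subnet


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list  # (protocol, port, source); source is a CIDR or an sg- id


@dataclass
class Peering:
    pcx_id: str
    vpc_ids: frozenset
    status: str = "active"


@dataclass
class Database:
    private_ip: str
    public_ip: Optional[str]
    publicly_accessible: bool
    sg: SecurityGroup


def sg_permits(sg, src_ip, client_sg, client_region, db_region):
    """Evaluate the database security group's inbound rules for tcp/3306."""
    for proto, port, source in sg.inbound:
        if proto != "tcp" or port != DB_PORT:
            continue
        if source.startswith("sg-"):
            # Modelled assumption: an sg- reference only matches within one region
            # (the comments above show a cross-region reference being rejected).
            if source == client_sg.sg_id and client_region == db_region:
                return True
        elif ip_address(src_ip) in ip_network(source):
            return True
    return False


def check_reachability(client_ip, client_public_ip, client_vpc, client_sg,
                       db, db_vpc, peerings):
    """Return (reachable, reasons); reasons names every hop that failed."""
    reasons = []
    # 1. Endpoint resolution. Modelled assumption: a publicly accessible endpoint
    #    resolves to its public address from outside the database's own VPC.
    if db.publicly_accessible and client_vpc.vpc_id != db_vpc.vpc_id:
        target_ip, effective_src = db.public_ip, client_public_ip
    else:
        target_ip, effective_src = db.private_ip, client_ip
    # 2. Forward route from the client's subnet.
    fwd = client_vpc.route_table.lookup(target_ip)
    if fwd is None:
        reasons.append(f"client route table has no route to {target_ip}")
    elif fwd.startswith("pcx-"):
        pcx = next((p for p in peerings if p.pcx_id == fwd), None)
        both = frozenset({client_vpc.vpc_id, db_vpc.vpc_id})
        if pcx is None or pcx.status != "active" or pcx.vpc_ids != both:
            reasons.append(f"{fwd} is not an active peering between the two VPCs")
        # 3. Return route from the database's subnet back to the client.
        if db_vpc.route_table.lookup(client_ip) != fwd:
            reasons.append(f"database route table does not send {client_ip} back via {fwd}")
    elif not fwd.startswith("igw-"):  # igw-: leaves via the internet, source = public IP
        reasons.append(f"unexpected route target {fwd}")
    # 4. Inbound security-group evaluation on the database side.
    if not sg_permits(db.sg, effective_src, client_sg, client_vpc.region, db_vpc.region):
        reasons.append(f"{db.sg.sg_id} has no tcp/{DB_PORT} rule matching source {effective_src}")
    return (not reasons, reasons)


# Constructed topology mirroring the page: 172.31.0.0/16 (east) peered with 10.0.0.0/16 (west).
PCX = "pcx-0example"
PEERINGS = [Peering(PCX, frozenset({"vpc-east", "vpc-west"}))]
EAST = Vpc("vpc-east", "us-east-1", "172.31.0.0/16", RouteTable(
    {"172.31.0.0/16": "local", "10.0.0.0/16": PCX, "0.0.0.0/0": "igw-0example"}))
WEST = Vpc("vpc-west", "us-west-1", "10.0.0.0/16", RouteTable(
    {"10.0.0.0/16": "local", "172.31.0.0/16": PCX}))
APP_SG = SecurityGroup("sg-app", [("tcp", 22, "0.0.0.0/0")])
RDS_SG = SecurityGroup("sg-rds", [("tcp", DB_PORT, "172.31.0.0/16")])


def question_setup():
    """Asker's setup: peering and routes in place, database still publicly accessible."""
    db = Database("10.0.2.40", "203.0.113.10", True, RDS_SG)
    return check_reachability("172.31.5.234", "198.51.100.7", EAST, APP_SG, db, WEST, PEERINGS)


def answer_setup():
    """Answer's setup: Publicly accessible = No, SG allows the peered VPC's CIDR."""
    db = Database("10.0.2.40", None, False, RDS_SG)
    return check_reachability("172.31.5.234", "198.51.100.7", EAST, APP_SG, db, WEST, PEERINGS)


def missing_return_route():
    """Private route table on the database side lacks the route back to 172.31.0.0/16."""
    west = Vpc("vpc-west", "us-west-1", "10.0.0.0/16", RouteTable({"10.0.0.0/16": "local"}))
    db = Database("10.0.2.40", None, False, RDS_SG)
    return check_reachability("172.31.5.234", "198.51.100.7", EAST, APP_SG, db, west, PEERINGS)


if __name__ == "__main__":
    for name, fn in [("question", question_setup), ("answer", answer_setup),
                     ("no return route", missing_return_route)]:
        ok, why = fn()
        print(f"{name}: {'reachable' if ok else 'unreachable'} {why}")
```

The point the model makes explicit is that a correct peering and correct route tables are not enough on their own: the database subnet's own route table needs the return route, and the source address the database security group actually sees depends on which path the traffic took, so a CIDR rule for the peered VPC only matches when the endpoint resolves to its private address. Checking the resolved address with a DNS lookup from the client instance is the quickest way to confirm which case applies.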