Getting connection timed out error when mounting AWS EFS across accounts - amazon-web-services

I'm trying to mount an AWS EFS file system to an EC2 instance that is in another account. I followed the below steps:
Account A:
VPC-A: 172.31.0.0/16
Created EFS in the VPC
Security group-A: Allows all inbound traffic from VPC-B(10.210.0.0/16) in Account B, also allows all outbound traffic to the internet. And this security group is attached to the EFS file system.
Accepted VPC peering connection request from VPC-B(10.210.0.0/16)
Route table-A: contains the route to VPC-B(10.210.0.0/16) via peering connection
Account B:
VPC-B: 10.210.0.0/16
Launched an EC2 instance(10.210.0.165) in a private subnet in VPC-B
Security group-B: Allows both inbound and outbound traffic from/to VPC-A(172.31.0.0/16)
Created a VPC Peering connection with VPC-A
Route table-B: contains the route to VPC-A(172.31.0.0/16) via peering connection
Note: I made sure that the region and availability zones of both the EFS in account A and EC2 instance in account B are the same. Also connecting to the EFS endpoint in the correct AZ using the mount by IP option
Still, I'm getting a "mount.nfs4: Connection timed out" error.
Please help!
Edit:
Just to test the setup and connectivity, I launched one EC2 instance in account A and ping worked from the EC2 instance in account B.
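Ping proving the peering path works means routing is fine in both directions at the ICMP level, which leaves the packet filters. An added example (not from the question, and not AWS tooling) that walks every filter an NFS mount crosses for the question's addresses: a security group is stateful, so the rules listed above already cover TCP 2049 in the initiating direction, but a subnet NACL is stateless and must also admit the replies on the client's ephemeral source port. The mount-target address 172.31.5.10 and the allow-all NACLs are assumptions; the "half-open" NACL is a hypothetical variant that produces exactly the symptom in the question (SYN arrives, SYN-ACK is dropped, client times out).

```python
import ipaddress
from functools import lru_cache

# Constructed data modelled on the question, not AWS output. The mount-target
# address 172.31.5.10 is an assumed placeholder (the question does not give it).
# An NFS mount is TCP 2049 from the client to the EFS mount target; replies
# come back to whatever ephemeral source port the client chose.
NFS_PORT = 2049
EPHEMERAL = (1024, 65535)
ACL_ALLOW_ALL = [{"rule": 100, "action": "allow", "proto": "-1",
                  "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]

@lru_cache(maxsize=None)
def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

@lru_cache(maxsize=None)
def _addr(ip):
    return ipaddress.ip_address(ip)

def _matches(rule, ip, port):
    """Shared matcher for SG rules and NACL entries: TCP or 'all protocols' (-1)."""
    if rule["proto"] not in ("-1", "tcp") or _addr(ip) not in _net(rule["cidr"]):
        return False
    return rule["proto"] == "-1" or rule["from"] <= port <= rule["to"]

def sg_allows(rules, ip, port):
    """Security groups are stateful and allow-only: one matching rule in the
    initiating direction permits the flow, and its replies need no rule."""
    return any(_matches(r, ip, port) for r in rules)

def nacl_allows(entries, ip, port):
    """NACLs are stateless and ordered: the lowest-numbered matching entry
    decides; with no match the implicit '*' entry denies."""
    for e in sorted(entries, key=lambda e: e["rule"]):
        if _matches(e, ip, port):
            return e["action"] == "allow"
    return False

def nacl_allows_range(entries, ip, lo, hi):
    """Return-path check: every port in [lo, hi] must be allowed, because the
    reply's destination port is the client's arbitrary source port."""
    ordered = sorted(entries, key=lambda e: e["rule"])
    return all(nacl_allows(ordered, ip, p) for p in range(lo, hi + 1))

def check_nfs_mount(cfg, client_ip, target_ip):
    """Walk every filter a cross-VPC NFS mount crosses and list what blocks it
    (routing is assumed correct here). cfg keys: client_sg_egress,
    client_nacl_egress, client_nacl_ingress, target_nacl_ingress,
    target_nacl_egress, target_sg_ingress."""
    problems = []
    if not sg_allows(cfg["client_sg_egress"], target_ip, NFS_PORT):
        problems.append("client SG: no egress to %s tcp/%d" % (target_ip, NFS_PORT))
    if not nacl_allows(cfg["client_nacl_egress"], target_ip, NFS_PORT):
        problems.append("client subnet NACL: egress to tcp/%d denied" % NFS_PORT)
    if not nacl_allows_range(cfg["client_nacl_ingress"], target_ip, *EPHEMERAL):
        problems.append("client subnet NACL: ingress blocks replies on ephemeral ports")
    if not nacl_allows(cfg["target_nacl_ingress"], client_ip, NFS_PORT):
        problems.append("mount-target subnet NACL: ingress tcp/%d denied" % NFS_PORT)
    if not nacl_allows_range(cfg["target_nacl_egress"], client_ip, *EPHEMERAL):
        problems.append("mount-target subnet NACL: egress blocks replies on ephemeral ports")
    if not sg_allows(cfg["target_sg_ingress"], client_ip, NFS_PORT):
        problems.append("mount-target SG: no ingress from %s tcp/%d" % (client_ip, NFS_PORT))
    return problems

# The question's setup: SG-A admits everything from VPC-B, SG-B lets everything
# out to VPC-A, and (assumed) both subnets still use the default allow-all NACL.
QUESTION = {
    "client_sg_egress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "172.31.0.0/16"}],
    "client_nacl_egress": ACL_ALLOW_ALL, "client_nacl_ingress": ACL_ALLOW_ALL,
    "target_nacl_ingress": ACL_ALLOW_ALL, "target_nacl_egress": ACL_ALLOW_ALL,
    "target_sg_ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "10.210.0.0/16"}],
}
# A hypothetical hardened NACL on the mount-target subnet that admits NFS in but
# only lets traffic out towards VPC-A itself: the SYN arrives, the SYN-ACK is
# dropped, and the client sees exactly "Connection timed out".
HALF_OPEN = dict(QUESTION)
HALF_OPEN["target_nacl_ingress"] = [{"rule": 100, "action": "allow", "proto": "tcp",
                                     "from": 2049, "to": 2049, "cidr": "10.210.0.0/16"}]
HALF_OPEN["target_nacl_egress"] = [{"rule": 100, "action": "allow", "proto": "-1",
                                    "from": 0, "to": 65535, "cidr": "172.31.0.0/16"}]

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("half-open NACL", HALF_OPEN)):
        print(name, "->", check_nfs_mount(cfg, "10.210.0.165", "172.31.5.10") or "all filters pass")
```

Run it with the real rules pasted from the console (or `aws ec2 describe-security-groups` / `describe-network-acls`) for the mount target's subnet, not just the EFS file system: the security group and NACL that matter are the ones on the mount target in the AZ you mount from.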

Related

Troubleshooting Lambda to RDS connection with VPC peering

My AWS Lambda function times out when it tries to connect to an RDS instance in another VPC. The VPCs are peered.
Things I have checked:
Lambda is inside the correct VPC
RDS is inside the other VPC
RDS exists in subnets that are peered
VPC Peering is "accepted"
Lambda security group has ingress permission on correct port (5432) to RDS security group
Lambda security group has egress permission to anywhere on any port
Route table entries exists from Lambda VPC subnets to peering
Route table entries exist from RDS VPC subnets to peering
What else can I check / leverage to fix this connectivity issue?
Update
DNS hostnames and DNS resolution are enabled for both VPCs
Update
I tried the following:
Create EC2 instance on same subnet as Lambda
Assign lambda SG to the EC2
SSH connect to EC2
telnet to RDS:
telnet rds.xxxxxxxxxx.eu-west-2.rds.amazonaws.com 5432
Trying 10.11.65.225...
Connected to rds.xxxxxxxxxx.eu-west-2.rds.amazonaws.com.
Escape character is '^]'.
^CConnection closed by foreign host.
So the EC2 can connect. Therefore the issue must be with the lambda.
What can I try next?
The issue in my case (maybe yours too?) was that the query was timing out, not the connection attempt. You can test this by changing the query to SELECT 1 AS x or similar. The solution is to optimize the query so that it can run in reasonable time.
The trick of launching an EC2 with similar settings to the Lambda and connecting via SSH is a good one.
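A Lambda function cannot be SSH'd into, but it can run the same connectivity test the telnet step performed, and go one step further. The following is an added example (not code from the question or the answers): it opens the TCP connection and then sends the first message of the PostgreSQL wire protocol, an SSLRequest, which every PostgreSQL server answers with a single byte before any authentication. That separates "no SYN-ACK" (routes, security groups or NACLs on either side) from "TCP open but nothing PostgreSQL answered" and from "the database is reachable", in which case, as the answer above found, the remaining timeout is in the query rather than the network. The loopback stand-in server is constructed for offline use; the real RDS host name is supplied by the caller.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest: Int32 length 8, Int32 code 80877103. Every PostgreSQL
# server (RDS included) answers it with one byte, 'S' or 'N', before any auth.
SSL_REQUEST = struct.pack("!II", 8, 80877103)

def probe_postgres(host, port=5432, timeout=3.0):
    """Classify where a connection attempt fails, without libpq.
    'timeout'      SYN sent, no SYN-ACK: routing, SG or NACL on either side
    'refused'      host reached, nothing listening: wrong port or host
    'unreachable'  the local stack has no path (e.g. Lambda not placed in the VPC)
    'not_postgres' TCP open but no valid reply: something else answered
    'ok'           a PostgreSQL server answered; remaining trouble is past the network"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(SSL_REQUEST)
            try:
                reply = s.recv(1)
            except socket.timeout:
                return ("not_postgres", "TCP open but no protocol reply")
            if reply in (b"S", b"N"):
                return ("ok", "SSLRequest answered %s" % reply.decode())
            return ("not_postgres", "unexpected first byte %r" % reply)
    except socket.timeout:
        return ("timeout", "no SYN-ACK within %.1fs" % timeout)
    except ConnectionRefusedError:
        return ("refused", "connection refused on port %d" % port)
    except OSError as exc:
        return ("unreachable", str(exc))

def lambda_handler(event, context):
    """Drop-in handler for a throwaway function given the real function's VPC,
    subnets and security group; invoke with {"host": ..., "port": 5432}."""
    verdict, detail = probe_postgres(event["host"], int(event.get("port", 5432)))
    return {"verdict": verdict, "detail": detail}

def start_fake_postgres():
    """Constructed loopback stand-in for RDS used to exercise the probe offline:
    accepts one connection, reads the SSLRequest, answers 'N'. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(8) == SSL_REQUEST:
                conn.sendall(b"N")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Bind and release an ephemeral port so a probe to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(probe_postgres("127.0.0.1", start_fake_postgres()))   # ('ok', ...)
    print(probe_postgres("127.0.0.1", closed_port()))            # ('refused', ...)
```

Deploy `lambda_handler` with the production function's VPC settings and invoke it against the RDS endpoint: a `timeout` verdict means the function's subnets or security group differ from the EC2 instance you tested from, while `ok` means the network is fine and the query itself (or a statement timeout) is where to look next.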

Cross-account VPC peering connection to RDS

I have two AWS accounts (A and B). Each of them has a VPC with no overlapping CIDR blocks, both are in the same region. I have successfully created a VPC peering connection between them (which is active). The requester and receiver both allow remote vpc dns resolution.
I have specified in each VPC table routes the other's VPC cidr block as a destination with the peering connection as a target.
I have an EC2 instance running in a public subnet inside the VPCA of AccountA, attached to a security group SecurityGroupA. SecurityGroupA enables inbound from all sources in the default security group of VPCA, as well as inbound from AccountBId/SecurityGroupB, and all outbounds.
I have a RDS postgres instance running in the VPCB of AccountB, attached to a security group SecurityGroupB. SecurityGroupB enables inbound TCP on port 5432 (postgres default port) from AccountAId/SecurityGroupAId.
When running aws ec2 describe-security-group-references --group-id SecurityGroupAId, I get
{
"SecurityGroupReferenceSet": [
{
"GroupId": "SecurityGroupAId",
"ReferencingVpcId": "VPCBId",
"VpcPeeringConnectionId": "pcx-XXXXXXXXXXXXXXXXX"
}
]
}
Which seems to indicate that the security group is correctly referenced. But when trying to connect from the EC2 instance to the RDS instance, I'm getting a connection timed out error.

EC2 instance will not connect to DocumentDB in different AZ. Why?

I have set up a documentdb cluster in us-east-1. I am attempting to connect via an EC2 instance in us-west-1. I have set up connection peering with the VPC in us-west-1 having a CIDR of 172.31.0.0/16 and the VPC in us-east-1 having a CIDR of 172.32.0.0/16. Connection peering is established and active. When I attempt to
connect to the documentdb from mongo shell from the EC2 instance, I get the exception:
connecting to: mongodb://cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017/?gssapiServiceName=mongodb
2020-07-15T00:50:16.004+0000 W NETWORK  Failed to connect to 172.32.83.229:27017 after 5000ms milliseconds, giving up.
2020-07-15T00:50:16.004+0000 E QUERY    Error: couldn't connect to server cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017, connection attempt failed :
connect#src/mongo/shell/mongo.js:263:13
#(connect):1:6
exception: connect failed
The security group attached to the us-east-1 VPC is set to allow all IP addresses and all ports, so that doesn't seem to be the issue.
So.... why the failure to connect? Anything I missed?
VPC peering does not implicitly handle reverse-path routes for return traffic, so you need to add routes to both VPCs.
You need routes in the tables of VPC A sending b.b.b.b/x over the peering connection and you need routes in VPC B to send a.a.a.a/y traffic over the peering connection, regardless of which end originates the traffic.
The owner of the peer VPC must also complete these steps to add a route to direct traffic back to your VPC through the VPC peering connection.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html
I would take a look at the route tables in the VPC for us-west-1. Make sure there is a record that sends 172.32.0.0/16 through the VPC peering.
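The rule above (a route towards the peer in both VPCs) is easy to state, and the usual way it still goes wrong is that the route was added to a table the instance's subnet does not actually use: a subnet with no explicit association falls back to the VPC's main route table. The following added example (not from the answer, and not AWS tooling) takes JSON in the shape of `aws ec2 describe-route-tables --output json`, resolves which table applies to a subnet, does the longest-prefix match the VPC router does, and checks both directions against the peering connection. The data is constructed: the CIDRs and 172.32.83.229 come from the question, while the VPC, subnet, route table and pcx IDs and the instance address 172.31.20.15 are placeholders.

```python
import copy
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-route-tables --output json`,
# not real output. VPC, subnet and pcx IDs are placeholders; the CIDRs are the
# question's (us-west-1 instance VPC 172.31.0.0/16, us-east-1 DocumentDB VPC
# 172.32.0.0/16) and 172.32.83.229 is the address the mongo shell tried.
PCX = "pcx-0123456789abcdef0"
WEST = {"RouteTables": [
    {"RouteTableId": "rtb-west-main", "VpcId": "vpc-west",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"}]},
    {"RouteTableId": "rtb-west-custom", "VpcId": "vpc-west",
     "Associations": [{"Main": False, "SubnetId": "subnet-west-other"}],
     "Routes": [
         {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "172.32.0.0/16", "VpcPeeringConnectionId": PCX, "State": "active"}]},
]}
EAST = {"RouteTables": [
    {"RouteTableId": "rtb-east-main", "VpcId": "vpc-east",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "172.32.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "172.31.0.0/16", "VpcPeeringConnectionId": PCX, "State": "active"}]},
]}
TARGET_KEYS = ("VpcPeeringConnectionId", "GatewayId", "NatGatewayId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")

def effective_table(describe, vpc_id, subnet_id):
    """A subnet with an explicit association uses that table; every other subnet
    in the VPC silently uses the main table, so a peering route added only to a
    custom table does nothing for them."""
    main = None
    for rt in describe["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def select_route(table, dest_ip):
    """Longest-prefix match over active IPv4 routes, as the VPC router does."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for r in table["Routes"]:
        cidr = r.get("DestinationCidrBlock")
        if cidr is None or r.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None

def route_target(route):
    return next((route[k] for k in TARGET_KEYS if k in route), None)

def check_direction(describe, vpc_id, subnet_id, dest_ip, pcx):
    table = effective_table(describe, vpc_id, subnet_id)
    route = select_route(table, dest_ip)
    target = route_target(route) if route else None
    return {"table": table["RouteTableId"], "target": target, "ok": target == pcx}

def check_peering_both_ways(src_tables, dst_tables, pcx, src, dst):
    """src/dst are (vpc_id, subnet_id, ip). Forward and return path must both
    leave through the peering connection; a missing return route shows up as a
    timeout on the side that did everything right."""
    fwd = check_direction(src_tables, src[0], src[1], dst[2], pcx)
    ret = check_direction(dst_tables, dst[0], dst[1], src[2], pcx)
    return {"forward": fwd, "return": ret, "ok": fwd["ok"] and ret["ok"]}

def add_peering_route(describe, rtb_id, cidr, pcx):
    """Offline equivalent of: aws ec2 create-route --route-table-id <rtb>
    --destination-cidr-block <cidr> --vpc-peering-connection-id <pcx>."""
    fixed = copy.deepcopy(describe)
    for rt in fixed["RouteTables"]:
        if rt["RouteTableId"] == rtb_id:
            rt["Routes"].append({"DestinationCidrBlock": cidr,
                                 "VpcPeeringConnectionId": pcx, "State": "active"})
    return fixed

EC2 = ("vpc-west", "subnet-west-ec2", "172.31.20.15")   # placeholder instance
DOCDB = ("vpc-east", "subnet-east-db", "172.32.83.229")

if __name__ == "__main__":
    print(check_peering_both_ways(WEST, EAST, PCX, EC2, DOCDB))   # forward via igw: not ok
    fixed = add_peering_route(WEST, "rtb-west-main", "172.32.0.0/16", PCX)
    print(check_peering_both_ways(fixed, EAST, PCX, EC2, DOCDB))  # both ok
```

In the constructed data the peering route exists in the west VPC, but only in a custom table bound to a different subnet; the instance's subnet uses the main table, whose best match for 172.32.83.229 is the default route to the internet gateway, which is the situation the answer tells the asker to look for.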

Unable to access amazon RDS mysql instance from lightsail instance

I am new to AWS and not a network admin, merely a developer, and need your help.
I am unable to connect to my AWS RDS (MySQL) from my Lightsail Ubuntu instance. When trying to connect, it just waits for a minute and then fails.
I am unable to ping my RDS either.
here is the setup
the lightsail instance has vpc peering enabled in lon-zone-A
I have created a mysql RDS instance in aws and used default vpc peering. mysql is restricted to VPC and using default security group which has a rule for inbound - All traffic for default security group source
the default VPC have 2 subnets in CIDR 172.31.16.0/20 and 172.31.0.0/16 for two availability zone A and B.
In route table of the subnet, i have
172.26.0.0/16 as destination and target to vpc peering which further has
Requester VPC CIDRs 172.26.0.0/16
Accepter VPC CIDRs 172.31.0.0/16
My lightsail instance has private IP 172.26.15.xxx and in lon-Zone-A
When I ping my MySQL instance, I get IP 172.31.10.9
command using to connect mysql -h xxxxxx.xxxxx.eu-west-2.rds.amazonaws.com -P 3306 -u db_master_username -p
To enable access from AWS Lightsail to AWS RDS, you can accomplish this in two separate ways:
Method 1.
Make RDS publicly accessible.
In RDS pick your instance and click 'Modify'. In section 'Network & Security' set 'Publicly accessible' to Yes. Apply settings and wait until they are effective. Your RDS has a public IP now.
Add your Lightsail public IP to the RDS security group inbound traffic.
Use CIDR: x.x.x.x/32 where x.x.x.x is your Lightsail instance public IP.
Method 2. (better, RDS with no public IP)
Make sure your Lightsail instance is in the same Availability Zone as RDS.
Set up VPC peering between the Lightsail VPC and Amazon VPC.
Add your Lightsail local IP to the RDS security group inbound traffic.
I managed to solve it.
I had to add my lightsail instance IP CIDR in the RDS inbound rule as mysql/aurora TCP allowed traffic.
:-)

How to resolve issue on two AWS accounts with respective VPCs on the same subnet range to talk to each other

We have two AWS accounts:
Account A have a VPC with 172.31.21.0/16 subnet.
Account B have 3 VPCs:
VPC 1 : 172.31.0.0/16 Default
VPC 2 : 172.32.0.0/16
VPC 3 : 172.30.0.0/16
We have an EC2 on Account A's VPC, that needs to talk to RDS(MySQL) on Account B's VPC 2 but I cannot connect the RDS from EC2 on Account A.
Is the problem caused by Account B's VPC 1 which is using the same subnet as Account A's VPC?
If so, how can we resolve the issue?
Do you have 172.31.21.0/16 or 172.31.21.0/24? Having the first scenario is useless. Did you set up the VPC peering connection and tried to add routes? I believe you will have problem with network range overlapping. Also VPC peering connection will work if you're using the same region in both accounts.
presumably you already have a peering connection ( a pcx ) for A -> B
So either
1) alter the addressing on Account B VPC 1 so that it doesn't overlap with Account A VPC
2) add an explicit route for Account B VPC 2 route table sending 172.31.21.0/16 to the pcx. But in this case routing to Account B VPC1 from VPC2 will be broken for some addresses
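The first answer's question ("/16 or /24?") and the second answer's warning ("broken for some addresses") both come down to prefix arithmetic, which the standard library can do for you. An added example, not from either answer: it parses each VPC CIDR strictly first, so a block with host bits set such as 172.31.21.0/16 is flagged rather than silently widened to 172.31.0.0/16; it reports which pairs of VPCs overlap (a peering connection is refused only between the two VPCs of a pair whose blocks overlap, so Account A can still peer with VPC 2 even though it collides with VPC 1); and it shows which routes in a table would be shadowed by a more specific prefix pointing at a different target. The VPC names and the route targets are placeholders.

```python
import ipaddress

def parse_cidr(cidr):
    """Strict parse first: '172.31.21.0/16' has host bits set and is not a valid
    network, which is the point of the '/16 or /24?' question. Returns (network, note)."""
    try:
        return ipaddress.ip_network(cidr), None
    except ValueError:
        net = ipaddress.ip_network(cidr, strict=False)
        return net, "%s has host bits set; as a network it is %s" % (cidr, net)

def overlapping_pairs(vpcs):
    """vpcs: {name: cidr}. Returns (pairs that cannot be peered with each other, notes).
    Peering is refused only between the two VPCs of a pair whose CIDRs overlap;
    an overlap with a third VPC does not block that pair."""
    parsed = {name: parse_cidr(cidr) for name, cidr in vpcs.items()}
    names = sorted(parsed)
    pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
             if parsed[a][0].overlaps(parsed[b][0])]
    notes = [note for _, note in parsed.values() if note]
    return pairs, notes

def route_shadowing(routes):
    """routes: {destination_cidr: target}. Returns (more_specific, broader) pairs
    where a narrower route carves addresses out of a broader one that points at a
    different target: longest-prefix match wins, so the broader target loses
    exactly those addresses (the 'broken for some addresses' case)."""
    nets = {ipaddress.ip_network(c, strict=False): t for c, t in routes.items()}
    out = []
    for a, target_a in nets.items():
        for b, target_b in nets.items():
            if a != b and target_a != target_b and a.subnet_of(b):
                out.append((str(a), str(b)))
    return sorted(out)

# The question's layout (names are placeholders).
VPCS = {"A": "172.31.21.0/16", "B-VPC1": "172.31.0.0/16",
        "B-VPC2": "172.32.0.0/16", "B-VPC3": "172.30.0.0/16"}
# Hypothetical route table of B-VPC2 if A were really a /24 and both A and
# VPC1 were peered to it (pcx IDs are placeholders).
VPC2_ROUTES = {"172.32.0.0/16": "local", "172.31.0.0/16": "pcx-to-vpc1",
               "172.31.21.0/24": "pcx-to-a"}

if __name__ == "__main__":
    print(overlapping_pairs(VPCS))                              # A collides with B-VPC1 only
    print(overlapping_pairs(dict(VPCS, A="172.31.21.0/24")))    # still collides, no note
    print(route_shadowing(VPC2_ROUTES))                         # the /24 shadows the /16
```

With the question's numbers, Account A's VPC collides with VPC 1 only, so a peering connection from A to VPC 2 is possible; whether it is useful depends on VPC 2's route table, where a 172.31.21.0/24 route towards A would steal those addresses from a 172.31.0.0/16 route towards VPC 1, and a 172.31.21.0/16 route is not a route at all.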
If only 1 server connection is required, you can set up an EC2 instance and attach an EIP. Then use that EC2 as an SSH tunnel that connects to the RDS. Then another VPC can connect to the EC2 secure tunnel.
(Background info)
VPCs are virtually isolated, even within the same AWS account.
Connecting VPC A to VPC B is NOT POSSIBLE, unless you
i. Set up AWS VPC PEER, or
ii. assign EIP to the resource you want to connect, then everyone connect through the public IP, or
iii. Create some sort of VPN routing.
However, in case of i, iii because both your account A and B are using 172.31.X.X/16, VPC peering will NOT work, and even a VPN setup will fail due to the same IP network subnet being used.
Nevertheless, you may use NAT to share particular resources using VPN, but it will be a "limited VPN".
In addition, you cannot use AWS NAT gateway features for NAT, because that service is only meant for NAT connections from a VPC private network to the internet.
You can checkout AWS this link for example of multiple VPC peer connection.