I have an application on Elastic Beanstalk, single instance (we have not used a load balancer). And we also have our newly created RDS (RDS created separately, not with Elastic Beanstalk). Both are in the same VPC but in different security groups.
Now, as per this tutorial from AWS - check here. I have added Elastic Beanstalk's security group to RDS's group as an inbound rule. Now the documentation asks to do the same on Elastic Beanstalk. But the problem is that if I apply the configuration changes, it causes the instance to be terminated and recreated.
I am not bothered about the recreation, but the problem is that it deletes all installed repos and configuration (certbot and other repos). It's not good, we believe.
So is there any way to connect this without adding the RDS security group to the Elastic Beanstalk security group, without terminating and recreating the instance?
Should I edit Elastic Beanstalk's security group and add a Postgres inbound rule, like I did with RDS? Please advise.
Related
It seems something has changed with the Elastic Beanstalk Security Group handling. Tonight at UTC 00:00 the webserver lost the connection with the RDS.
I logged in to the EC2 console, and everything looks good: the security group that belongs to the RDS instance has an Inbound rule that accepts the MySQL port to the security group that's been selected in the Elastic Beanstalk config.
When I set the RDS Security Group Inbound Rule to Anywhere the webserver and the RDS server can connect. When I add the rule back for the EB's security group the webserver can't connect to the RDS anymore.
This has worked for years, nothing has changed, it just doesn't work anymore and I can't find the solution.
Any suggestions?
I have an elastic beanstalk application connected to RDS, and at random times it terminates the current instance, creates a new instance and that makes it lose connection to the database. How can I solve this issue?
For the security group attached to the RDS server, in the "Source" field, instead of specifying the IP address of the current Elastic Beanstalk server which is subject to change, specify the security group ID that Elastic Beanstalk is assigning to the servers it creates.
This way any EC2 server created by Elastic Beanstalk will be granted access to the RDS instance because the EC2 server will belong to a security group that has been granted access by the RDS security group.
This might be a duplicate of this post, but I wanted a separate question for my specific situation, because none of the answers found on Stack Overflow have helped me so far.
I created an Elastic Beanstalk instance a while ago, complete with RDS instance, by following along with the Setup Wizard. But when I now try to upload new code to it I get the following error:
Environment update is starting.
Environment health has transitioned from Ok to Info. Application
update in progress (running for 2 seconds).
Service:AmazonCloudFormation, Message:Stack named
'awseb-e-gmz62hycax-stack' aborted operation. Current state:
'UPDATE_ROLLBACK_IN_PROGRESS' Reason: null
Updating RDS database named: xxxxxxxxxxxxxx failed Reason: DB Security
Groups can no longer be associated with this DB Instance. Use VPC
Security Groups instead.
In the Configuration section of the Elastic Beanstalk, under Security or Database I can't find any setting for DB Security Groups.
If I go to the RDS instance that this Elastic Beanstalk is using, under the Security group rules I see two Security Group - Inbound rules.
One with a name like:
awseb-e-abcde12345-stack-AWSEBSecurityGroup-123456ABCDE (sg-1234abcd)
And the other with a name like:
rds-awseb-e-abcde12345-stack-awsebrdsdbsecuritygroup-1234567abcdef-abcd (sg-4321dcba)
And the rest is all: CIDR/IP - Inbound.
Am I to remove/replace these Security Group - Inbound rules with VPC rules? Do I need to completely build a new Elastic Beanstalk, with other rules? And especially how to do this.
Also, all the security groups associated with this elastic beanstalk and RDS appear in the Security Groups section of the VPC Dashboard: https://eu-west-1.console.aws.amazon.com/vpc/home?region=eu-west-1#securityGroups:.
I am at a loss here. It feels like this should be very straightforward, since I created this with the Setup Wizard from AWS, but I can't figure it out. Anyone with some idea, please comment or answer, thanks!
The error clearly says, DB Security Groups can no longer be associated with this DB Instance.
Earlier, RDS used a separate security group called the DB security group. Now everything has moved to VPC security groups. If you are using an older AWS account, you can still see the DB security groups, but they are not working now. So use a VPC security group instead.
Best practice:
Launching RDS via Elastic Beanstalk or CloudFormation is not a good practice (particularly for production), because when you delete the CF template it'll remove all of your resources, including the DB. And Beanstalk will also do the same on a new deployment.
I have an RDS database running (postgres) that I'm now trying to connect to an Elastic Beanstalk application. The connection times out.
I am guessing this has something to do with the VPC and security groups, but AWS continues to confuse me here and I'm kind of new to this. I'm trying to follow this guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
When I try to add the rds_launch_wizard security group to the EB instance, it tells me that the security group is not found. rds_launch_wizard is in a VPC, whereas the EB application is not.
I have tried going into the EB configuration, choosing Instance and trying to add a security group:
By name, this pops up an error saying that "I cannot add groups by name".
By group ID, this tells me group sg-xxxxx not found.
Similarly, I can't add the EB security group to RDS, as this is also not found.
How do I get the two talking to each other?
You have two options:
Move the EB environment into the VPC
Enable ClassicLink so that your EC2 Classic instances inside your EB environment can talk to the VPC.
ClassicLink is the obvious quick fix, but I think you will eventually want to move everything into a VPC. The VPC is more secure and there are quite a few features and services now on AWS that require a VPC.
When creating an application in Amazon Elastic Beanstalk, you have the option of creating a new Amazon RDS database instance. Is it possible to associate an existing RDS database instance with an Elastic Beanstalk application?
If you want to share an RDS instance between multiple applications, the best thing to do is set that up independent of your beanstalk application.
Set up privs for each application and configure each application to use the RDS instance.
You will probably have to manually configure your application security group to access the database instance.
I was facing the same issue and fixed it using the following steps:
1) Go to the EC2 instance and note your security group, for example "sg-121212121212"
2) Go to the RDS Security Group and inbound traffic
3) Edit the rule, select all traffic and add your new ebs security group "sg-121212121212"
Hope it will be helpful
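The rule the answers above describe (the RDS security group admitting the Elastic Beanstalk security group as its source, instead of an instance address or Anywhere) can be checked against `aws ec2 describe-security-groups` output. This is an added example, not code from any of the posts; the group IDs, addresses and function names are constructed, and it also reports a group-source rule that is wider than the database port.

```python
# Constructed sample shaped like one entry of `aws ec2 describe-security-groups`
# output for the RDS security group. All IDs and addresses are made up.
EB_SG = "sg-11111111"   # assumed ID of the Elastic Beanstalk instance group
RDS_SG = {
    "GroupId": "sg-22222222",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": EB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": EB_SG}]},
    ],
}

def covers(perm, port):
    """True if the rule admits TCP traffic to `port` ("-1" = all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_db_ingress(sg, app_sg_id, db_port):
    """Return (reachable_via_group, findings) for app group -> database port."""
    reachable, findings = False, []
    for perm in sg.get("IpPermissions", []):
        if not covers(perm, db_port):
            continue
        exact = (perm["IpProtocol"] == "tcp"
                 and perm.get("FromPort") == perm.get("ToPort") == db_port)
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id:
                reachable = True  # holds for any instance placed in that group
                if not exact:
                    findings.append(f"{app_sg_id}: allowed beyond tcp/{db_port}")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                findings.append(f"{cidr}: database port open to anywhere")
            else:
                findings.append(f"{cidr}: address-based source, not the app group")
    return reachable, findings

if __name__ == "__main__":
    ok, issues = audit_db_ingress(RDS_SG, EB_SG, 5432)
    print("reachable via security group reference:", ok)
    for issue in issues:
        print(" -", issue)
```
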
A single database can only be used with one Elastic Beanstalk environment. Although, it can be moved between environments.
Also important to remember that a clone operation doesn't clone the database.