RDS database is not showing on EC2 instance - amazon-web-services

I have an RDS database with status Running; however, it is not showing in my EC2 Security Groups. The only instances showing are:
default VPC security group
Security Group for Elastic Beanstalk
Elastic Beanstalk created security group
Why is the RDS database not showing in the EC2 Security Groups?
RDS settings:

The typical security setup would be:
A Security Group on the Amazon EC2 instances created by Elastic Beanstalk (App-SG) with adequate inbound rules for users to access the app (or perhaps from a Load Balancer -- I'll assume you have that configured correctly)
A Security Group on the Amazon RDS database (DB-SG) with an inbound rule that permits access from App-SG on the database port
That is, DB-SG should specifically reference the App-SG in its inbound rules. This will give permission for any of the EC2 instances to connect to the database.
Feel free to create new Security Groups with appropriate names and rules, then associate those Security Groups with the EC2 instances (via Elastic Beanstalk) and the database. You do not need to keep using the Default security group.

Related

AWS Security Group Puzzle

I have an AWS Security group that I use for my RDS Instances.
I also have an AWS Security group that I use for my EC2 Instances.
I have it set up so the security group for the EC2 instances is used as Ingress for the security group I use for the RDS instances.
From my EC2 instances, I can use mysql commands to access the RDS instances without a problem.
However, if I try to use a PHP Script with MySQLi to access the RDS instance, it fails to connect.
If I add the actual AWS IP address of the EC2 instance as Ingress to the RDS Security group, then the PHP script using MySQLi works fine.
Any idea why this is the case?
More details:
Both RDS and EC2 security groups are on the same VPC.
Software is connecting fine when the EC2 private address is added with no other changes.
This is why the behavior is puzzling.
The typical security configuration would be:
A Security Group on the Amazon EC2 instance (App-SG) with desired Inbound permissions and default 'Allow All' Outbound permissions
A Security Group on the Amazon RDS database (DB-SG) that permits inbound access on port 3306 (MySQL) from App-SG
That is, the DB-SG specifically references App-SG in its Inbound rules.
The software on the EC2 instance should refer to the RDS database via its DNS Name, which will resolve to a private IP address (assuming that the EC2 instance and RDS database are in the same VPC).
If your configuration works with the mysql command on the EC2 instance, then it should also work for MySQLi access since they would both be connecting to the same destination DNS name on the same port (3306).

How can I ensure my Redis and RDS is accessible only for dynamic instances (AWS Autoscaling)

I have hosted my Magento 2 site in AWS auto-scaling and am using Redis/ElastiCache and RDS. How can I ensure my Redis and RDS are accessible only from the dynamic instances created by auto-scaling?
You can put Redis/ElastiCache and RDS inside a security group and configure that Security Group's inbound rule to only allow traffic from the Security Group of the instances in the AWS Auto Scaling group.
Something like what is shown in the picture below. Configuring a Security Group's inbound rule to allow traffic from a different Security Group restricts all other traffic from entering, except from the configured Security Group.
More details can be found below:
Security Group for ElastiCache
RDS Security Group

How can I connect to Amazon RDS instance from Amazon EC2 instance

I have set an Amazon EC2 instance and an Amazon RDS instance. These two instances are both available.
I tried to connect to the RDS instance from my localhost, and I succeeded:
(I'm sorry that the picture's content is in Chinese, but the content in the red border means "success".)
In a word, when I used my localhost, I can connect to the RDS instance that I just set successfully.
But when I tried to use the EC2 instance to connect to the same RDS instance with Oracle SQL Developer, I CANNOT EVEN CONNECT TO IT.
The error message is:
The Network Adapter could not establish the connection
How can I solve this issue?
Update:
My Security Group is:
The security groups match the AWS EC2 instance's PRIVATE IP.
This answer is not necessarily a fix for your situation, but rather a recommendation about how to configure a security group.
Rather than using IP addresses within a security group, it is better to refer to another security group.
The configuration would be:
EC2-SG security group: Attach this to your EC2 instance. Allow access on desired ports (eg port 80).
RDS-SG security group: Attach this to your RDS instance. Allow access from EC2-SG on desired port (eg port 3306).
This way, the RDS-SG will permit access from any EC2 instance associated with the EC2-SG security group. This will continue to work even if IP addresses change or additional EC2 instances are launched with the same EC2-SG.
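An added audit script (not part of the answer above) that checks a set of security groups in the shape of `aws ec2 describe-security-groups` output for the EC2-SG/RDS-SG pattern this answer recommends: it flags IP-based ingress on the database port, confirms group-to-group references, and reports when a referenced group sits in a different VPC than the database group. The group ids, names and addresses are constructed sample values.

```python
"""Audit a database security group for the recommended pattern: the DB group
should admit the database port only from the application group, not from
IP addresses. Input mirrors `aws ec2 describe-security-groups` (constructed)."""

# Constructed sample: EC2-SG (app) and RDS-SG (db) in one VPC. Ids are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa0001", "GroupName": "EC2-SG", "VpcId": "vpc-0001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-bbbb0002", "GroupName": "RDS-SG", "VpcId": "vpc-0001",
     "IpPermissions": [
         # Good: references the app group on the MySQL port.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-aaaa0001"}]},
         # Brittle: one instance's private IP; breaks when instances are replaced.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.1.25/32"}], "UserIdGroupPairs": []},
     ]},
]

def audit_db_group(groups: list[dict], db_group_id: str, db_port: int) -> list[str]:
    """Return human-readable findings for ingress rules covering db_port on db_group_id."""
    by_id = {g["GroupId"]: g for g in groups}
    db = by_id[db_group_id]
    findings = []
    for rule in db.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        # "-1" means all protocols and ports; otherwise the range must cover db_port.
        if proto != "-1" and not (rule.get("FromPort", 0) <= db_port <= rule.get("ToPort", 65535)):
            continue
        for r in rule.get("IpRanges", []):
            cidr = r["CidrIp"]
            sev = "CRITICAL" if cidr == "0.0.0.0/0" else "WARN"
            findings.append(f"{sev}: port {db_port} open to CIDR {cidr}; reference the app SG instead")
        for pair in rule.get("UserIdGroupPairs", []):
            src = by_id.get(pair["GroupId"])
            if src is None:
                findings.append(f"WARN: source {pair['GroupId']} not found in this listing")
            elif src.get("VpcId") != db.get("VpcId"):
                # A VPC group cannot reference a non-VPC group (or one in another VPC).
                findings.append(f"ERROR: source {pair['GroupId']} is not in the VPC of {db_group_id}")
            else:
                findings.append(f"OK: port {db_port} admitted from {src['GroupName']} ({pair['GroupId']})")
    return findings

if __name__ == "__main__":
    for line in audit_db_group(SAMPLE_GROUPS, "sg-bbbb0002", 3306):
        print(line)
```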

Why does Elastic Beanstalk create two security groups?

I am trying to deploy Spring Boot Application with AWS Elastic Beanstalk. Instead of using default settings for the environment, I modified something under "VPC". After picking availability zone and one of the security groups for the VPC, I created the environment.
However when I looked at the instance detail after it is created, I noticed it is tied to two security groups. Other than the one I chose sg-98c031f3, it has another newly-generated security group sg-72b94919.
Why does it create two security groups for the environment when I selected only one group? Is there a way to remove one of them since one security group is enough to handle all the rules.
Elastic Beanstalk will always create and utilize one security group that gets attached to the EC2 instance. This group is managed by Elastic Beanstalk and its primary purpose is to allow inbound connections from your load balancer.
(It also has a secondary purpose of allowing inbound SSH connections if you have selected a keypair for your EC2 instances)
Elastic Beanstalk allows you to select 0 or more additional security groups to attach to your EC2 instances. Note that you do not need to select any security groups if you don't want to. This is so that you can add additional inbound/outbound rules for your EC2 instances without needing to modify the EB-managed one.
Some reasons why you might want to add additional security groups:
To allow more inbound ports (for example, RDP)
To allow outbound network connections (for example, NTP)
To act as sources and targets for other security group rules (for example, allow connections from your selected security group into your RDS instances)

Allow EC2 Security Group access from Beanstalk Security Group

I have an Amazon Beanstalk Load Balancer set up which adds / removes EC2 servers as needed. The security group for this load balancer is called prod-sc.
I also have an Amazon EC2 instance using security group elasticsearch-sc.
Now I need elasticsearch-sc to allow port 9200 to be accessed from prod-sc.
However, every time I try to configure this in elasticsearch-sc by providing the prod-sc Group ID, I get an error saying
Could not update your security group rules (No changes were made): You may not define rules between a VPC group and a non-VPC group.
How can I give prod-sc access to elasticsearch-sc?
Can you try creating elasticsearch-sc as a VPC security group?
Read the guide for more details.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
http://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html