Troubleshooting Lambda to RDS connection with VPC peering - amazon-web-services

My AWS Lambda function times out when it tries to connect to an RDS instance in another VPC. The VPCs are peered.
Things I have checked:
Lambda is inside the correct VPC
RDS is inside the other VPC
RDS exists in subnets that are peered
VPC Peering is "accepted"
Lambda security group has ingress permission on correct port (5432) to RDS security group
Lambda security group has egress permission to anywhere on any port
Route table entries exist from Lambda VPC subnets to peering
Route table entries exist from RDS VPC subnets to peering
What else can I check / leverage to fix this connectivity issue?
Update
DNS hostnames and DNS resolution are enabled for both VPCs
Update
I tried the following:
Create EC2 instance on same subnet as Lambda
Assign lambda SG to the EC2
SSH connect to EC2
telnet to RDS:
telnet rds.xxxxxxxxxx.eu-west-2.rds.amazonaws.com 5432
Trying 10.11.65.225...
Connected to rds.xxxxxxxxxx.eu-west-2.rds.amazonaws.com.
Escape character is '^]'.
^CConnection closed by foreign host.
So the EC2 can connect. Therefore the issue must be with the lambda.
What can I try next?

The issue in my case (maybe yours too?) was that the query was timing out, not the connection attempt. You can test this by changing the query to SELECT 1 AS x or similar. The solution is to optimize the query so that it can run in reasonable time.
The trick of launching an EC2 with similar settings to the Lambda and connecting via SSH is a good one.
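The answer's point is that a "Lambda times out" symptom has two different causes that look the same from the function's logs: the TCP path is blocked, or the path is fine and the query itself runs past the deadline. The following added example (not code from the question or the answer above) separates the two stages: stage 1 attempts only a TCP handshake with a short deadline, and stage 2 runs `SELECT 1 AS x` through a caller-supplied driver wrapper with its own deadline. The local listener, the deliberately closed port and the `slow_query` fake driver are constructed stand-ins so the module runs offline; in a real function you would pass the RDS endpoint and a wrapper around your actual driver (psycopg2, pymysql, ...).

```python
"""Staged diagnosis for a Lambda-to-RDS timeout (added example, constructed data).

Stage 1: bare TCP handshake with a short deadline. Failure here points at the
network path (routes, security groups, NACLs, peering), not at the database.
Stage 2: a trivial query through a caller-supplied callable with its own
deadline. Failure here points at the database or the real query instead.
"""
import socket
import threading
import time


def tcp_reachable(host, port, timeout=3.0):
    """Stage 1: TCP handshake only; no database protocol is spoken."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "tcp handshake completed"
    except socket.timeout:
        return False, "tcp connect timed out: check routes, SGs, NACLs, peering"
    except OSError as exc:
        return False, f"tcp connect failed: {exc}"


def diagnose(host, port, run_query, connect_timeout=3.0, query_timeout=5.0):
    """Classify the failing stage as 'network', 'query' or 'ok'.

    run_query(sql, timeout) wraps the real driver and must raise on error or
    when the statement exceeds `timeout` seconds (e.g. via statement_timeout).
    """
    ok, detail = tcp_reachable(host, port, connect_timeout)
    if not ok:
        return {"stage": "network", "detail": detail}
    started = time.monotonic()
    try:
        run_query("SELECT 1 AS x", query_timeout)
    except Exception as exc:  # driver exception types differ; the stage is what matters
        return {
            "stage": "query",
            "detail": f"{type(exc).__name__}: {exc}",
            "elapsed_s": round(time.monotonic() - started, 2),
        }
    return {"stage": "ok", "detail": "network path and trivial query both succeeded"}


# --- constructed stand-ins so the example runs without AWS access -----------

def start_local_listener():
    """Accept one connection on 127.0.0.1; stands in for a reachable RDS endpoint."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port():
    """Reserve and release a port so a connect to it is refused; stands in for a blocked path."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def slow_query(sql, timeout):
    """Fake driver wrapper whose statement never finishes inside its deadline."""
    raise TimeoutError(f"{sql!r} exceeded {timeout}s")


def demo():
    """Run both scenarios and return the stage each one is attributed to."""
    return {
        "reachable_but_slow_query": diagnose("127.0.0.1", start_local_listener(), slow_query)["stage"],
        "blocked_path": diagnose("127.0.0.1", closed_local_port(), slow_query)["stage"],
    }


if __name__ == "__main__":
    print(demo())
```

Keep the two deadlines well inside the function's configured timeout, otherwise Lambda kills the invocation before `diagnose` can report which stage failed and you are back to an uninformative timeout.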

Related

How to connect my AppRunner instance to RDS?

I've configured RDS with the suggested defaults and no public access.
Then I put my AppRunner instance in the same security group as RDS by creating a VPC connector. I can see the same VPC and subnets listed on both sides yet I somehow don't have a connection to RDS still (my AppRunner instance can't connect). What am I doing wrong? Isn't it enough to put them in the same security group and VPC?

EC2 instance will not connect to DocumentDB in different AZ. Why?

I have set up a documentdb cluster in us-east-1. I am attempting to connect via an EC2 instance in us-west-1. I have set up connection peering with the VPC in us-west-1 having a CIDR of 172.31.0.0/16 and the VPC in us-east-1 having a CIDR of 172.32.0.0/16. Connection peering is established and active. When I attempt to connect to the documentdb from mongo shell from the EC2 instance, I get the exception:
connecting to: mongodb://cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017/?gssapiServiceName=mongodb
2020-07-15T00:50:16.004+0000 W NETWORK Failed to connect to 172.32.83.229:27017 after 5000ms milliseconds, giving up.
2020-07-15T00:50:16.004+0000 E QUERY Error: couldn't connect to server cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017, connection attempt failed :
connect#src/mongo/shell/mongo.js:263:13
#(connect):1:6
exception: connect failed
The security group attached to the us-east-1 VPC is set to allow all IP addresses and all ports, so that doesn't seem to be the issue.
So.... why the failure to connect? Anything I missed?
VPC peering does not implicitly handle reverse-path routes for return traffic, so you need to add routes to both VPCs.
You need routes in the tables of VPC A sending b.b.b.b/x over the peering connection and you need routes in VPC B to send a.a.a.a/y traffic over the peering connection, regardless of which end originates the traffic.
The owner of the peer VPC must also complete these steps to add a route to direct traffic back to your VPC through the VPC peering connection.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html
I would take a look at the route tables in the VPC for us-west-1. Make sure there is a record that sends 172.32.0.0/16 through the VPC peering.

Unable to access amazon RDS mysql instance from lightsail instance

I am new to AWS and not a network admin, merely a developer, and need your help.
I am unable to connect to my AWS RDS (MySQL) from my Lightsail Ubuntu instance. When trying to connect, it just waits for a minute and then fails.
I am unable to ping my RDS either.
Here is the setup:
The Lightsail instance has VPC peering enabled in lon-zone-A.
I have created a MySQL RDS instance in AWS and used default VPC peering. MySQL is restricted to the VPC and uses the default security group, which has an inbound rule: All traffic, source = default security group.
The default VPC has 2 subnets with CIDRs 172.31.16.0/20 and 172.31.0.0/16 for the two availability zones A and B.
In the route table of the subnet, I have
172.26.0.0/16 as destination and target = VPC peering, which further has
Requester VPC CIDRs 172.26.0.0/16
Accepter VPC CIDRs 172.31.0.0/16
My Lightsail instance has private IP 172.26.15.xxx and is in lon-Zone-A.
When I ping my MySQL instance, I get IP 172.31.10.9.
Command used to connect: mysql -h xxxxxx.xxxxx.eu-west-2.rds.amazonaws.com -P 3306 -u db_master_username -p
Access from AWS Lightsail to AWS RDS can be enabled in two separate ways:
Method 1.
Make RDS publicly accessible.
In RDS pick your instance and click 'Modify'. In the section 'Network & Security' set 'Publicly accessible' to Yes. Apply the settings and wait until they are effective. Your RDS has a public IP now.
Add your Lightsail public IP to the RDS security group inbound traffic.
Use CIDR: x.x.x.x/32 where x.x.x.x is your Lightsail instance public IP.
Method 2. (better, RDS with no public IP)
Make sure your Lightsail instance is in the same Availability Zone as RDS.
Set up VPC peering between the Lightsail VPC and the Amazon VPC.
Add your Lightsail local IP to the RDS security group inbound traffic.
I managed to solve it.
I had to add my Lightsail instance IP CIDR in the RDS inbound rule as MySQL/Aurora TCP allowed traffic.
:-)

EC2 instance can't access to elasticache

As the title suggests, I'm struggling to connect to my ElastiCache instance via my EC2 instance. I have an ORM to connect to Redis in my EC2 instance that was just failing in my logs, so I SSHed into my EC2 instance to try to manually connect to the Redis instance and got a timeout:
Could not connect to Redis at <redis uri>: Connection timed out
They're in different VPCs (the ElastiCache instance and the EC2 instance), but in my ElastiCache instance's security group, I have a custom TCP inbound rule at port 6379 from any source.
Halp.
You set up the security rule, but did you set up the VPC peering properly?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html
After you create the VPC peering connection, you also need to modify the routing table.
Keep in mind that you need to modify BOTH of the routing tables.
Also you need to add CIDR of the local VPC.
It can be confusing which is "local" VPC and which is "target".
In my case, the local VPC contained EC2 instances that needed the Redis database in the other VPC. After creating a peer connection in this format, I needed to do two things:
edit routing table for both local and target VPC.
edit security group of Redis database to accept connections from local VPC.
If set accordingly, you should be able to connect from an EC2 instance in the local VPC to the Redis database in the target VPC.
Here is documentation from AWS that is relatively easy to follow:
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-pg.pdf
Your scenario can be found on page 16.

Connecting to Elasticache Redis Cluster from Peered VPC

I have a corporate setup that primarily has 2 peered VPCs at the moment. We want to provision ElastiCache (for Redis) so that 2 EC2 IIS web servers (one in each of the two VPCs) can connect to the same ElastiCache cluster. Is this possible?
Currently I can successfully connect to the cluster from the EC2 instance that is in the same VPC that the ElastiCache cluster was provisioned in, but the other EC2 instance in the peered VPC cannot connect.
I tried allowing all access through security groups, turned off firewalls, etc., but nothing works.
Any help you can provide would be greatly appreciated.
We encountered the same issue and it turned out that the route table configuration was not properly set in our case.
The route table for the ElastiCache subnet needs to have the config below.
Destination -> IP address range for client EC2 instance subnet
Target -> peering connection ('pcx-xxxxx')
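Three of the answers above (the DocumentDB one on routes in both VPCs, the Lightsail one on the security-group inbound rule, and the two ElastiCache ones) come down to the same two checks, which are easy to get half right: every route table on both sides of the peering must send the peer's CIDR to the `pcx-` target, and the database security group must admit the client on the database port. The following added example (not code from any answer and not an AWS tool) performs both checks over dictionaries shaped like the `Routes` and `IpPermissions` entries that boto3's `describe_route_tables` and `describe_security_groups` return, so the same functions can be fed real responses. The route tables, CIDRs and security group below are constructed, and the `pcx-`, `rtb-` and `sg-` ids are placeholders.

```python
"""Peering route and security-group checks (added example, constructed data)."""
import ipaddress


def missing_peer_routes(route_tables, peer_cidr, pcx_id):
    """Return ids of route tables with no active route covering peer_cidr via pcx_id."""
    peer = ipaddress.ip_network(peer_cidr)
    missing = []
    for table in route_tables:
        covered = any(
            route.get("VpcPeeringConnectionId") == pcx_id
            and route.get("State", "active") == "active"
            and peer.subnet_of(ipaddress.ip_network(route["DestinationCidrBlock"]))
            for route in table["Routes"]
            if "DestinationCidrBlock" in route
        )
        if not covered:
            missing.append(table["RouteTableId"])
    return missing


def check_peering_routes(vpc_a_cidr, vpc_a_tables, vpc_b_cidr, vpc_b_tables, pcx_id):
    """Both directions are required: A -> B carries the request, B -> A the reply."""
    return {
        "a_tables_missing_route_to_b": missing_peer_routes(vpc_a_tables, vpc_b_cidr, pcx_id),
        "b_tables_missing_route_to_a": missing_peer_routes(vpc_b_tables, vpc_a_cidr, pcx_id),
    }


def sg_admits(security_group, port, client_ip):
    """True if an ingress rule allows TCP `port` from client_ip by CIDR.

    Rules that reference another security group (UserIdGroupPairs) are not
    resolved here; they only match if the client ENI actually carries that group,
    which is the usual surprise when "same security group" does not work.
    """
    ip = ipaddress.ip_address(client_ip)
    for perm in security_group["IpPermissions"]:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


# Constructed data: a Lightsail-style VPC A (172.26.0.0/16) peered with a default
# VPC B (172.31.0.0/16) that has one correctly configured subnet table and one
# that never received the return route.
PCX = "pcx-0placeholder"
VPC_A_CIDR, VPC_B_CIDR = "172.26.0.0/16", "172.31.0.0/16"
VPC_A_TABLES = [
    {"RouteTableId": "rtb-a-main", "Routes": [
        {"DestinationCidrBlock": VPC_A_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": VPC_B_CIDR, "VpcPeeringConnectionId": PCX, "State": "active"},
    ]},
]
VPC_B_TABLES = [
    {"RouteTableId": "rtb-b-az-a", "Routes": [
        {"DestinationCidrBlock": VPC_B_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": VPC_A_CIDR, "VpcPeeringConnectionId": PCX, "State": "active"},
    ]},
    {"RouteTableId": "rtb-b-az-b", "Routes": [
        {"DestinationCidrBlock": VPC_B_CIDR, "GatewayId": "local", "State": "active"},
    ]},
]
RDS_SG = {"GroupId": "sg-rds-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": VPC_A_CIDR}], "UserIdGroupPairs": []},
]}


def report():
    """Run both checks over the constructed data and return the findings."""
    findings = check_peering_routes(VPC_A_CIDR, VPC_A_TABLES, VPC_B_CIDR, VPC_B_TABLES, PCX)
    findings["sg_admits_client_3306"] = sg_admits(RDS_SG, 3306, "172.26.15.10")
    findings["sg_admits_client_5432"] = sg_admits(RDS_SG, 5432, "172.26.15.10")
    return findings


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A table listed under `b_tables_missing_route_to_a` is exactly the "forgot the second subnet" case from the Lightsail question: the request reaches the database, the reply has no route back, and the client sees a timeout rather than a refusal. Feed the functions the `RouteTables` and `SecurityGroups` lists from real API responses to run the same checks against an account.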