I'm trying to connect to my aurora serverless but every time I try to do it I receive this error:
2021/03/18 17:10:00 error verifying database connection is alive: dial tcp 10.247.15.113:3306: connect: operation timed out exit status 1
I created a VPC, subnets and security groups.
VPC -> 10.247.0.0/20
4 Subnets -> 10.247.0.0/22, 10.247.8.0/22, 10.247.4.0/22 and 10.247.12.0/22
Security group -> Lives inside my VPC and as inbound has port SSH 22 for 0.0.0.0/0 and MYSQL/Aurora 3306 for my EC2 instance IP address. Outbound has all traffic
Using ssh in a database client works but inside my code I receive the error I mentioned, I also tried doing telnet and I receive another operation timed out.
I know this may be something related to the networking but not sure why since I can connect via ssh with an EC2 instance. What can it be?
Your guide is for RDS. It does not apply to Aurora Serverless (AS). Specifically AS can't be accessed from internet. So you can't connect to it directly from home:
You can't give an Aurora Serverless v1 DB cluster a public IP address. You can access an Aurora Serverless v1 DB cluster only from within a VPC.
You have to connect to it from within a VPC, e.g. EC2 instance, ECS container or a lambda function.
The only way to connect to it from home is to use RDS DataAPI, or setup ssh tunnel or VPN between your home network and your VPC.
Related
I want to test if my ec2 instance can connect to my database.
I ssh into my instance ran the command:
echo '\dS' |psql -h rds-endpoint-xxx.amazonaws.com 5432
the result I get is this:
psql: error: could not connect to server: Operation timed out
Is the server running on host "rds-endpoint-xxx.amazonaws.com" (192.168.12.233) and accepting
TCP/IP connections on port 5432?
What does this mean? and what should i do to fix?
My ec2 instance IP is 192.168.0.138 and in the security group of my rds database I have allowed inbound access from 192.168.0.0
Unless your two VPC are peered, you will not be able to access your RDS from the instance due to your security group (SG). Without peering, the connection from the instance to the rds will go over internet, and your SG does not allow internet connections.
To solve this, you either have to peer your VPCs, which you can't do right now as they have same CIDRs. For peering you need non-overlapping CIDRs for the VPC.
Alternative is to allow internet connections to your RDS, which means you need to allow incoming traffic (0.0.0.0/0) unless you have EIP for the instance. Also RDS must be set to be allow public connections.
I have set up a documentdb cluster in us-east-1. I am attempting to connect via an EC2 instance in us-west-1. I have set up connection peering with the VPC in us-west-1 having a CIDR of 172.31.0.0/16 and the VPC in us-east-1 having a CIDR of 172.32.0.0/16. Connection peering is established and active. When I attempt to
connect to the documentdb from mongo shell from the EC2 instance, I get the exception:
connecting to: mongodb://cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017/?gssapiServiceName=mongodb
2020-07-15T00:50:16.004+0000 W NETWORK https://forums.aws.amazon.com/ Failed to connect to 172.32.83.229:27017 after 5000ms milliseconds, giving up.
2020-07-15T00:50:16.004+0000 E QUERY https://forums.aws.amazon.com/ Error: couldn't connect to server cluster-name.cluster-uniquecode.us-east-1.docdb.amazonaws.com:27017, connection attempt failed :
connect#src/mongo/shell/mongo.js:263:13
#(connect):1:6
exception: connect failed
The security group attached to the us-east-1 VPC is set to allow all IP addresses and all ports, so that doesn't seem to be the issue.
So.... why the the failure to connect? Anything I missed?
VPC peering does not implictly handle reverse-path routes for return traffic, so tou need to add routes to both VPCs.
You need routes in the tables of VPC A sending b.b.b.b/x over the peering connection and you need routes in VPC B to send a.a.a.a/y traffic over the peering connection, regardless of which end originates the traffic.
The owner of the peer VPC must also complete these steps to add a route to direct traffic back to your VPC through the VPC peering connection.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html
I would take a look to the route tables in VPC for us-west-1. Make sure there is a record that sends 172.32.0.0/16 through the vpc peering.
I am trying set up eks with rds mysql. I used eksctl to setup the eks cluster and I did not change any default network configuration. eks and rds are using the same vpc.
This is the result in a debugging pod
telnet xx.rds.amazonaws.com 3306
Connected to xx.us-west-2.rds.amazonaws.com
J
8.0.16\#t'Ti1??]Gp^;&Aomysql_native_passwordConnection closed by foreign host
/ # nslookup xxx.us-west-2.rds.amazonaws.com
Server: 10.100.0.10
Address: 10.100.0.10:53
Non-authoritative answer:
xxx.us-west-2.rds.amazonaws.com canonical name = ec2-xx.us-west-2.compute.amazonaws.com
Name: ec2-xx.us-west-2.compute.amazonaws.com
Address: 192.168.98.108
nc -vz 192.168.98.108 3306
192.168.98.108 (192.168.98.108:3306) open
I used service mesh Istio I created a mysql client pod in a sidecar not enabled namespace I get an error message like following
Mysql client pod
ERROR 2002 (HY000) Can't connect to MySQL sever on xxxxx.us-west-2.rds.amazonaws.com.
I am new to vpc. rds and vpc are using the same vpc. they are connected within the private network?
If it says connection refused in my grpc server log, eks grpc server try to connect 192.168.98.108 and that is the private ip of the ads Do I need other configuration in vpc?. Any ideas? cheers
I did had the same scenario (RDS in the same VPC as the EKS cluster). What I did is as following:
I've created a Cloudformation template with which I created my custom VPC, 8 subnetes(3 public, 3 private for EKS cluster and 2 private networks for RDS database), internet gateway, NAT Gateway, route tables and routes.
Using eksctl with cluster configuration yaml I created the cluster and the node group. The node group joined my cluster.
Using aws cli, I've created the db-subnet-group (containing the 2 private DB subnet) and I also started and RDS instance. Then I've set up some security group to allow traffic to DB just from the 3 private subnets)
As reference to create my custom cloudformation template I used the template created by eksctl when running the create command with the flag --node-private-networking.
I have a AWS RDS instance (PSQL), which is public accessible. For testing I attached a Security group that has on port 5432 all access 0.0.0.0/0. My VPC has a Internet Gateway attached and has the following
192.168.0.0/16 local
0.0.0.0/0 igw-0f41c33417cbccb8c
If I try to connect to the instance I get a network timeout and it seems my request is blocked.
But I dont find anything else that should block the connection
If it helps the VPC and the subnets are default and created for eksctl the major adaption I made was attaching a Internet Gateway
From inside the VPC I can access the RDS instance from outside (eg my local machine I can't)
As the title suggests, I'm struggling to connect to my elasticache instance via my EC2 instance. I have a orm to connect to redis in my EC2 instance that was just failing on my logs, so I sshed into my EC2 instance to try to manually connect to the redis instance and got a timeout:
Could not connect to Redis at <redis uri>: Connection timed out
They're in different VPC's (the elasticache instance and the EC2 instance), but in my elasticache instance's security group, I have a custom TCP inbound rule at port 6379 from any source.
Halp.
You setup the security rule, but did you setup the VPC peering properly:
A VPC peering connection is a networking connection between two VPCs
that enables you to route traffic between them using private IP
addresses. Instances in either VPC can communicate with each other as
if they are within the same network. You can create a VPC peering
connection between your own VPCs, or with a VPC in another AWS account
within a single region.
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html
After you create VPC Peer connection, you also need to modify routing table.
Keep in mind that you need to modify BOTH of the routing tables.
Also you need to add CIDR of the local VPC.
It can be confusing which is "local" VPC and which is "target".
In my case, the local VPC contained EC2 instances that needed Redis database in other VPC. After creating peer connection in this format, I needed to do two things:
edit routing table for both local and target VPC.
edit security group of Redis database to accept connections from local VPC.
If set accordingly, you should be able to connect from EC2 instance at local VPC to Redis database in target VPC.
Here is documentation from AWS that is relatively easy to follow:
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-pg.pdf
Your scenario can be found on page 16.