I have an elastic beanstalk application connected to RDS, and at random times it terminates the current instance, creates a new instance and that makes it lose connection to the database. How can I solve this issue?
For the security group attached to the RDS server, in the "Source" field, instead of specifying the IP address of the current Elastic Beanstalk server which is subject to change, specify the security group ID that Elastic Beanstalk is assigning to the servers it creates.
This way any EC2 server created by Elastic Beanstalk will be granted access to the RDS instance because the EC2 server will belong to a security group that has been granted access by the RDS security group.
Related
I have a application on elastic beanstalk single instance ( we have not used loadblancer ). And we also have our newly created RDS ( rds created separately, not with elastic beanstalk ). Both are in same VPC but different security group.
Now as per this tutorial from aws - check here. I have added elastic beanstalks security group to rds's group as inbound rule. Now the documentation asks to do the same on elastic beanstalk. But the problem is that, if i apply the configuration changes then it cause to terminate the instance and recreate the instance.
Am not bothering about recreating, but the problem is that it deletes all installed repos and configuration ( certbot, and other repos ). Its not good we believe.
So is there any way to connect this without adding RDS security group to elastic beanstalk security group without terminating and recreating the instance ?
Should i edit elastic beanstalks security group and add Postgres inbound rule - like i did with rds ? Please advice.
I have a RDS databse with status as Running however it is now showing in my EC2 Security Groups. The only instances showing are:
default VPC security group
Securtiy Group for Elastic Beanstalk
Elastic Beanstalk created security group
Why is the RDS database not showing in the EC2 Security Groups?
RDS settings:
enter image description here
The typical security setup would be:
A Security Group on the Amazon EC2 instances created by Elastic Beanstalk (App-SG) with adequate inbound rules for users to access the app (or perhaps from a Load Balancer -- I'll assume you have that configured correctly)
A Security Group on the Amazon RDS database (DB-SG) with an inbound rule that permits access from App-SG on the database port
That is, DB-SG should specifically reference the App-SG in its inbound rules. This will give permission for any of the EC2 instances to connect to the database.
Feel free to create new Security Groups with appropriate names and rules, then associate those Security Groups with the EC2 instances (via Elastic Beanstalk) and the database. You do not need to keep using the Default security group.
I have 3 AWS Elastic Beanstalk instances which are running Spring microservices. All microservices are making POST requests to each other and using RDS service for database.
Should I isolate database traffic and microservices traffic into separate subnets?
In case it's a good practice is it possible to assign 2 private network IP's for each subnet for every AWS Elastic Beanstalk instance?
I think you cannot do it using EBS as the instances will auto create and terminate. So you should try to create instances separately and add autoscaling policy on it.
What I usually do is create my EC2 instances in Public subnet and RDS in private subnet and use RDS Security Group and add EC2 instance's Elastic IP, so that all the traffic is going through the EC2 instance and all the traffic coming to EC2 instance is HTTPS coming from ELB.
Adding the below steps as requested:
Ok, So I am assuming you already know a bit about how to create the servers and RDS etc.
Create an EC2 instance for each of your microservices.
Attach an EIP to each of these instances.
Add an Auto-Scaling policy to increase or decrease the instances based on the traffic/CPU Utilization. Make sure you terminate the newest created instance.
Add an ELB for this instance and add HTTPS/SSL certificate to secure your traffic.
Create RDS in a Private subnet and add instance EIP in RDS SG for 3306 port.
I think you should be able to do this then.
It's not a good practice to directly communicate between instances in EB. The reason is that that EB instances run in autoscalling group. So they can be terminated and replaced at any time by AWS leading to change in their private Ip addresses.
The change in IP will break your application sooner or later. Instances in EB should be accessed using Load Balancer or private IP.
So if you have some instances that are meant for private access only you could separate them to internal EB environment.
I'm new and trying to explore AWS and creating a test app running on IIS (EC2 set in Public) and MSSQL RDS(set in Private). However my IIS is not able to connect on the RDS. Looking on my IIS EC2 it has a defined private IP too, same subnet used also from RDS, security group of RDS allows the subnet of the EC2, IAM of EC2 also has RDS Full access.
But still my ec2 wont connect on the RDS. May I ask on what I'm missing on my settings?
It appears that your configuration is:
One VPC
A Public Subnet containing an Amazon EC2 instance
A Private Subnet containing an Amazon RDS for SQL Server instance
You are attempting to connect from the EC2 instance to the RDS db instance
For this to work, you should configure:
A Security Group (let's call it EC2-SG) that is associated with the EC2 instance, permitting connections such that you can login to the EC2 instance
A Security Group (RDS-SG) associated with the RDS db instance, with an incoming connection configured for SQL Server (port 1433) with source set to EC2-SG
That is, the database security group should ALLOW an incoming connection with a source of the security group that is associated to the EC2 instance. The VPC will automatically figure out the IP addresses — you do not need to specify them.
Then, connect from the EC2 instance to the RDS db instance via the DNS Name of the RDS instance that is given in the RDS console.
I have my MongoDB deployed in an EC2 instance, nice and steady. I will (hopefully) have my Elastic Beanstalk load-balanced Web App launched soon using Docker. However, I feel like my Database is too sensitive to dockerize or beastalk-ize, so I wanna keep it in a plain EC2 instance.
My issue is with regard to the security groups. How can I create a security group that will only accept MongoDB traffic (port 27017) from the Elastic Beanstalk? Since EC2 instances will get created and destroyed arbitrarily, maybe I can get the least-common subnet of those?
When you create your Elastic Beanstalk application, you will choose a security group to assign to it's EC2 instances.
For your MongoDB security group, allow traffic on port 27017 for the EB EC2's security group. If done this way, then only EC2 instances using that security group can access the MongoDB instance.
Note, when accessing your MongoDB instance from your EB app's EC2 instance, makes sure you use the private IP address of the MongoDB instance, and not the public IP address. If you use the public IP address, then AWS doesn't recognize the connection as originating from the EB security group and will deny the connection.