I have my MongoDB deployed in an EC2 instance, nice and steady. I will (hopefully) have my Elastic Beanstalk load-balanced Web App launched soon using Docker. However, I feel like my Database is too sensitive to dockerize or beastalk-ize, so I wanna keep it in a plain EC2 instance.
My issue is with regard to the security groups. How can I create a security group that will only accept MongoDB traffic (port 27017) from the Elastic Beanstalk? Since EC2 instances will get created and destroyed arbitrarily, maybe I can get the least-common subnet of those?
When you create your Elastic Beanstalk application, you will choose a security group to assign to it's EC2 instances.
For your MongoDB security group, allow traffic on port 27017 for the EB EC2's security group. If done this way, then only EC2 instances using that security group can access the MongoDB instance.
Note, when accessing your MongoDB instance from your EB app's EC2 instance, makes sure you use the private IP address of the MongoDB instance, and not the public IP address. If you use the public IP address, then AWS doesn't recognize the connection as originating from the EB security group and will deny the connection.
Related
I have 3 AWS Elastic Beanstalk instances which are running Spring microservices. All microservices are making POST requests to each other and using RDS service for database.
Should I isolate database traffic and microservices traffic into separate subnets?
In case it's a good practice is it possible to assign 2 private network IP's for each subnet for every AWS Elastic Beanstalk instance?
I think you cannot do it using EBS as the instances will auto create and terminate. So you should try to create instances separately and add autoscaling policy on it.
What I usually do is create my EC2 instances in Public subnet and RDS in private subnet and use RDS Security Group and add EC2 instance's Elastic IP, so that all the traffic is going through the EC2 instance and all the traffic coming to EC2 instance is HTTPS coming from ELB.
Adding the below steps as requested:
Ok, So I am assuming you already know a bit about how to create the servers and RDS etc.
Create an EC2 instance for each of your microservices.
Attach an EIP to each of these instances.
Add an Auto-Scaling policy to increase or decrease the instances based on the traffic/CPU Utilization. Make sure you terminate the newest created instance.
Add an ELB for this instance and add HTTPS/SSL certificate to secure your traffic.
Create RDS in a Private subnet and add instance EIP in RDS SG for 3306 port.
I think you should be able to do this then.
It's not a good practice to directly communicate between instances in EB. The reason is that that EB instances run in autoscalling group. So they can be terminated and replaced at any time by AWS leading to change in their private Ip addresses.
The change in IP will break your application sooner or later. Instances in EB should be accessed using Load Balancer or private IP.
So if you have some instances that are meant for private access only you could separate them to internal EB environment.
I have set an Amazon EC2 instance and an Amazon RDS instance. These two instances are both available.
I tried to connect to the RDS instance from my localhost, and I succeeded:
(I'm sorry about the picture's content is in Chinese, but the content in the red border means "success".)
In a word, when I used my localhost, I can connect to the RDS instance that I just set successfully.
But when I tried to use the EC2 instance to connect the same RDS instance with oracle sqldeveloper, I CANNOT EVEN CONNECT TO IT.
The error message is:
The Network Adapter could not establish the connection
How can I solve this issue?
Update:
My Security Group is:
The security groups match the AWS EC2 instance`s PRIVATE IP.
This answer is not necessarily a fix for your situation, but rather a recommendation about how to configure a security group.
Rather than using IP addresses within a security group, it is better to refer to another security group.
The configuration would be:
EC2-SG security group: Attach this to your EC2 instance. Allow access on desired ports (eg port 80).
RDS-SG security group: Attach this to your RDS instance. Allow access from EC2-SG- on desired port (eg port 3306).
This way, the RDS-SG will permit access from any EC2 instance associated with the EC2-SG security group. This will continue to work even if IP addresses change or additional EC2 instances are launched with the same EC2-SG.
I have an elastic beanstalk application connected to RDS, and at random times it terminates the current instance, creates a new instance and that makes it lose connection to the database. How can I solve this issue?
For the security group attached to the RDS server, in the "Source" field, instead of specifying the IP address of the current Elastic Beanstalk server which is subject to change, specify the security group ID that Elastic Beanstalk is assigning to the servers it creates.
This way any EC2 server created by Elastic Beanstalk will be granted access to the RDS instance because the EC2 server will belong to a security group that has been granted access by the RDS security group.
I have a web application launched using ElasticBeanstalk (EB) with load balancer, which instances may be added/removed based on the trigger.
Now I have a Redis server hosted on EC2 with port 6379 that I only want this very EB instances (all the instances launched by this EB) have access to that port.
EB has a security group (SG) called sg-eb and Redis has a SG called sg-redis.
All these are deployed under same VPC but may or may not be the same subnet.
How to I configure sg-redis so that all the instances under the EB have access to redis? I tried adding sg-eb to sg-redis allowing port 6379 but no luck. The only way I made it work was adding each instance's public IP to sg-redis so they have access. Though, if the load balancer adds/removes an instance, I'll need to manually configure sg-redis again.
Update #1
The Redis EC2 instance will have 2 IPs, one public and one private. You can find them when selecting the instance on the EC2 management console. Make sure you connect to that EC2 instance via this internal IP.
I have an application hosted on Amazon AWS with backend database. Web application is controlled by Elastic Load Balancer with Autoscaling. MySQL databse is on the other instance within the same zone. The problem is that connection could be established only if I add rule in MySQL security group to connect on 3306 from 0.0.0.0. or if I add individual IP address of each instance. However, if I assign "Autoscale security group" or "Load Balancer security group" it doesn't work. Isn't that supposed to work if I assign security group where instances belongs to the MySQL security group?
Thanks,
I've finally solved the issue with the help of Amazon technical support for developers. It turned out that back-end instance is only accessible through the Amazon private IP address. I was always trying to access it through it's public IP address.
AWS allows ingress between two security groups only if they are configured in the same region. For your spcific case, modify the security group settings for the Mysql server allowing in-bound 3306 port traffic from AccountId/OtherSecurityGroup e.g 111122223333/OtherSecurityGroup