You can add an RDS instance to an Elastic Beanstalk environment, but there is no option when you do this to have the RDS instance be encrypted. You can modify the RDS instance after it's launched, but you can't modify whether or not it's encrypted.
The Amazon docs discuss creating an independent RDS instance and modifying security groups, but this seems antithetical to Elastic Beanstalk.
Is there a way to get an encrypted RDS instance that is attached to an Elastic Beanstalk environment?
I do not recommend creating RDS instances from the EB configuration panel. In most cases that may come up in your setup it may not be an issue, but when it comes to a serious production setup, it may become a serious problem. RDS instances created from the EB config panel are kind of merged into the EB environment they were created in. It means that every time you delete your environment, the system forces you to remove the RDS instance as well. And that's not the way you want it to be, as the environment should be the part you're not afraid to delete at any time.
Let's say you want to update your Multicontainer Docker setup, because there's an update going on. You would just clone current environment, then switch url and you're done. With RDS instances created as described above, you simply can't.
My advice is to create a separate RDS instance, then add a specific security group for this instance, and finally add this security group in Configuration -> Instances -> EC2 security groups for the EB environment, so it has access there. With that you can create an encrypted database instance and you can easily switch environments with no risk that your database will be thrown away.
And if you're ok with standard environment variables for RDS, like RDS_DB_NAME etc. you can add the same in Configuration -> Software Configuration -> Environment Properties. That's how we do this for each production and serious server we're taking care of at work.
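The setup this answer describes, written out as AWS CLI commands. This is an added example, not part of the original answer. Assumptions: every identifier, security group ID, endpoint and instance class is a placeholder, the database is MySQL on port 3306, access is granted by allowing the environment's instance security group into the database's group, and the master password is left to RDS-managed Secrets Manager storage rather than set as an environment property.

```shell
#!/bin/sh
# Added example (not from the original answers). Every name and ID is a placeholder.
# DRY_RUN=1 (default) prints each AWS CLI command; DRY_RUN=0 executes it.
set -eu

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Encrypted at creation time (it cannot be switched on afterwards), not publicly
# reachable, attached to its own security group. The master password is generated
# and stored by RDS in Secrets Manager instead of being passed on the command line.
create_encrypted_db() {   # $1 = DB identifier, $2 = DB security group ID
  run aws rds create-db-instance \
    --db-instance-identifier "$1" \
    --engine mysql --db-instance-class db.t3.small --allocated-storage 20 \
    --master-username appadmin --manage-master-user-password \
    --storage-encrypted --no-publicly-accessible \
    --vpc-security-group-ids "$2"
}

# Allow MySQL traffic into the DB group only from the environment's instance group.
allow_env_to_db() {       # $1 = DB security group ID, $2 = EB instance security group ID
  run aws ec2 authorize-security-group-ingress \
    --group-id "$1" --protocol tcp --port 3306 --source-group "$2"
}

# Publish the non-secret connection settings as environment properties.
set_db_properties() {     # $1 = EB environment name, $2 = DB endpoint, $3 = DB name
  ns="aws:elasticbeanstalk:application:environment"
  run aws elasticbeanstalk update-environment --environment-name "$1" \
    --option-settings \
    "Namespace=$ns,OptionName=RDS_HOSTNAME,Value=$2" \
    "Namespace=$ns,OptionName=RDS_PORT,Value=3306" \
    "Namespace=$ns,OptionName=RDS_DB_NAME,Value=$3" \
    "Namespace=$ns,OptionName=RDS_USERNAME,Value=appadmin"
}

# Report whether the instance's storage is encrypted.
check_encrypted() {       # $1 = DB identifier
  run aws rds describe-db-instances --db-instance-identifier "$1" \
    --query 'DBInstances[0].StorageEncrypted'
}

create_encrypted_db app-db sg-0aaaaaaaaaaaaaaaa
allow_env_to_db sg-0aaaaaaaaaaaaaaaa sg-0bbbbbbbbbbbbbbbb
set_db_properties my-env app-db.example.eu-west-1.rds.amazonaws.com appdb
check_encrypted app-db
```

In a real run the endpoint passed to `set_db_properties` is only known once the instance has finished creating.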
Yes. There is currently the following workaround:
Create a new encrypted RDS instance
Take a snapshot of this instance
Add an RDS instance to your Elastic Beanstalk environment based on this snapshot. The snapshot is encrypted, and thus the database created based on it is encrypted as well
I have received an email from AWS that states
We have important news about your account (AWS Account ID: XXXXX). EC2
has detected degradation of the underlying hardware hosting your
Amazon EC2 instance (instance-ID: i-XXXX) in the eu-west-1 region. Due
to this degradation, your instance could already be unreachable. After
2017-05-25 10:00 UTC your instance, which has an EBS volume as the
root device, will be stopped.
I'm actually using Elastic Beanstalk with a load balancer with an elastic IP address on what is currently the only instance running (manually associated). In addition I have a reverse DNS for email purposes.
The email continues to say the following...
You may still be able to access the instance. We recommend that you
replace the instance by creating an AMI of your instance and launch a
new instance from the AMI. For more information please see Amazon
Machine Images
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) in the
EC2 User Guide. In case of difficulties stopping your EBS-backed
instance, please see the Instance FAQ
(http://aws.amazon.com/instance-help/#ebs-stuck-stopping).
So how do I get Elastic Beanstalk to re-provision to new hardware?
Some options seem to be...
rebuild environment
save configuration -> terminate -> load configuration
clone environment -> manually change DNS -> Terminate old environment
'Terminate' environment -> 'Restore terminated environment'?
I'm not sure which variant would restore the environment; in particular, it would be ideal if I don't lose the hostname / reverse DNS stuff that was done for email (SNS?) configuration.
It would be nice if I kept all of this (I don't care about the EC2 instance or data - the data is held in MongoDb external to all of this) ...
EC2 configuration (i.e. hardware box size, VM parameters etc)
Security Groups
Load balancer
Elastic IP associated to EC2 (easy enough to do manually after)
Hostname (whatever is required for the reverse DNS)
Thoughts would be appreciated! - It's a shame their email / documentation only discusses EC2 and not beanstalk configurations.
Just terminate the instance and let Elastic Beanstalk automatically spin up a new one. Any changes you are making to your EC2 instances in your beanstalk environment should be done through .ebextensions configuration files (you aren't making changes directly over ssh, right?) so you don't need to worry about "saving" your EC2 setup via creating an AMI.
As for all the items you listed that you need to save, those are all part of the EB environment configuration, not part of the EC2 instance that is being retired.
A load balanced Elastic Beanstalk environment is configured to terminate and create new EC2 instances as needed. There's no need to completely rebuild/replace your entire EB environment just because you need to replace one of the EC2 instances.
I used Elastic Beanstalk to upload an application whilst studying, it was part of a group project. However the account got suspended when the billing details were incorrect, this discontinued the application services.
After resolving the account with Amazon the Elastic Beanstalk environment was up and running apart from the RDS instance. I then restored the most recent RDS backup but I can no longer access the MySQL database with the previous details (Host, DBName and Password) and the application no longer works because the details to connect to the DB are wrong.
I then found out I cannot use a snapshot RDS instance with an existing EB environment, so I am doing the following steps:
Restore the database to a new RDS instance.
Make a manual backup of this new RDS instance. Create a new Beanstalk environment using your manual RDS backup.
Test to make sure everything is working as expected.
Update URLs or DNS to make sure traffic is routed to your new environment
However, I do not know how to do step two. Can anybody help me on how to create a new EB environment using an RDS instance snapshot?
(So I can access the DB)
These are the steps involved in creation of AWS Beanstalk.
In this step select the "create RDS" check box.
When you go to the RDS Configuration step select the snapshot of your database in the drop down and then proceed till the end.
When you set up a new Elastic Beanstalk cluster you can access your EC2 instance by doing this:
eb ssh
However, it's not clear how to access the RDS instance.
How do you access an RDS in an Elastic Beanstalk context in order to perform CRUD operations?
The RDS command-line can be accessed from anywhere, by adjusting the RDS security group.
Check your AWS VPC configuration.
The security group will need to be adjusted to allow you to connect from a new source/port.
Find the security group ID for the RDS.
Find that group in AWS Console > VPC > Security Groups
Adjust the Inbound and Outbound Rules accordingly.
You need to allow access to/from the IP or security group that needs to connect to the RDS.
FROM: https://stackoverflow.com/a/37200075/1589379
After that, all that remains is configuring whatever local DB tool you would like to use to operate on the database.
EDIT:
Of additional note, if the ElasticBeanstalk Environment is configured to use RDS, the EC2 Instances will have environment variables set with the information needed to connect to the RDS.
This means that you can import those variables into any code that needs access.
Custom environment variables may also be set in Elastic Beanstalk Environment Configuration, and these too may be included this way.
PHP
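// Build the connection from the RDS_* environment variables set on the instance
$dsn = 'mysql:host=' . getenv('RDS_HOSTNAME') . ';port=' . getenv('RDS_PORT') . ';dbname=' . getenv('RDS_DB_NAME');
$db = new PDO($dsn, getenv('RDS_USERNAME'), getenv('RDS_PASSWORD'));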
Linux CommandLine
mysql --host=$RDS_HOSTNAME --port=$RDS_PORT -u $RDS_USERNAME -p$RDS_PASSWORD
RDS is a managed database service, which means that you can only access it through database calls.
If it is a MySQL database you can access it through your EC2 instance through mysql like this:
mysql -u user -p -h rds.instance.endpoint.region.rds.amazonaws.com
or set it up to work with your app with settings needed for that.
Make sure that you set up security groups correctly so that your EC2/other service has access to your RDS instance.
Update:
If you want what you are asking for then you should use an EC2 instance with a mysql server on. It would cost the same (even though a fraction of performance is lost in comparison). An EC2 instance you can turn off when you are not using as well.
How do you remove an RDS database from an Elastic Beanstalk environment?
There doesn't appear to be an option to do this. I understand I can create an EB environment and have it create an RDS server with it, which we did. Now we just want to get rid of the RDS server by itself but leave the app servers running. I don't see how we're supposed to do this unless I just delete it from the RDS GUI, but I'd think the proper way to do it is to remove it from the EB environment.
According to this answer on Amazon aws forums:
There is currently no way to remove RDS from an Elastic Beanstalk
configuration. You would need to create a new Elastic Beanstalk
application configuration that excludes the RDS configuration, launch
your app in this new environment, and then change DNS to point to the
new environment.
https://forums.aws.amazon.com/message.jspa?messageID=469364
It's 2019 and still not possible to remove an RDS database from an Elastic Beanstalk environment. I wish I had known this earlier.
Anyway ... here are the general steps necessary to create a new environment without a managed RDS DB (based on the same thread from the AWS forum):
Create a snapshot of your RDS DB and create a new RDS DB from it. This does not retain the security group, parameter group, or options of your DB. So it might be preferable to create a new empty RDS DB where you can configure everything and then restore the contents from a DB dump like mysqldump.
Save a configuration of your Elastic Beanstalk env and download it from your S3 EBS bucket under resources/templates/<your-app-name>/.
Modify the config to remove all references to RDS, and upload the modified file to your S3 bucket.
Create a new environment from the saved configuration. You should now have an env without a managed RDS DB. Some settings might not be carried over in this process. For example, I had to reconfigure the load balancer for my new env.
Once everything is working in the new env you can use "Swap Environment URLs" or point your DNS record to the new load balancer.
Now you can decouple the database from your environment.
Then it will follow the data retention policy you have set for it.
https://aws.amazon.com/premiumsupport/knowledge-center/decouple-rds-from-beanstalk/
When creating an application in Amazon Elastic Beanstalk, you have the option of creating a new Amazon RDS database instance. Is it possible to associate an existing RDS database instance with an Elastic Beanstalk application?
If you want to share an RDS instance between multiple applications, the best thing to do is set that up independent of your beanstalk application.
Set up privs for each application and configure each application to use the RDS instance.
You will probably have to manually configure your application security group to access the database instance.
I was facing the same issue and fixed it using the following steps:
1) Go to the EC2 instance and note your security group, for example "sg-121212121212"
2) Go to the RDS Security Group and inbound traffic
3) Edit the rule, select all traffic and add your new ebs security group "sg-121212121212"
Hope it will be helpful
A single database can only be used with one Elastic Beanstalk environment. Although, it can be moved between environments.
Also important to remember that a clone operation doesn't clone the database.