I was trying to configure my EB to talk to an external RDS instance. Found an AWS document but found it's way too complicated, and many descriptions don't match what I have on the AWS configuration pages. Since I have configured to access RDS from ec2 and from my local machine before, I know I just need to find the security group of my EB instance and add it to RDS security group's Inbound access rules. However, while I searched hard I cannot find where the EB instance security group is. The closest thing I can find is a dash connected 6-part long string in the Instance Configuration page in the EB environment dashboard. But copying this long string RDS access rule is rejected as non-valid.
Eventually I found the security group of the EB which I can add into RDS access rules. It's not straightforward, but it's indeed related to the security group on the Instance Configuration page of the EB environment. First on EB environment page, tap the Configuration button, and tap the gear button on the Instance Configuration panel
Once on the Instance configuration detail page, find the EC2 security groups entry, copy part of the string, like the erased part in this picture
Then open another window and go to the RDS instance dashboard, tap on the Configuration Detail, find the Security Group and tap into it. On the bottom of the Security Group configuration page, Edit the rules and add a new Inbound rule, paste the copied partial EB security group into it, the browser will automatically prompt the correct security group in the sg-xxxx format. Select it and configure the Type as either All Traffic or of your particular DB type, and Voila, your EB instance can now talk to the RDS.
Related
I am using EC2 with Elastic Beanstalk to deploy a Spring Boot application. This deployment connects to an RDS MySQL instance and an assigned default security group allows the communication.
For a 3rd time, I have found the security group has been dropped from the EC2s list of groups, resulting in degraded Spring Boot, in which Boot is stuck in a startup loop (I am not sure why brought it down)
A separate Boot/EBS deployment uses this same group for RDS connectivity, and has never experienced this.
Has anyone else experienced this? Logs reveal nothing other than connection timeout to RDS.
To troubleshoot this issue, you can use AWS CloudTrail. Using AWS CloudTrail, you can trace who is detaching security group from the related AWS EC2 Instance. This kind of event is logged as ModifyNetworkInterfaceAttribute with event source as ec2.amazonaws.com.
Here you can find AWS CloudTrail user guide.
Note:Typically, CloudTrail delivers an event within 15 minutes of the API call/event.
I believe your problem is you are attaching the security groups to the instance using EC2 console instead of using EB environment's configuration.
Go to EB console, chose your environment, click on configuration.
Click Edit on the Instances section, add security groups from this location. Doing so will ensure that all your security groups are applied when EB is creating instances as an example when it scale-out.
This might be a duplicate of this post, but I wanted a separate question for my specific situation. Because none of the found answers on Stackoverflow have helped me so far.
I created an Elastic Beanstalk instance a while ago, complete with RDS instance, by following along with the Setup Wizard. But when I now try to upload new code to it I get the following error:
Environment update is starting.
Environment health has transitioned from Ok to Info. Application
update in progress (running for 2 seconds).
Service:AmazonCloudFormation, Message:Stack named
'awseb-e-gmz62hycax-stack' aborted operation. Current state:
'UPDATE_ROLLBACK_IN_PROGRESS' Reason: null
Updating RDS database named: xxxxxxxxxxxxxx failed Reason: DB Security
Groups can no longer be associated with this DB Instance. Use VPC
Security Groups instead.
In the Configuration section of the Elastic Beanstalk, under Security or Database I can't find any setting for DB Security Groups.
If I go to the RDS instance that this Elastic Beanstalk is using, under the Security group rules I see two Security Group - Inbound rules.
One with a name like:
awseb-e-abcde12345-stack-AWSEBSecurityGroup-123456ABCDE (sg-1234abcd)
And the other with a name like:
rds-awseb-e-abcde12345-stack-awsebrdsdbsecuritygroup-1234567abcdef-abcd (sg-4321dcba)
And the rest is all: CIDR/IP - Inbound.
Am I to remove/replace these Security Group - Inbound rules with VPC rules? Do I need to completely build a new Elastic Beanstalk, with other rules? And especially how to do this.
Also, all the security groups associated with this elastic beanstalk and RDS appear in the Security Groups section of the VPC Dashboard: https://eu-west-1.console.aws.amazon.com/vpc/home?region=eu-west-1#securityGroups:.
I am at a loss here. It feels like this should be very straightforward, since I created this with the Setup Wizard from AWS, but I can't figure it out. Anyone with some idea, please comment or answer, thanks!
The error clearly says, DB Security Groups can no longer be associated with this DB Instance.
Earlier in RDS, they were using a separate security group called DB Security group. Now everything moved to VPC security group. If you are using older AWS account, still you can see the DB security groups, but its not working now. So use VPC security group instead.
Best practice:
Launching RDS via Elastic Beanstalk or Cloudformation is not a good practice (particularly for production), because when you delete the CF template it'll remove all of your resources including the DB. And Beanstalk also will do the same on the new deployment.
I have an RDS database running (postgres) that I'm now trying to connect to an Elastic Beanstalk application. The connection times out.
I am guessing this has something to do with the VPC and security groups, but AWS continues to confuse me here and I'm kind of new to this. I'm trying follow this guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
When I try to add the rds_launch_wizard security group to the EB instance, it tells me that the security group is not found. rds_launch_wizard is in a VPC, whereas the EB application is not.
I have tried going into the EB configuration, choosing Instance and trying to add a security group:
By name, this pops up an error saying that "I cannot add groups by name".
By group ID, this tells me group sg-xxxxx not found.
Similarly, I can't add the EB security group to RDS, as this is also not found
How do I get the two talking to each other?
You have two options:
Move the EB environment into the VPC
Enable ClassicLink so that your EC2 Classic instances inside your EB environment can talk to the VPC.
ClassicLink is the obvious quick fix, but I think you will eventually want to move everything into a VPC. The VPC is more secure and there are quite a few features and services now on AWS that require a VPC.
I am trying to terminate an Elastic Beanstalk environment but it fails due to:
Deleting security group named: awseb-e-gpxusz64rm-stack-AWSEBSecurityGroup-1QZI37JXP423J failed Reason: resource sg-d25608b7 has a dependent object
Is there a way to force the environment to terminate?
The Security Group will not be deleted as long as it's in use, most typically that means active instances in the group. Elastic Beanstalk will remove it's own instances, and usually this works smoothly. Sometimes you have to manually help it a bit.
It is also possible that there are instances or other resources not managed by Elastic Beanstalk that have been launched into the Security Group. Take a look in the EC2 Instances section of the AWS Management Console to see what is attached to that security group. The quick way is to paste the Security Group name, awseb-e-gpxusz64rm-stack-AWSEBSecurityGroup-1QZI37JXP423J into the filter search and let AWS give you the list.
An RDS database instance might also be the problem.
One thing that helps me manage Elastic Beanstalk stuff is to add a column to the console UI for the EB environment name. Click the "Show/Hide Columns" button (gear icon) in the top right, and look for tag keys like elasticbeanstalk:environment-name that can help you zero in on the right EB artifacts. This works for both instances and security groups.
I've successfully launched an Amazon RDS instance (non VPC!) in the Ireland region. Now I need to set the Security Group settings, but these are not present in my console when selecting Ireland. When selecting Virginia the "Security Groups" item shows up in the left menu, but not when selecting Ireland. After digging through Google for hours it seems I need to setup the Security Groups through Amazon EC2. This seems weird to me because I don't need EC2, my app will not be hosted at Amazon (for now). Anyways, creating the Security Groups in EC2 doesn't change anything in my Amazon RDS console, I still can't find the Security Groups settings item in the left nav and thus cannot set CIDR/IP to 0.0.0.0/0.