I have an RDS database running (postgres) that I'm now trying to connect to an Elastic Beanstalk application. The connection times out.
I am guessing this has something to do with the VPC and security groups, but AWS continues to confuse me here and I'm kind of new to this. I'm trying to follow this guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
When I try to add the rds_launch_wizard security group to the EB instance, it tells me that the security group is not found. rds_launch_wizard is in a VPC, whereas the EB application is not.
I have tried going into the EB configuration, choosing Instance and trying to add a security group:
By name, this pops up an error saying that "I cannot add groups by name".
By group ID, this tells me group sg-xxxxx not found.
Similarly, I can't add the EB security group to RDS, as this is also not found.
How do I get the two talking to each other?
You have two options:
Move the EB environment into the VPC
Enable ClassicLink so that your EC2 Classic instances inside your EB environment can talk to the VPC.
ClassicLink is the obvious quick fix, but I think you will eventually want to move everything into a VPC. The VPC is more secure and there are quite a few features and services now on AWS that require a VPC.
I have an application on an Elastic Beanstalk single instance (we have not used a load balancer). And we also have our newly created RDS (RDS created separately, not with Elastic Beanstalk). Both are in the same VPC but different security groups.
Now, as per this tutorial from AWS (check here), I have added Elastic Beanstalk's security group to RDS's group as an inbound rule. Now the documentation asks to do the same on Elastic Beanstalk. But the problem is that if I apply the configuration changes, it causes the instance to be terminated and recreated.
I am not bothered about recreating, but the problem is that it deletes all installed repos and configuration (certbot and other repos). It's not good, we believe.
So is there any way to connect this without adding the RDS security group to the Elastic Beanstalk security group, without terminating and recreating the instance?
Should I edit Elastic Beanstalk's security group and add a Postgres inbound rule, like I did with RDS? Please advise.
This might be a duplicate of this post, but I wanted a separate question for my specific situation, because none of the answers I found on Stack Overflow have helped me so far.
I created an Elastic Beanstalk instance a while ago, complete with RDS instance, by following along with the Setup Wizard. But when I now try to upload new code to it I get the following error:
Environment update is starting.
Environment health has transitioned from Ok to Info. Application
update in progress (running for 2 seconds).
Service:AmazonCloudFormation, Message:Stack named
'awseb-e-gmz62hycax-stack' aborted operation. Current state:
'UPDATE_ROLLBACK_IN_PROGRESS' Reason: null
Updating RDS database named: xxxxxxxxxxxxxx failed Reason: DB Security
Groups can no longer be associated with this DB Instance. Use VPC
Security Groups instead.
In the Configuration section of the Elastic Beanstalk, under Security or Database I can't find any setting for DB Security Groups.
If I go to the RDS instance that this Elastic Beanstalk is using, under the Security group rules I see two Security Group - Inbound rules.
One with a name like:
awseb-e-abcde12345-stack-AWSEBSecurityGroup-123456ABCDE (sg-1234abcd)
And the other with a name like:
rds-awseb-e-abcde12345-stack-awsebrdsdbsecuritygroup-1234567abcdef-abcd (sg-4321dcba)
And the rest is all: CIDR/IP - Inbound.
Am I to remove/replace these Security Group - Inbound rules with VPC rules? Do I need to completely build a new Elastic Beanstalk, with other rules? And especially, how do I do this?
Also, all the security groups associated with this elastic beanstalk and RDS appear in the Security Groups section of the VPC Dashboard: https://eu-west-1.console.aws.amazon.com/vpc/home?region=eu-west-1#securityGroups:.
I am at a loss here. It feels like this should be very straightforward, since I created this with the Setup Wizard from AWS, but I can't figure it out. Anyone with some idea, please comment or answer, thanks!
The error clearly says: DB Security Groups can no longer be associated with this DB Instance.
Earlier in RDS, they were using a separate security group called a DB Security Group. Now everything has moved to VPC security groups. If you are using an older AWS account, you can still see the DB security groups, but they are not working now. So use VPC security groups instead.
Best practice:
Launching RDS via Elastic Beanstalk or CloudFormation is not a good practice (particularly for production), because when you delete the CF template it'll remove all of your resources, including the DB. And Beanstalk will also do the same on the new deployment.
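The recurring question in the posts above is whether the RDS security group actually admits the Beanstalk instance group on the database port, and whether both groups even live in the same VPC (a VPC group and an EC2-Classic group cannot reference each other). The following is an added example, not code from any of the posts: it reads data shaped like the output of `aws ec2 describe-security-groups` (only the fields used), confirms the source-group rule is present, checks both groups share a VPC, and flags a world-open rule on the port. All group and VPC IDs are constructed placeholders.

```python
"""Audit which security groups may reach an RDS instance on its DB port.

Added example, not from the original posts. Works on the subset of
`describe-security-groups` output used below. All IDs are constructed.
"""

PORT_POSTGRES = 5432

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0rds00000000000001",      # constructed RDS SG
        "GroupName": "rds-launch-wizard",
        "VpcId": "vpc-0example0000000001",       # constructed VPC
        "IpPermissions": [
            {   # the rule the tutorial asks for: source is the EB instance group
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [], "Ipv6Ranges": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0eb000000000000001"}],
            },
            {   # an over-broad rule that "made it work" and was never removed
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                "UserIdGroupPairs": [],
            },
        ],
    },
    {
        "GroupId": "sg-0eb000000000000001",      # constructed EB instance SG
        "GroupName": "awseb-e-xxxx-stack-AWSEBSecurityGroup",
        "VpcId": "vpc-0example0000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
]


def find_group(groups, group_id):
    for g in groups:
        if g["GroupId"] == group_id:
            return g
    raise KeyError(f"security group {group_id} not found")


def _rule_covers_port(rule, port):
    """True if an IpPermissions entry reaches `port` (tcp range or an all-traffic rule)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "-1" is the all-protocols / all-ports rule
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def allows_ingress_from_group(groups, target_sg_id, source_sg_id, port):
    """Does `target_sg_id` admit traffic on `port` from members of `source_sg_id`?"""
    for rule in find_group(groups, target_sg_id)["IpPermissions"]:
        if _rule_covers_port(rule, port) and any(
            p.get("GroupId") == source_sg_id for p in rule.get("UserIdGroupPairs", [])
        ):
            return True
    return False


def world_open_on_port(groups, sg_id, port):
    """List the world-open CIDRs (0.0.0.0/0 or ::/0) that reach `port` on `sg_id`."""
    cidrs = []
    for rule in find_group(groups, sg_id)["IpPermissions"]:
        if not _rule_covers_port(rule, port):
            continue
        cidrs += [r["CidrIp"] for r in rule.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
    return cidrs


def same_vpc(groups, a, b):
    """Both groups carry the same VpcId; EC2-Classic groups have none and never match."""
    va, vb = find_group(groups, a).get("VpcId"), find_group(groups, b).get("VpcId")
    return va is not None and va == vb


def audit_db_access(groups, rds_sg_id, app_sg_id, port=PORT_POSTGRES):
    """`ok` means the app group is admitted, both groups share a VPC, and the port is not world-open."""
    result = {
        "same_vpc": same_vpc(groups, rds_sg_id, app_sg_id),
        "app_allowed": allows_ingress_from_group(groups, rds_sg_id, app_sg_id, port),
        "world_open": world_open_on_port(groups, rds_sg_id, port),
    }
    result["ok"] = result["same_vpc"] and result["app_allowed"] and not result["world_open"]
    return result


if __name__ == "__main__":
    print(audit_db_access(SAMPLE_GROUPS, "sg-0rds00000000000001", "sg-0eb000000000000001"))
```

On the constructed sample the app group is admitted and both groups share a VPC, but the audit still reports `ok: False` because of the 0.0.0.0/0 rule on 5432; that is the rule to revoke once the source-group rule is in place.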
Currently I have an application which is running on a normal Ubuntu EC2 instance, as well as an Elastic Beanstalk environment running a Tomcat web application. There is a server on the EC2 instance which must be accessible from the Elastic Beanstalk application at all times.
The issue here is that I cannot associate the Elastic Beanstalk application with a security group. I have tried adding an options.config file to the .ebextensions folder in the root web project containing the following:
option_settings:
  # one list item carrying all three keys; a dash on every line makes three separate entries
  - namespace: 'aws:autoscaling:launchconfiguration'
    option_name: SecurityGroups
    value: 'sg-XXXXXX'
But this doesn't work. The EC2 instance always has a static IP address; however, the instances accessing the EC2 server are changing inside of AWS. I read that if two services are assigned to the same security group they will be able to communicate with each other. The issue with that approach is that I cannot even change the security group of the Elastic Beanstalk application whatsoever.
I cannot allow global access to the server either; it must be specific to the Elastic Beanstalk environment only.
Due to circumstances I cannot dig into right now, we won't be able to launch the instances in a VPC for the moment, but we need the services running regardless.
I cannot find any decent documentation on how to achieve any of this, if any of you have a hunch I'd be more than happy to receive any suggestions or directions as to how to solve this issue.
All instances will be in a security group. It sounds like your beanstalk instances are probably in some default security group. You can view each instance in the EC2 console and see what security group they are in. Also, just having instances in the same security group does not guarantee that they can communicate with each other. Whoever told you that is wrong.
You just need to figure out what security groups your instances are in, and then modify the rules in the security group(s) to allow the appropriate access.
Also, note that you can't change an instance's security group after it has been created. You would have to terminate the instance and create a new one in the group you want. However, like I said, you shouldn't need to change the security groups at all in order to fix this issue.
I am faced with a chicken-and-egg problem. I currently have a server in EC2 Classic, as well as an RDS instance -- in EC2 Classic as well. The EC2 instances also interact with a Cassandra cluster, which also resides in EC2 Classic.
However, I need to move RDS into the VPC. Now, in an ideal world, I'd have all of my stuff in VPC at this point. However, that presents a major migration challenge and I'd like to minimize impact on users and keep steps to minimum -- this is mainly because of the Cassandra cluster.
It turns out that I cannot create security group rules between VPC and Non-VPC security groups.
So, how can I have RDS in a VPC that my EC2 instances can access w/o having to open up my RDS to the entire world?
Any help is greatly appreciated.
UPDATE: So, one idea I had is to assign Elastic IPs to my EC2 instances and add the IPs explicitly to the security group for RDS within the VPC. Would that work? (trying it now using https://github.com/skymill/aws-ec2-assign-elastic-ip)
Yes, unfortunately that's the only way to do it. You cannot use DNS in security groups, so you're stuck with IP addresses.
So, I ended up solving it exactly like I described -- assign Elastic IPs to my EC2 instances and add the IPs explicitly to the security group for RDS within the VPC. It ended up working great.
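The workaround settled on above (Elastic IPs on the EC2-Classic instances, each added as a /32 to the RDS group in the VPC) has one operational weak spot: the allowlist drifts. A replaced instance leaves a stale /32 behind, and a released Elastic IP can later be handed to another AWS customer, who then inherits access to the database port. The following is an added example, not code from the posts: it computes the delta between the rules a group currently has and the rules the current fleet needs, revokes anything wider than a /32, and shapes the result as the `IpPermissions` structure that boto3's `authorize_security_group_ingress` and `revoke_security_group_ingress` accept (the calls themselves are not made here). All addresses are constructed sample values.

```python
"""Reconcile an IP-based allowlist on a VPC security group with a fleet of Elastic IPs.

Added example, not from the original posts. Addresses below are constructed.
"""
import ipaddress

DB_PORT = 5432

# Constructed: the Elastic IPs currently attached to our application instances.
FLEET_EIPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Constructed: CIDRs currently on the RDS group's port-5432 rule.
# 203.0.113.9 belonged to an instance that has since been replaced; the /24
# is an over-broad rule that should never have been there.
CURRENT_CIDRS = ["203.0.113.9/32", "203.0.113.10/32", "203.0.113.11/32", "203.0.113.0/24"]


def desired_cidrs(eips):
    """One host rule (/32) per Elastic IP; rejects anything that is not a single IPv4 address."""
    out = set()
    for ip in eips:
        addr = ipaddress.ip_address(ip)          # raises ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"{ip}: only IPv4 Elastic IPs are handled here")
        out.add(f"{addr}/32")
    return out


def reconcile(current, desired):
    """Return (to_add, to_revoke). Any rule wider than /32 is revoked even if it
    happens to contain a fleet address, so the allowlist stays exact."""
    exact, too_broad = set(), set()
    for cidr in current:
        net = ipaddress.ip_network(cidr, strict=True)
        (exact if net.prefixlen == 32 else too_broad).add(cidr)
    to_add = sorted(desired - exact)
    to_revoke = sorted((exact - desired) | too_broad)
    return to_add, to_revoke


def ip_permissions(cidrs, port=DB_PORT):
    """Shape CIDRs into the IpPermissions list that
    ec2.authorize_security_group_ingress / revoke_security_group_ingress take."""
    if not cidrs:
        return []
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "app fleet EIP"} for c in cidrs],
    }]


def plan(eips=FLEET_EIPS, current=CURRENT_CIDRS):
    """The two change sets to apply, in the order a safe rollout would use them:
    authorize the new /32s first, then revoke the stale and over-broad entries."""
    to_add, to_revoke = reconcile(current, desired_cidrs(eips))
    return {"authorize": ip_permissions(to_add), "revoke": ip_permissions(to_revoke)}


if __name__ == "__main__":
    import json
    print(json.dumps(plan(), indent=2))
```

Run on the constructed data, the plan authorizes `203.0.113.12/32` and revokes `203.0.113.9/32` and `203.0.113.0/24`. Running it on a schedule, or from whatever hook assigns the Elastic IPs, is what keeps the IP-based approach from quietly widening over time.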
I've created a new environment for my Beanstalk app under a VPC.
I created a VPC with private and public subnets.
I've configured the security groups as outlined here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
The environment seemed to set up correctly, but the status is red.
Clicking on monitor reveals no data for latency or requests.
The website url returns error code 503.
Not sure what to do.
This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.
Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be on its own Inbound list so that everything inside that SG can talk to each other.
Using curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?
I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.
If these troubleshooting steps don't help, let me know and I'll dig a little deeper.
When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from "default" security group.
When you created the Elastic Beanstalk environment, did you specify that you want the new instances to be on the "default" security group?
Check if the new instance belongs to the VPC's default security group in EC2 management area. If it is not a member of default Security group, add this security group to your NAT's inbound connections.
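The two answers above reduce to a handful of placement rules: NAT and load balancer in the public subnet, Beanstalk instances in the private subnet, the instance security group also attached to the NAT, and that group listed in its own inbound rules. The following is an added example, not code from the posts: it encodes those rules and reports which ones a given layout violates, using the answer's 10.0.0.0/24 and 10.0.1.0/24 split. All subnet, instance and group IDs are constructed; in practice the same dictionaries would be filled from `describe-subnets`, `describe-instances` and `describe-security-groups`.

```python
"""Check the public/private subnet layout a Beanstalk-in-VPC setup needs.

Added example, not from the original posts. All IDs and addresses are constructed.
"""
import ipaddress

# Constructed layout following the answer: 10.0.0.0/24 public, 10.0.1.0/24 private.
SUBNETS = {
    "subnet-0pub0000000000001": {"cidr": "10.0.0.0/24", "public": True},
    "subnet-0priv000000000001": {"cidr": "10.0.1.0/24", "public": False},
}

# Each resource: its private address and the security groups attached to it.
RESOURCES = {
    "nat":   {"ip": "10.0.0.5",  "groups": ["sg-0nat0000000000001", "sg-0app0000000000001"]},
    "elb":   {"ip": "10.0.0.20", "groups": ["sg-0elb0000000000001"]},
    "app-a": {"ip": "10.0.1.10", "groups": ["sg-0app0000000000001"]},
    "app-b": {"ip": "10.0.0.11", "groups": ["sg-0app0000000000001"]},  # wrongly launched in the public subnet
}

# Only the fields needed for the self-reference check.
GROUPS = {
    "sg-0app0000000000001": {"IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000001"}]},
    ]},
    "sg-0nat0000000000001": {"IpPermissions": []},
    "sg-0elb0000000000001": {"IpPermissions": []},
}

APP_SG = "sg-0app0000000000001"


def subnet_of(ip, subnets=SUBNETS):
    """Return the id of the subnet whose CIDR contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for sid, s in subnets.items():
        if addr in ipaddress.ip_network(s["cidr"]):
            return sid
    return None


def is_public(ip, subnets=SUBNETS):
    sid = subnet_of(ip, subnets)
    return sid is not None and subnets[sid]["public"]


def references_itself(group_id, groups=GROUPS):
    """True if the group has an inbound rule whose source is the group itself,
    which is what lets every member of the group talk to every other member."""
    for rule in groups[group_id]["IpPermissions"]:
        if any(p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def check_layout(resources=RESOURCES, subnets=SUBNETS, groups=GROUPS, app_sg=APP_SG):
    """Return human-readable findings; an empty list means the layout matches the answer."""
    findings = []
    for name, r in resources.items():
        public = is_public(r["ip"], subnets)
        if name in ("nat", "elb") and not public:
            findings.append(f"{name} ({r['ip']}) must be in the public subnet")
        if name.startswith("app") and public:
            findings.append(f"{name} ({r['ip']}) must be in the private subnet")
    if app_sg not in resources["nat"]["groups"]:
        findings.append(f"{app_sg} must also be attached to the NAT")
    if not references_itself(app_sg, groups):
        findings.append(f"{app_sg} needs an inbound rule with itself as source")
    return findings


if __name__ == "__main__":
    for line in check_layout() or ["layout OK"]:
        print(line)
```

On the constructed data the only finding is the instance launched into the public subnet; the remaining three rules are satisfied. A Beanstalk instance that fails this check has no NAT path for outbound calls, which is the symptom (red health, 503 from the load balancer) the question describes.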
There is a good AWS CloudFormation template example to create a VPC with public and private subnets and the NATs:
https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml
It may be very useful for those having issues with such a VPC configuration.
To deploy it to your AWS account using the CLI:
aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml
Or you can deploy it from the CloudFormation UI dashboard.