When you set up a new Elastic Beanstalk cluster you can access your EC2 instance by doing this:
eb ssh
However, it's not clear how to access the RDS instance.
How do you access an RDS in an Elastic Beanstalk context in order to perform CRUD operations?
The RDS command-line can be accessed from anywhere, by adjusting the RDS security group.
Check your AWS VPC configuration.
The security-group will need to be
adjusted to allow you to connect from a new source/port.
Find the security Group-id for the RDS.
Find that group in AWS Console > VPC > secuirty groups
Adjust the Inbound and Outbound Rules accordingly.
You need to allow access to/from the IP or security group that needs to connect to the RDS.
FROM: https://stackoverflow.com/a/37200075/1589379
After that, all that remains is configuring whatever local DB tool you would like to use to operate on the database.
EDIT:
Of additional note, if the ElasticBeanstalk Environment is configured to use RDS, the EC2 Instances will have environment variables set with the information needed to connect to the RDS.
This means that you can import those variables into any code that needs access.
Custom environment variables may also be set in Elastic Beanstalk Environment Configuration, and these too may be included this way.
PHP
define('RDS_HOSTNAME', getenv('RDS_HOSTNAME'));
$db = new rds(RDS_HOSTNAME);
Linux CommandLine
mysql --host=$RDS_HOSTNAME --port=$RDS_PORT -u $RDS_USERNAME -p$RDS_PASSWORD
RDS is a managed database service, which means it is that you can only access it through database calls.
If it is a MySQL database you can access through your EC2 instance through mysql like this:
mysql -u user -p password -h rds.instance.endpoint.region.rds.amazonaws.com
or set it up to work with your app with settings needed for that.
Make sure that you set up security groups correctly so that your EC2/other service has access to your RDS instance.
Update:
If you want what you are asking for then you should use an EC2 instance with a mysql server on. It would cost the same (even though a fraction of performance is lost in comparison). An EC2 instance you can turn off when you are not using as well.
Related
Before moving to Amazon Web Services, I was using Google Cloud Platform to develop my aplication, CloudSQL to be specific, and GCP have something called Cloud SQL Proxy that allows me to connect to my CloudSQL instance using my computer, instead of having to deploy my code to the server and then test it. How can I make the same thing using AWS?
I have a python environment on Elastic Beanstalk, that uses Amazon RDS.
AWS is deny be default so you cannot access an RDS instance outside of the VPC that your application is running in. With that being said... you can connect to the RDS instance via a VPN that can be stood up in EC2 that has rules open to the RDS instance. This would allow you to connect to the VPN on whatever developer machine and then access the RDS instance as if your dev box was in the VPC. This is my preferred method because it is more secure. Only those with access to the VPN have access to the RDS instance. This has worked well for me in a production sense.
The VPN provider that I use is https://aws.amazon.com/marketplace/pp/OpenVPN-Inc-OpenVPN-Access-Server/B00MI40CAE
Alternatively you could open up a hole in your VPC to the RDS instance and make it publicly available. I don't recommend this however because it will leave your RDS instance open to attack as it is publicly exposed.
You can expose your AWS RDS to the internet by proper VPC setting, I did it before.
But it has some risks
So usually you can use those ways to figure it out:
Create a local database server and restore snapshot from your AWS RDS
or use VPN to connect to your private subnet which hold your RDS
A couple people have suggested putting your RDS instance in a public subnet, and allowing access from the internet.
This is generally considered to be a bad idea, and should be the last resort.
So you have a couple of options for getting access to RDS in a private subnet.
The first option is to set up networking between your local network and your AWS VPC. You can do this with Direct Connect, or with a point-point VPN. But based on your question, this isn't something you feel comfortable with.
The second option is to set up a bastion server in the public subnet, and use ssh port forwarding to get local access to the RDS over the SSH tunnel.
You don't say if you on linux or Windows, but this can be accomplished on either OS.
What I did to solve was:
Go to Elastic Beanstalk console
Chose you aplication
Go to Configurations
Click on the endpoint of your database in Databases
Click on the identifier of your DB Instance
In security group rules click in the security groups
Click in the inbound tab
Click edit
Change type to All Traffic and source to Anywhere
Save
This way you can expose the RDS connected to your Elastic Beanstalk aplication to the internet, which is not recommended as people sugested, but it is what I was looking for.
You can add an RDS instance to an Elastic Beanstalk environment, but there is no option when you do this to have the RDS instance be encrypted. You can modify the RDS instance after it's launched, but you can't modify whether or not it's encrypted.
The amazon docs discuss creating an independent RDS instance and modifying security groups but this seems antithetical to Elastic Beanstalk.
Is there a way to get an encrypted RDS instance that is attached to an Elastic Beanstalk environment?
I do not recommend to create RDS instances from EB configuration panel. For most of the cases that may happen on your setup, it may won't be an issue, but when it comes to serious production setup, it may become a serious problem. RDS instances created from EB config panel are kind of merged to EB environment they were created in. It means that every time you delete your environment, system forces you to remove RDS instance as well. And that's not the way you want it to be, as environment should be the part you're not afraid to delete at any time.
Let's say you want to update your Multicontainer Docker setup, because there's an update going on. You would just clone current environment, then switch url and you're done. With RDS instances created as described above, you simply can't.
My advise is to create separate RDS instance, then add specific security group for this instance, and finally, add this security group in Configuration -> Instances -> EC2 security groups for EB environment, so it have access there. With that you can create encrypted instance of database and you can easily switch environment with no risk your database will be thrown away.
And if you're ok with standard environment variables for RDS, like RDS_DB_NAME etc. you can add the same in Configuration -> Software Configuration -> Environment Properties. That's how we do this for each production and serious server we're taking care of at work.
Yes. There is currently the following workaround:
Create a new encrypted RDS instance
Take a snapshot of this instance
Add an RDS instance to your Elastic Beanstalk environment based on this snapshot. The snapshot is encrypted, and thus the database created based on it is encrypted as well
In trying to move a website to operate via Elastic Beanstalk (ELB), I chose the t2 series of EC2 instances, and in doing so, was forced to create a Virtual Private Cloud (VPC). This site connects to a MySQL database via RDS, and I'm not having any luck getting the ELB site to access the database.
I've tried reviewing this:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
The above link starts by saying "works great for development and testing environments, but is not ideal for a production environment", which confuses me as it doesn't say what would be better in its place - I need a database connected to the site!
It has all sorts of information and I tried several of the things it suggested regarding connecting to an existing database (not creating a new one). It mentions on step 6 of the "To modify the ingress rules on your RDS instance's security group" section to access the ingress tab, which doesn't exist for me.
I've tried editing the security group associated with the database via the RDS dashboard under "security groups", but it does not list the security groups that are associated with the VPC or the EC2 instance launched by ELB. I tried pushing the IP addresses, elastic IPs, and still can't get the site to see the database.
I'm at a loss. Can anyone explain how to connect an ELB distributed EC2 instance with an RDS database through the VPC required by t2 instances?
The statement that "This works great for development and testing environments, but is not ideal for a production environment" is just referring to having ElasticBeanstalk create the RDS instance for you. This can be done by configuring the "Database" section when creating a new EB environment.
The downside of letting EB create the RDS instance for you is that your web instance and database instance will be strongly connected, and if you ever terminate your web instance, your database will also be terminated, including all of your snapshots.
However, I think you're taking the "external" part of "external database" too literally. Your RDS instance should definitely be within the same VPC as your web instance. However, you should create it and connect your web instance to it manually. Connecting to the database involves setting five environment variables (listed below) and configuring the security group to allow connections from the web instance to the database.
The environment variables you'll need to set on your web instance are as follows:
RDS_HOSTNAME=instancename.region.rds.amazonaws.com
RDS_DB_NAME=databasename
RDS_PASSWORD=databasepassword
RDS_USERNAME=databaseuser
RDS_PORT=5432
Can someone please clearly explain in a step-by-step guide and in simple terms from start to finish how to properly setup a private RDS instance that connects to:
Elastic Beanstalk instance where the the environment is using a load balancing, auto scaling web server environment using PHP as it’s platform.
MySQL Workbench
Side note, the EB and RDS instance(s) are all in the same VPC. I suppose in reality this may be more of a how to properly setup and connect IAM profiles and roles question.
In essence, I want to restrict all internet access from the RDS instance, while still allowing my EB instance or other resources i.e other EC2 instances (all located in the same VPC) the ability to connect to the RDS instance, while also allowing me to use (connect to) a DB tool like MySQL Workbench.
Elastic Beanstalk Security Questions:
Instance Profile: How should I setup/config this role and it’s associated policy
Service Profile: How should I setup/config this role and it’s associated policy
RDS Security Questions:
VPC Security Groups: How should I setup/config this security group(s) to allow access from EB instance, other specified resources (EC2), and MySQL Workbench
I'm trying out AWS EC2 and RDS. I had followed this tutorial and it worked, but the tutorial is missing a database migration. https://www.youtube.com/watch?v=YJoOnKiSYws So, could someone point me in the right direction to continue with the database migration?
I've tried https://support.cloud.engineyard.com/entries/21009887-Access-Your-Database-Remotely-Through-an-SSH-Tunnel but it didn't work for me because of an RDS permission issue.
I've also tried the instructions on Amazon, http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html but it just confused me even more.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MySQL.Procedural.Importing.NonRDSRepl.html
I've posted a message on AWS forum, but no one answered. And I was hoping that someone here can help me out. I just need some plain simple example such as
step1. From local pc export MySQL with mysqldump (done)
step2. Upload local mysqldump.sql file to EC2 (I don't know how to do)
step3. import mysqldump.sql on EC2 to RDS (I don't know how to do)
step4. connect django web app to use new MySQL database that has data dump (don't know how)
I really appreciate your help.
BTW, the data is in MySQL on my local computer running maverick OS (I hope that info is helpful).
If you are using RDS you don't have SSH access so creating an SSH tunnel is not an option.
So what's missing from your question is whether you are in a VPC or not, so assuming you are not in a VPC. In essence:
On the RDS security group, open the ingress EC2 security group that your EC2 instance you are going use to access the database with is in. For example, on the RDS console this shows up as the actual EC2 security group name
(To get to Security groups click RDS->Security Groups->Create DB Security Group, you first new to create an DB Security Group to see the screenshot above or you can use the default DB Security Group):
Dump your database on the server that you are running your original MySQL database. Hopefully this is the same server that is in the EC2 security group that you are allowing as an ingress on your RDS security group above: mysqldump -uroot -p <database-name> > database-name.sql
Load the database from the EC2 instance in EC2 security group allowed by RDS security group:
mysql -uroot -h<RDS-hostname> -p < database-name.sql
The RDS hostname is something like this: database-name.xxxxxxxxxx.us-east-1.rds.amazonaws.com
You don't have to connect to the RDS database to load a dump into it. But if you want to connect to it you can just run: mysql -uroot -p -h<RDS-hostname>
In case you you are in a VPC make sure that the EC2 instance that you are running the commands from is in the same VPC and subnet as your RDS instance. You have to create a VPC Subnet group for your VPC on the RDS console, this Subnet group has to be in two different Availability Zones if you are running a multi-az RDS instance. Other than that the procedure is the same.