Currently I have an application which is running on a normal Ubuntu EC2 instance as well as an Elastic Beanstalk environment running a Tomcat web application. There is a server on the EC2 instance which must be accessible from the Elastic Beanstalk application at all times.
The issue here is that I cannot associate the Elastic Beanstalk application with a security group. I have tried adding an options.config file to the .ebextensions folder in the root of the web project containing the following:
option_settings:
  # one list entry: namespace, option_name and value are three keys of the same item
  - namespace: aws:autoscaling:launchconfiguration
    option_name: SecurityGroups
    value: sg-XXXXXX
But this doesn't work. The EC2 instance always has a static IP address; however, the instances accessing the EC2 server change inside AWS. I read that if two services are assigned to the same security group they will be able to communicate with each other. The issue with that approach is that I cannot change the security group of the Elastic Beanstalk application at all.
I cannot allow global access to the server either, it must be specific to the elasticbeanstalk environment only.
Due to circumstances I cannot dig into right now, we won't be able to launch the instances in a VPC for the moment, but we need the services running regardless.
I cannot find any decent documentation on how to achieve any of this. If any of you have a hunch, I'd be more than happy to receive suggestions or directions on how to solve this issue.
All instances will be in a security group. It sounds like your beanstalk instances are probably in some default security group. You can view each instance in the EC2 console and see what security group they are in. Also, just having instances in the same security group does not guarantee that they can communicate with each other. Whoever told you that is wrong.
You just need to figure out what security groups your instances are in, and then modify the rules in the security group(s) to allow the appropriate access.
Also, note that you can't change an instance's security group after it has been created. You would have to terminate the instance and create a new one in the group you want. However, like I said, you shouldn't need to change the security groups at all in order to fix this issue.
This might be a duplicate of this post, but I wanted a separate question for my specific situation, because none of the answers I found on Stack Overflow have helped me so far.
I created an Elastic Beanstalk instance a while ago, complete with RDS instance, by following along with the Setup Wizard. But when I now try to upload new code to it I get the following error:
Environment update is starting.
Environment health has transitioned from Ok to Info. Application update in progress (running for 2 seconds).
Service:AmazonCloudFormation, Message:Stack named 'awseb-e-gmz62hycax-stack' aborted operation. Current state: 'UPDATE_ROLLBACK_IN_PROGRESS' Reason: null
Updating RDS database named: xxxxxxxxxxxxxx failed Reason: DB Security Groups can no longer be associated with this DB Instance. Use VPC Security Groups instead.
In the Configuration section of the Elastic Beanstalk, under Security or Database I can't find any setting for DB Security Groups.
If I go to the RDS instance that this Elastic Beanstalk is using, under the Security group rules I see two Security Group - Inbound rules.
One with a name like:
awseb-e-abcde12345-stack-AWSEBSecurityGroup-123456ABCDE (sg-1234abcd)
And the other with a name like:
rds-awseb-e-abcde12345-stack-awsebrdsdbsecuritygroup-1234567abcdef-abcd (sg-4321dcba)
And the rest is all: CIDR/IP - Inbound.
Am I to remove/replace these Security Group - Inbound rules with VPC rules? Do I need to completely build a new Elastic Beanstalk, with other rules? And, especially, how do I do this?
Also, all the security groups associated with this elastic beanstalk and RDS appear in the Security Groups section of the VPC Dashboard: https://eu-west-1.console.aws.amazon.com/vpc/home?region=eu-west-1#securityGroups:.
I am at a loss here. It feels like this should be very straightforward, since I created this with the Setup Wizard from AWS, but I can't figure it out. Anyone with some idea, please comment or answer, thanks!
The error clearly says, DB Security Groups can no longer be associated with this DB Instance.
Earlier, RDS used a separate kind of security group called a DB security group. Now everything has moved to VPC security groups. If you are using an older AWS account you can still see the DB security groups, but they no longer work. So use VPC security groups instead.
Best practice:
Launching RDS via Elastic Beanstalk or CloudFormation is not good practice (particularly for production), because when you delete the CF template it will remove all of your resources, including the DB. Beanstalk will also do the same on the new deployment.
In trying to move a website to operate via Elastic Beanstalk (ELB), I chose the t2 series of EC2 instances, and in doing so, was forced to create a Virtual Private Cloud (VPC). This site connects to a MySQL database via RDS, and I'm not having any luck getting the ELB site to access the database.
I've tried reviewing this:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
The above link starts by saying "works great for development and testing environments, but is not ideal for a production environment", which confuses me as it doesn't say what would be better in its place - I need a database connected to the site!
It has all sorts of information and I tried several of the things it suggested regarding connecting to an existing database (not creating a new one). It mentions on step 6 of the "To modify the ingress rules on your RDS instance's security group" section to access the ingress tab, which doesn't exist for me.
I've tried editing the security group associated with the database via the RDS dashboard under "security groups", but it does not list the security groups that are associated with the VPC or the EC2 instance launched by ELB. I tried pushing the IP addresses, elastic IPs, and still can't get the site to see the database.
I'm at a loss. Can anyone explain how to connect an ELB distributed EC2 instance with an RDS database through the VPC required by t2 instances?
The statement that "This works great for development and testing environments, but is not ideal for a production environment" is just referring to having ElasticBeanstalk create the RDS instance for you. This can be done by configuring the "Database" section when creating a new EB environment.
The downside of letting EB create the RDS instance for you is that your web instance and database instance will be strongly connected, and if you ever terminate your web instance, your database will also be terminated, including all of your snapshots.
However, I think you're taking the "external" part of "external database" too literally. Your RDS instance should definitely be within the same VPC as your web instance. However, you should create it and connect your web instance to it manually. Connecting to the database involves setting five environment variables (listed below) and configuring the security group to allow connections from the web instance to the database.
The environment variables you'll need to set on your web instance are as follows:
RDS_HOSTNAME=instancename.region.rds.amazonaws.com
RDS_DB_NAME=databasename
RDS_PASSWORD=databasepassword
RDS_USERNAME=databaseuser
RDS_PORT=5432
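A preflight script for the five variables listed above, added here as an example (it is not code from the answer or from the AWS documentation it refers to). It validates the RDS_* variables and then makes a raw TCP connection to the endpoint, so that a timeout (the symptom when the RDS security group has no rule admitting the instance's security group) can be told apart from a refused connection (host reached, but nothing listens on that port). The hostnames, the engine-by-port mapping and the hint texts are assumptions made for the example.

```python
"""Preflight for an EB instance that connects to an external RDS database.
Added example; the RDS_* variable names come from the answer above,
everything else (hosts, engine mapping, hints) is an assumption."""

import os
import socket
from typing import Mapping

REQUIRED = ("RDS_HOSTNAME", "RDS_DB_NAME", "RDS_USERNAME", "RDS_PASSWORD", "RDS_PORT")
ENGINE_BY_PORT = {3306: "mysql", 5432: "postgresql"}  # assumption: engines on default ports


def load_rds_settings(env: Mapping[str, str] = os.environ) -> dict:
    """Return validated settings; raise ValueError naming every missing variable."""
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    port = int(env["RDS_PORT"])
    if not 1 <= port <= 65535:
        raise ValueError(f"RDS_PORT out of range: {port}")
    return {
        "host": env["RDS_HOSTNAME"],
        "port": port,
        "dbname": env["RDS_DB_NAME"],
        "user": env["RDS_USERNAME"],
        "password": env["RDS_PASSWORD"],
        "engine": ENGINE_BY_PORT.get(port, "unknown"),
    }


def connection_url(settings: dict) -> str:
    """URL without the password, so it is safe to log."""
    return (f"{settings['engine']}://{settings['user']}@"
            f"{settings['host']}:{settings['port']}/{settings['dbname']}")


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a raw TCP connect: 'ok', 'dns', 'timeout', 'refused' or 'unreachable'.

    Security groups drop silently, so a blocked connection shows up as a timeout,
    never as 'refused'; 'refused' means the packets arrived and were rejected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        return "dns"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # e.g. "network unreachable": no route to that subnet
        return "unreachable"


HINTS = {  # assumption: wording chosen for this example
    "ok": "TCP reachable; any remaining failure is credentials or database-level.",
    "timeout": "no answer: add an ingress rule on the RDS security group whose source is "
               "the EB instance security group (same VPC), or check NACLs/routing.",
    "refused": "host reached but port closed: wrong RDS_PORT or engine not listening.",
    "dns": "hostname does not resolve: check RDS_HOSTNAME (the endpoint, not the ARN).",
    "unreachable": "no route to host: the EB instance is probably not in the RDS VPC.",
}


def diagnose(settings: dict, timeout: float = 3.0) -> str:
    """Probe the endpoint and return '<result>: <hint>'."""
    result = tcp_probe(settings["host"], settings["port"], timeout)
    return f"{result}: {HINTS[result]}"


if __name__ == "__main__":
    try:
        cfg = load_rds_settings()
    except ValueError as err:
        raise SystemExit(f"config error: {err}")
    print(connection_url(cfg))
    print(diagnose(cfg))
```

Run it on the EB instance itself (for example from an .ebextensions container command or over SSH), not from your workstation: the verdict only means something from the source address the security group rule is supposed to admit.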
I have an RDS database running (postgres) that I'm now trying to connect to an Elastic Beanstalk application. The connection times out.
I am guessing this has something to do with the VPC and security groups, but AWS continues to confuse me here and I'm kind of new to this. I'm trying follow this guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
When I try to add the rds_launch_wizard security group to the EB instance, it tells me that the security group is not found. rds_launch_wizard is in a VPC, whereas the EB application is not.
I have tried going into the EB configuration, choosing Instance and trying to add a security group:
By name, this pops up an error saying that "I cannot add groups by name".
By group ID, this tells me group sg-xxxxx not found.
Similarly, I can't add the EB security group to RDS, as this is also not found
How do I get the two talking to each other?
You have two options:
Move the EB environment into the VPC
Enable ClassicLink so that your EC2 Classic instances inside your EB environment can talk to the VPC.
ClassicLink is the obvious quick fix, but I think you will eventually want to move everything into a VPC. The VPC is more secure and there are quite a few features and services now on AWS that require a VPC.
Few questions:
Are us-east-1a, us-east-1b, and us-east-1d considered one or three availability zones?
Say I have two instances within us-east-1a, one has a mongodb server, the other has a nodejs app. Do I need to add permissions for port 27017 (mongodb) to the security group for the app server to connect to the mongo server?
Same question as above, but say one server is in us-east-1a and the other is in us-east-1b. Do I need to modify the security group?
Would the VPC or Subnet ID have any effects on communication between instances?
Edit: moved to Server Fault.
1) Three.
2) Yes.
3) Yes.
4) If you are using a VPC and trying to communicate outside of the VPC, you'll need to add a NAT box in that VPC. Then you'll obviously have to make security group changes. If you are trying to communicate inside of the VPC, it's easier since you won't need to create a NAT box, but you will still need to make security group changes. No matter what, you have to make security group changes if you want to communicate over anything other than SSH.
Side Note: You can use the instanceID in the security groups instead of IP addresses. This can be handy for a variety of reasons.
So for reasons I'd rather not go into, my DB is on an EC2 instance in eu-west-1 and I have created a Beanstalk app in us-east-1. I'd like my app to talk to that EC2 instance on the MySQL port (3306).
Can anyone assist with how I'd set this up, and what ingress rules I need to set up on the EC2 security group? Given that I will have multiple versions of the app in Beanstalk, the IP address may change regularly (after environment rebuilds etc.).
The important concept regarding security group rules that you might be missing is that you do not necessarily specify IP addresses alone as traffic sources; you will regularly refer to other security groups as well:
The source can be an individual IP address (203.0.113.1), a range of addresses (e.g., 203.0.113.0/24), or an EC2 security group. The security group can be another group in your AWS account, a group in another AWS account, or the security group itself.
By specifying a security group as the source, you allow incoming traffic from all instances that belong to the source security group. [...] You might specify another security group in your account if you're creating a three-tier web service (see Creating a Three-Tier Web Service).
[emphasis mine]
Consequently you'll simply need to add the Beanstalk app instances security group as a traffic source for TCP port 3306 within the MySQL instance security group.
Taking this further
An additional concept to make yourself familiar with is that you can have multiple security groups assigned to an instance, thus enabling (possibly dynamic) composition of the resulting firewall.
For example, a recommended practice for larger architectures is to specify a dedicated security group per 'role' your instances have (rather than accumulating several rules within one security group, as is usual), e.g. we have security groups like 'role-ssh' (TCP port 22) and 'role-mysql' (TCP port 3306), which are assigned to EC2 instances as needed. You can read more about this concept in e.g. Security Groups - Most Underappreciated Feature of Amazon EC2.
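The model below is an added example, not code from any of the posts above. It evaluates security group ingress the way the answers describe it, and serves both the first answer on this page (being in the same group grants nothing on its own) and this last one (a rule whose source is another security group admits every instance carrying that group, whatever its current IP, and groups compose per role). Group ids, private IPs, instance names and the office CIDR are constructed. Modelling assumptions: only the destination's ingress rules are checked (security groups are stateful, so the reply path needs no rule), rules are purely additive, and a group reference matches the source instance's private IP.

```python
"""Toy evaluation of EC2 security group ingress. Added example; all ids,
addresses and names below are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols and ports)
    from_port: int
    to_port: int
    source: str     # CIDR ("203.0.113.0/24") or a security group id


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    groups: tuple   # security group ids attached to the instance


def ingress_allowed(src: Instance, dst: Instance, groups: dict, port: int,
                    protocol: str = "tcp") -> bool:
    """True if any rule of any group attached to dst admits src on port/protocol.

    There are no deny rules: an instance with several groups gets the union of
    their rules, which is what makes the per-role composition work.
    """
    src_ip = ip_address(src.private_ip)
    for gid in dst.groups:
        for rule in groups[gid]:
            if rule.protocol not in (protocol, "-1"):
                continue
            if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
                continue
            if rule.source in groups:            # group reference: match by membership
                if rule.source in src.groups:
                    return True
            elif src_ip in ip_network(rule.source, strict=False):   # CIDR: match by address
                return True
    return False


# Constructed topology: a MySQL host, Beanstalk app instances whose private IPs
# change on every rebuild, and a stray instance that later reuses an old IP.
APP_SG, DB_SG = "sg-0a1b2c3d", "sg-0d4e5f60"
DB = Instance("mysql-server", "10.0.1.10", (DB_SG,))
APP_V1 = Instance("app-v1", "10.0.2.15", (APP_SG,))
APP_V2 = Instance("app-v2", "10.0.2.201", (APP_SG,))    # rebuilt environment, new IP
SQUATTER = Instance("other", "10.0.2.15", ())            # got v1's old IP, not in APP_SG


def same_group_without_rule() -> bool:
    """Two instances in one group with no rules: nothing is admitted."""
    groups = {DB_SG: []}
    a, b = Instance("a", "10.0.3.1", (DB_SG,)), Instance("b", "10.0.3.2", (DB_SG,))
    return ingress_allowed(a, b, groups, 3306)


def self_referencing_group() -> bool:
    """'Same group can talk' is only true with an explicit self-referencing rule."""
    groups = {DB_SG: [Rule("tcp", 3306, 3306, DB_SG)]}
    a, b = Instance("a", "10.0.3.1", (DB_SG,)), Instance("b", "10.0.3.2", (DB_SG,))
    return ingress_allowed(a, b, groups, 3306)


def group_as_source() -> tuple:
    """DB group admits 3306 from APP_SG: (original app, rebuilt app, IP squatter)."""
    groups = {DB_SG: [Rule("tcp", 3306, 3306, APP_SG)], APP_SG: []}
    return tuple(ingress_allowed(i, DB, groups, 3306) for i in (APP_V1, APP_V2, SQUATTER))


def cidr_as_source() -> tuple:
    """Same trio against a /32 rule: the rebuilt app is locked out, the squatter gets in."""
    groups = {DB_SG: [Rule("tcp", 3306, 3306, "10.0.2.15/32")], APP_SG: []}
    return tuple(ingress_allowed(i, DB, groups, 3306) for i in (APP_V1, APP_V2, SQUATTER))


def role_groups() -> tuple:
    """Per-role groups composed on one host: each admits only its own port and source."""
    groups = {
        "sg-role-mysql": [Rule("tcp", 3306, 3306, APP_SG)],
        "sg-role-ssh": [Rule("tcp", 22, 22, "203.0.113.0/24")],   # constructed office range
        APP_SG: [],
    }
    db = Instance("mysql-server", "10.0.1.10", ("sg-role-mysql", "sg-role-ssh"))
    admin = Instance("admin", "203.0.113.7", ())
    return (ingress_allowed(APP_V1, db, groups, 3306),   # app may reach MySQL
            ingress_allowed(APP_V1, db, groups, 22),     # but not SSH
            ingress_allowed(admin, db, groups, 22),      # office may SSH
            ingress_allowed(admin, db, groups, 3306))    # but not reach MySQL


if __name__ == "__main__":
    for fn in (same_group_without_rule, self_referencing_group,
               group_as_source, cidr_as_source, role_groups):
        print(f"{fn.__name__}: {fn()}")
```

Two caveats the model does not encode: a group reference is matched against the source's private address, so traffic that leaves via a public IP (for example to an Elastic IP of a host in another VPC without peering) is not matched by it; and a rule can only reference a group in the same region, so for the cross-region layout in the question above a group reference cannot be used at all and the only options are a CIDR rule for a fixed egress address (NAT or Elastic IP) or moving the app and database into one region.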