I need to create a read replica in a VPC of an RDS instance outside of the VPC
The instructions (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html) read:
To create a read replica from a source MySQL DB instance:
In the Destination DB Subnet Group box, specify a DB subnet group associated with a VPC if you want the read replica to be created in that VPC. Leave the box empty if you want the read replica to be created outside of any VPC. The VPC and DB subnet group must exist in the destination region. Within a given region, all read replicas created from the same source DB instance must be either:
Unfortunately, this box doesn't show up in the GUI.
Using the CLI I get the following message:
A client error (DBSubnetGroupNotAllowedFault) occurred when calling the CreateDBInstanceReadReplica operation: DbSubnetGroupName should not be specified for read replicas that are created in the same region as the master
Is there something else I should be doing?
Can you post your CLI commands as well? It looks like you are making the CreateDBInstanceReplica request from the source region itself. You should be making the request from the target region.
For example, if you have an instance in us-east-1 and you want a new replica in us-west-2, then:
aws rds create-db-instance-read-replica \
--db-instance-identifier DBInstanceIdentifier \
--region us-west-2 \
--source-db-instance-identifier arn:aws:rds:us-east-1:123456789012:db:my-mysql-instance \
--source-region us-east-1 \
--kms-key-id my-us-east-1-key
Note that the CLI request is explicitly made for us-west-2, but the source instance is in us-east-1.
I accidentally deleted all the default subnets in AWS, and I want to recreate them. I ran the CLI command "aws ec2 create-default-subnet --availability-zone us-west-2a", but I always get the error message
"An error occurred (DefaultSubnetAlreadyExistsInAvailabilityZone) when calling the CreateDefaultSubnet operation: 'subnet-015c449cab525d947' is already the default subnet in us-west-2d."
How do I solve this problem?
Only one default subnet can exist in each availability zone. It seems you already have yours in us-west-2a. Log in to your AWS account, go to VPC > Subnets and delete what you have there; then you can re-create it with this command:
aws ec2 create-default-subnet --availability-zone us-west-2a
Check the AWS documentation for more info:
https://aws.amazon.com/premiumsupport/knowledge-center/recreate-default-vpc/
The AWS CLI command to attach a security group to a running EC2 instance is as below.
aws ec2 modify-instance-attribute --instance-id i-12345 --groups sg-12345 sg-67890
But the above command will remove the currently attached security groups and attach the new one.
I have a use case where there are 100+ servers and I have to attach a new security group to all those servers without detaching the current security groups.
How can I achieve this using the AWS CLI?
The --groups does a complete replacement based on the arguments passed & there's no way to bypass this behaviour so you'll need to implement the logic of getting the existing security groups (SGs), appending the new SG on & then passing that as an input to --groups.
Confirmed by aws ec2 modify-instance-attribute documentation:
--groups (list)
[EC2-VPC] Replaces the security groups of the instance with the specified security groups. You must specify at least one security group, even if it’s just the default security group for the VPC. You must specify the security group ID, not the security group name.
(string)
This command should store all of the security groups for an instance with ID i-12345 in $securitygroups:
securitygroups=$(aws ec2 describe-instances --instance-ids i-12345 --query "Reservations[].Instances[].SecurityGroups[].GroupId[]" --output text)
The output of echo $securitygroups will look something similar to this:
sg-074bb9206bd7edaf2 sg-07cd92995b937cbd2 sg-05414d9cef32901be
Given that your new security group ID is sg-67890, execute the below command to append the new SG ID onto the list of security groups that we want to set (the space is important & needed):
securitygroups+=" sg-67890"
The output of echo $securitygroups should now have the new SG ID appended:
sg-074bb9206bd7edaf2 sg-07cd92995b937cbd2 sg-05414d9cef32901be sg-67890
Finally, pass $securitygroups to the --groups option of aws ec2 modify-instance-attribute.
This variable will contain the existing assigned SG IDs as well as the new SG ID to be assigned, so it'll be assigning the new SG without unassigning any current SGs:
aws ec2 modify-instance-attribute --instance-id i-067a3aae02b8239e6 --groups $securitygroups
Put this in a loop for however many instances you have, problem solved.
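The loop the answer above leaves to the reader, as an added example that is not part of the original answer: it re-reads each instance's groups, skips instances that already have the new group, and refuses to call --groups when the read comes back empty, because --groups replaces the whole set. The function names are hypothetical; the IDs in the usage comment are the placeholders used on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Function names are hypothetical.

# merge_groups NEW_SG [EXISTING_SG...]
# Prints the existing groups followed by NEW_SG, space-separated, no duplicates.
merge_groups() {
    local new_sg="$1" sg out=""
    shift
    for sg in "$@" "$new_sg"; do
        case " $out " in
            *" $sg "*) ;;                      # already in the list
            *) out="${out:+$out }$sg" ;;
        esac
    done
    printf '%s\n' "$out"
}

# add_sg INSTANCE_ID NEW_SG
add_sg() {
    local instance="$1" new_sg="$2" current merged
    current=$(aws ec2 describe-instances --instance-ids "$instance" \
        --query "Reservations[].Instances[].SecurityGroups[].GroupId[]" \
        --output text) || return 1
    current=$(echo $current)                   # tabs/newlines -> single spaces
    # --groups replaces the whole set, so never proceed on an empty read.
    if [ -z "$current" ]; then
        echo "no security groups read for $instance, skipping" >&2
        return 1
    fi
    merged=$(merge_groups "$new_sg" $current)
    if [ "$merged" = "$current" ]; then
        return 0                               # nothing to change
    fi
    aws ec2 modify-instance-attribute --instance-id "$instance" --groups $merged
}

# add_sg_to_all NEW_SG INSTANCE_ID...
# Keeps going after a failure and returns non-zero if any instance failed.
add_sg_to_all() {
    local new_sg="$1" id failed=0
    shift
    for id in "$@"; do
        add_sg "$id" "$new_sg" || { echo "FAILED: $id" >&2; failed=1; }
    done
    return "$failed"
}

# Usage: add_sg_to_all sg-67890 i-12345 i-067a3aae02b8239e6
```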
I have an RDS database running in an AWS account. I'd like to copy it to another account to use as a base for a new deployment of the application. I use the CLI like so:
aws rds create-db-cluster-snapshot \
--db-cluster-snapshot-identifier snapid \
--db-cluster-identifier rdsid
This command succeeds (and if I log in to the AWS console, I can see the new snapshot). But when I try to modify its attributes using
aws rds modify-db-snapshot-attribute \
--db-snapshot-identifier snapid \
--attribute-name restore \
--values-to-add '["other_account_id"]'
Then I get the following error:
An error occurred (DBSnapshotNotFound) when calling the ModifyDBSnapshotAttribute operation: DBSnapshot not found: snapid
If I can share the snapshot, I could then create a new instance in the other account using this snapshot.
Is there a better way to share an RDS instance across accounts?
You have mixed up API calls a bit. You should use one of the matching command pairs as shown below.
Aurora DB Cluster API
create-db-cluster-snapshot - Creates a snapshot of an Aurora DB cluster.
modify-db-cluster-snapshot-attribute - Adds an attribute and values to, or removes an attribute and values from, a manual DB cluster snapshot.
RDS DB API
create-db-snapshot - Creates a database snapshot.
modify-db-snapshot-attribute - Adds an attribute and values to, or removes an attribute and values from, a manual DB snapshot.
I've created a Node.js application which connects to DynamoDB. Everything is working fine locally. Now I'm trying to set it up on AWS servers.
First I've created DynamoDB tables from AWS DynamoDB console. It is working fine.
I've created a new role from IAM management console > Roles to access DynamoDB. And attached that role to EC2 instance.
But when I fired any aws dynamodb CLI command, it gave me an error telling me to specify the region.
So I went to IAM management console > Users, and created an access key for my admin type user.
Now I log in to the EC2 CLI as ec2-user and run aws configure with the previously generated access key.
AWS Access Key ID [None]: ACCESS KEY
AWS Secret Access Key [None]: SECRET
Default region name [None]: us-east-1
Default output format [None]: json
But when I use the following command, aws dynamodb list-tables, it gives no output and no error.
As I commented, the main issue was the outbound rules for the attached security group. Here are the necessary things to do:
Set a security group outbound rule to HTTPS
Setup Credentials
Create Access Key from IAM management console > Users.
SSH to EC2 instance.
Configure the credentials to EC2 instance using aws configure command or directly modify ~/.aws/credentials file.
Attach Role
Create Role from IAM management console > Roles. Select the role which is necessary to perform operations on the AWS service, e.g. AmazonDynamoDBFullAccess.
Open VPC console and select the EC2 instance.
Attach the role from Actions menu
It is good, though optional, to create a VPC endpoint. If you face an UnauthorizedOperation error while creating the endpoint, assign the AmazonEC2FullAccess permission to the user from the IAM console. Remove it later if you don't need it.
To use the AWS service from your application, find the relevant endpoint from this list.
It sounds like you are having problems connecting to DynamoDB because of the way you have configured your VPC.
There are some options but if you would prefer to keep your VPC isolated from the internet then you could enable VPC endpoints for DynamoDB. That way you can access DynamoDB from within your VPC without those connections going over the public internet.
There is a step-by-step guide for how to do that here: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb.html
Essentially, it involves the following steps:
you have to get the VPC id for the VPC where your EC2 instance is located
create a VPC endpoint for DynamoDB, specifying the VPC id and the regional dynamodb service name:
aws ec2 create-vpc-endpoint --service-name com.amazonaws.<region>.dynamodb --vpc-id <yourvpcid>
When I click on the Amazon RDS node I don't see any DB, even though I have 2 instances up and running.
The Access Key ID I am using to connect to AWS belongs to a user that belongs to a group with these policies:
Group Policies:
AdministratorAccess
AmazonRDSFullAccess
AmazonEC2FullAccess
Change the region you are looking at to the same region your RDS instances reside in.