I'm new to AWS and RDS. I've combed through help files and other Stack Overflow questions, but can't seem to find out if I'm doing something wrong.
When I go to my RDS Instance, I see
Security Groups:default( active )
I click default, and it takes me to the SG page, where I create new groups.
However, any rules I put in those new groups don't work; only the rules I put in the default group work. In some of the documentation, I see in the screenshots that, beside the Security Groups on the instance page, it doesn't list default, but a user-created group.
So is there some way to make all the new groups active or a way to change which group has precedence on that Instance page? Or am I going to have to put all my rules in the default group?
I had the same problem trying to modify security group right from the top-level view of instances. [The Postgres RDS setup has it backwards, having me create the instance and then telling me I have to do the security group thing, saying only "see startup guide" and providing a broken link to that. :)]
Anyway, I finally figured out I had to select the running instance and then under instance actions select "Modify" and then there is a nice friendly widget for changing the security group.
Update:
You can now change an RDS security group, see user115813's answer a few pixels under my original answer.
Please feel free to validate his answer instead of mine.
The title says almost everything, but just to make it clear, I DON'T want to
(1) use the console, OR
(2) use the CLI,
I want to add a SG dynamically using nodejs. I am shocked that there is not an obvious answer to this in the AWS documentation, but, if there is, I certainly can't find it!
You do this through modifyNetworkInterfaceAttribute, which takes a Groups parameter:
Changes the security groups for the network interface. The new set of groups you specify replaces the current set. You must specify at least one group, even if it's just the default security group in the VPC. You must specify the ID of the security group, not the name.
So you have to get NetworkInterfaceId of your instance (an instance can have multiple interfaces) first. You can do that using describeInstances. Once you have the NetworkInterfaceId you modify their SGs using modifyNetworkInterfaceAttribute.
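The two calls described in the answer above, as an added example that is not part of the original answer. It assumes `ec2` is an AWS SDK for JavaScript v2 client (for example `new AWS.EC2()`); the function names and the sample IDs are made up for illustration. Because Groups replaces the current set, the existing group IDs are merged with the new one before the call.

```javascript
// Added example (not from the original answer). `ec2` is assumed to be an
// AWS SDK for JavaScript v2 client, e.g. `new AWS.EC2()`.

// Pure step: from a describeInstances response, build one
// modifyNetworkInterfaceAttribute request per interface that lacks the group.
function planGroupUpdates(describeResponse, newGroupId) {
  const requests = [];
  for (const reservation of describeResponse.Reservations || []) {
    for (const instance of reservation.Instances || []) {
      for (const eni of instance.NetworkInterfaces || []) {
        const current = (eni.Groups || []).map((g) => g.GroupId);
        if (current.includes(newGroupId)) continue; // already attached
        // Groups replaces the whole set, so send existing IDs plus the new one.
        requests.push({
          NetworkInterfaceId: eni.NetworkInterfaceId,
          Groups: [...current, newGroupId],
        });
      }
    }
  }
  return requests;
}

// Network step: look up the instance's interfaces, then apply each request.
async function addSecurityGroup(ec2, instanceId, newGroupId) {
  const described = await ec2
    .describeInstances({ InstanceIds: [instanceId] })
    .promise();
  const requests = planGroupUpdates(described, newGroupId);
  for (const params of requests) {
    await ec2.modifyNetworkInterfaceAttribute(params).promise();
  }
  return requests; // what was sent, useful for logging or audit
}

// Constructed sample response (IDs are placeholders, not real resources).
const SAMPLE_RESPONSE = {
  Reservations: [{ Instances: [{
    InstanceId: 'i-0example',
    NetworkInterfaces: [
      { NetworkInterfaceId: 'eni-0aaa', Groups: [{ GroupId: 'sg-default' }] },
      { NetworkInterfaceId: 'eni-0bbb',
        Groups: [{ GroupId: 'sg-default' }, { GroupId: 'sg-web' }] },
    ],
  }] }],
};
```

Sending only the new group ID in Groups would silently detach every group the interface already had, which is why the plan step copies the current IDs first.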
I'm creating EC2 machines in AWS using JClouds. The machines are created without any issues but they are put into a default security group created by JClouds. A typical default security group by JClouds will have the "jclouds#" prefix like here:
jclouds#euweawlt-c96-j40788-26
Since we have predefined security groups I want to use them instead.
According to the JClouds AWS guide this should be possible through a simple line of code:
template.getOptions().as(EC2TemplateOptions.class).securityGroups(group1, group2);
So I've added it to my code as well:
computeTemplate.getOptions().as(EC2TemplateOptions.class).securityGroups(securityGroup);
...where securityGroup is the name of our predefined security group.
The same documentation page states that this should be enough:
"With respect to the security group, jclouds creates a security group for you, with rules corresponding to the inboundPorts() option (defaults to open port 22), unless you use the option EC2TemplateOptions.securityGroups()."
The end result is that the EC2 machine is added to the security group specified by the above code AND the default "jcloud#..." security group as well. Hence JClouds does create a default security group after all.
I really want to get rid of that since we already have a security group, it is not removed when the machine is terminated and there have been exceptions thrown by the JClouds API due to the security group not being available after creation, whatever that means.
Any pointers are welcome.
Looking at the code, it looks like you're right and jclouds will always create that security group by default. I think there is no current workaround for that and I'd suggest you report that as an issue in the jclouds JIRA.
I think the fix should be as easy as moving the highlighted lines into the previous else clause, but let's better open the issue so it can be properly tracked.
I am following the AWS tutorial to create a Webapp here: http://docs.aws.amazon.com/gettingstarted/latest/wah-linux/getting-started-create-rds.html
I am stuck at the part 'Create a Security Group for Your DB Instance'.
The tutorial instructs you to start writing 'WebserverSG' into the IP source, and to select an option. However, even after completely typing 'WebserverSG', no such option is presented and I am unable to create the security group.
Is there a way to know the source without selecting it from the options? Alternatively, have I done something wrong for the option to not be presented?
This is my first time dealing with AWS; I don't have a concrete understanding of the purpose of security groups - so please bear this in mind!
Thanks in advance for any answers.
Are you going through the VPC area of the console or trying to edit it from within RDS? If I remember correctly you can only enter another Security Group as a source from within the VPC area.
This was fixed by: remaking the web server security group with the exact name WebServerSG, then making the database security group by starting typing the inbound IP with 'sg-...' instead of 'WebSe...'. Assigning the new security group to a similar instance has everything working.
I have an OpsWorks stack set up with layers and instances.
On one of the layers I decided I needed a new security group attached to it. I attached the group but it is not being applied to the EC2 instance.
Is there a command anywhere to perform the applying of the security group changes?
You've probably figured this out by now, but if anyone else stumbles over the same problem - you need to rebuild the EC2 instances in order for them to pick up the new security group assignment.
Changes within already assigned security groups are applied immediately, but security groups themselves get assigned to instances upon launch only.
Question: Is there a way to determine which AutoScaling Group a Launch Configuration is attached to?
Why do I need to know? I have a list of existing Launch Configurations and I want to delete one of them.
Undesirable Solutions:
I can get a list of all my AutoScaling Groups and look through each one to determine which Launch Configuration it is using.
I can just try to delete the Launch Configuration and then have the error tell me which AutoScaling Group it is attached to.
Desirable Solutions:
Query Launch Configuration and have it return which group it is attached to.
Query all AutoScaling Groups with the Launch Configuration name as a filter.
The answer as of this moment is that the solution I am looking for does not yet exist.
In light of this current lack I have proceeded to evaluate my Undesirable Solutions.
I first considered using a try/catch|except block and parsing the error when trying to delete a Launch Configuration that was attached to a group. The cost of parsing was more than I wanted to deal with so I decided to go with looping through the AutoScaling Groups and finding a match for each individual Launch Configuration.
While the solution is less than ideal, it is working quite nicely. I hope to post the code on GitHub shortly so that others can also benefit from it.
Update: 07 August 2013
Here is some code on GitHub that I have been working on. Hope it is helpful to others.