Amazon Web Service RDS-EC2 interaction - amazon-web-services

I am pretty new to AWS.
I have an EC2 instance running a Java web app on Tomcat, and I need to connect it to an Oracle RDS instance. The instances are in the same region.
What is the performance of the communication between the two instances? Is it the same as I would see if both instances were running on my home LAN?
What about the security of the RDS instance? If I open port 1521 in the security group (to allow access from the EC2 instance), will the DB instance be exposed to the public network?
Do you think that a VPC would be better for such a situation?
Thank you

I have not made any specific measurements, but the connection speed between RDS and EC2 should be very good. Just make sure that the machines are set up in the same availability zone.
Regarding security, you can also specify that access to your RDS machine should be open to specific EC2 security groups, so normally the port won't be open publicly.

P1) Make sure EC2 and RDS are in the same AZ
P2) Make sure you use bigger instance types for network bandwidth between them
P3) Add PIOPS to RDS if your app demands performance

Related

replicating amazon workplaces using ec2 in terms of security

Given that Amazon WorkSpaces is built on top of EC2, Amazon WorkSpaces is less flexible and more expensive than EC2. How do they compare in terms of internet security? If Amazon WorkSpaces is more secure, is there a way to DIY-enhance an EC2 instance so that the security level gets close to Amazon WorkSpaces? Many thanks.
They both run Windows server, so the OS security is the same.
In WorkSpaces, there are two network connections -- one for the user to connect via the WorkSpaces client, and one connected to a VPC. Therefore, both EC2 and WorkSpaces can use Security Groups, NACLs and VPCs to manage security.
So, no real difference in terms of security unless you require connections to only come from a particular network/VPN connection.

moving from publicly accessible rds database to using bastion ec2 instance to connect to it

If one has a publicly accessible RDS database on AWS, and wants to instead use a bastion EC2 instance to access it and perform database functions (anyone on the internet should be able to use the app and perform database functions in accordance with the features provided by the app), how should one go about performing this shift? I have tried searching the internet, but often I get loads of information with terminology that isn't entirely easy to digest. Any assistance would be greatly appreciated.
Again, I want the general public to be able to use and access the app's provided db functions, but not have them be able to access the database directly.
A typical 3-tier architecture is:
A Load Balancer across public subnets, which sends traffic to...
Multiple Amazon EC2 instances in private subnets, preferably provisioned through Amazon EC2 Auto Scaling, which can scale based on demand and can also replace failed instances, which are all talking to...
A Database in a private subnet, preferably in Multi-AZ mode, which means that a failure in the database or in an Availability Zone will not lose any data
However, your application may not require this much infrastructure. For low-usage applications, you could just use:
An Amazon EC2 instance as your application server running in a public subnet
An Amazon RDS database in a private subnet, with a security group configured to permit access from the Amazon EC2 instance
Users would connect to your application server. The application server would connect to the database. Users would have no direct access to the database.
However, YOU might require access to the database for administration and testing purposes. Since the database is in a private subnet, it is not reachable from the Internet. To provide you with access, you could launch another Amazon EC2 instance in a public subnet, with a security group configured to permit you to access the instance. This instance "sticks out" on the Internet, and is thus called a Bastion server (named after the part of a castle wall that sticks out to allow archers to fire on invaders climbing the castle wall).
You can use port forwarding to connect to the Bastion server and then through to the database. For example:
ssh -i key.pem ec2-user@BASTION-IP -L 3306:DATABASE-DNS-NAME:3306
This configures the SSH connection to forward localhost:3306 to port 3306 on the named database server. This allows your local machine to talk to the database via the Bastion server.
You will need to create private subnets for this and update the DB subnet group accordingly with private subnets only. Moreover, in the DB security group, add the bastion and app instances' security groups as the source for the DB port.
For example, if you're using the MySQL engine, allow 3306 for the target instances' security group IDs.

How to develop a AWS Web App that uses AWS RDS locally?

Before moving to Amazon Web Services, I was using Google Cloud Platform to develop my application, Cloud SQL to be specific, and GCP has something called Cloud SQL Proxy that allows me to connect to my Cloud SQL instance from my computer, instead of having to deploy my code to the server and then test it. How can I do the same thing using AWS?
I have a python environment on Elastic Beanstalk, that uses Amazon RDS.
AWS is deny by default, so you cannot access an RDS instance outside of the VPC that your application is running in. With that being said... you can connect to the RDS instance via a VPN that can be stood up in EC2 and that has rules open to the RDS instance. This would allow you to connect to the VPN from whatever developer machine and then access the RDS instance as if your dev box were in the VPC. This is my preferred method because it is more secure. Only those with access to the VPN have access to the RDS instance. This has worked well for me in a production sense.
The VPN provider that I use is https://aws.amazon.com/marketplace/pp/OpenVPN-Inc-OpenVPN-Access-Server/B00MI40CAE
Alternatively you could open up a hole in your VPC to the RDS instance and make it publicly available. I don't recommend this however because it will leave your RDS instance open to attack as it is publicly exposed.
You can expose your AWS RDS to the internet with the proper VPC settings; I did it before.
But it has some risks.
So usually you can use one of these ways to work around it:
Create a local database server and restore a snapshot from your AWS RDS
or use a VPN to connect to the private subnet which holds your RDS
A couple people have suggested putting your RDS instance in a public subnet, and allowing access from the internet.
This is generally considered to be a bad idea, and should be the last resort.
So you have a couple of options for getting access to RDS in a private subnet.
The first option is to set up networking between your local network and your AWS VPC. You can do this with Direct Connect, or with a point-to-point VPN. But based on your question, this isn't something you feel comfortable with.
The second option is to set up a bastion server in the public subnet, and use SSH port forwarding to get local access to the RDS over the SSH tunnel.
You don't say if you are on Linux or Windows, but this can be accomplished on either OS.
What I did to solve it was:
Go to the Elastic Beanstalk console
Choose your application
Go to Configuration
Click on the endpoint of your database under Databases
Click on the identifier of your DB instance
Under Security group rules, click on the security group
Click on the Inbound tab
Click Edit
Change Type to All Traffic and Source to Anywhere
Save
This way you can expose the RDS connected to your Elastic Beanstalk application to the internet, which is not recommended as people suggested, but it is what I was looking for.
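The two settings the answers above keep returning to (the DB security group admitting only the app and bastion security groups on the database port, and the instance not being public or in a public subnet) are easy to check offline once you have the describe output. The audit below is an added example, not code from any of the posts; the dictionaries mimic the shape of `aws ec2 describe-security-groups` and `aws rds describe-db-instances` output, and every ID and sample rule in it is constructed. The "bad" security group is the "All Traffic from Anywhere" rule produced by the console steps in the last answer.

```python
"""Offline audit of the access path to an RDS instance: the DB security group
should admit only the application and bastion security groups on the database
port, and the instance should be neither PubliclyAccessible nor placed in a
public subnet. Added example; input dicts mimic describe-* output and all
IDs/sample data are constructed."""

DB_PORT = 3306  # MySQL; use 1521 for Oracle, 5432 for PostgreSQL
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed IDs (not real resources)
APP_SG = "sg-0a1b2c3d4e5f60001"
BASTION_SG = "sg-0a1b2c3d4e5f60002"
PRIVATE_SUBNETS = {"subnet-0priv00000000001", "subnet-0priv00000000002"}


def audit_db_security_group(sg, db_port, allowed_source_sgs):
    """Return a list of findings for one security group; [] means clean."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":  # "All Traffic" in the console
            covers_db_port = True
        elif proto == "tcp":
            covers_db_port = perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535)
        else:
            covers_db_port = False
        if not covers_db_port:
            continue  # e.g. an SSH rule on a bastion SG is not our concern here
        if proto == "-1":
            findings.append(f"HIGH: rule allows all protocols and ports; restrict it to tcp/{db_port}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in (ANY_IPV4, ANY_IPV6):
                findings.append(f"HIGH: tcp/{db_port} reachable from the whole internet ({cidr})")
            else:
                findings.append(f"INFO: tcp/{db_port} reachable from CIDR {cidr}; a security-group source is preferable")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src not in allowed_source_sgs:
                findings.append(f"HIGH: tcp/{db_port} admits unexpected security group {src}")
    return findings


def audit_db_instance(db, private_subnet_ids):
    """Findings about the DB instance itself: public flag and subnet placement."""
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append("HIGH: PubliclyAccessible is true; the endpoint resolves to a public IP")
    subnets = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]]
    not_private = [s for s in subnets if s not in private_subnet_ids]
    if not_private:
        findings.append("HIGH: DB subnet group contains non-private subnets: " + ", ".join(not_private))
    return findings


# Constructed sample: the recommended setup (port open only to the app and bastion SGs)
GOOD_DB_SG = {
    "GroupId": "sg-0a1b2c3d4e5f60003",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
        "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": APP_SG}, {"GroupId": BASTION_SG}],
    }],
}
# Constructed sample: the "All Traffic from Anywhere" rule from the console steps
BAD_DB_SG = {
    "GroupId": "sg-0a1b2c3d4e5f60004",
    "IpPermissions": [{
        "IpProtocol": "-1",
        "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}],
        "UserIdGroupPairs": [],
    }],
}
GOOD_DB = {"PubliclyAccessible": False,
           "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": s} for s in sorted(PRIVATE_SUBNETS)]}}
BAD_DB = {"PubliclyAccessible": True,
          "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-0priv00000000001"},
                                        {"SubnetIdentifier": "subnet-0pub000000000001"}]}}

if __name__ == "__main__":
    for name, sg in (("good", GOOD_DB_SG), ("bad", BAD_DB_SG)):
        print(name, audit_db_security_group(sg, DB_PORT, {APP_SG, BASTION_SG}))
    for name, db in (("good", GOOD_DB), ("bad", BAD_DB)):
        print(name, audit_db_instance(db, PRIVATE_SUBNETS))
```

Feed it the real JSON from the two describe calls and the set of subnet IDs you know to be private, and anything rated HIGH is a rule or flag to revert; the INFO case (a fixed CIDR rather than a security-group source) is the only one that may be acceptable, for example for an office VPN egress address.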

Can AWS RDS services run on hardware hosts dedicated to a single customer?

AWS offers the option to run VMs on hardware hosts that are dedicated to a single customer (for compliance purposes, added security, etc).
This is available when using their Amazon EC2 Dedicated Instances
My question is: Do they offer similar hardware-level single-tenancy in their managed DB services ? (AWS RDS. For example using Oracle, or MySQL)
I looked for that option but cannot find it anywhere.
To run RDS on dedicated hardware, you need to create a dedicated VPC and then launch the RDS instance into that VPC. You also need to choose a DB instance class that is an approved EC2 dedicated instance type e.g. db.m3.medium.
For more, see Working with a DB Instance in a VPC.

Can't ping AWS RDS instance after allowing ICMP

I'm trying to ping my newly set up AWS RDS instance, but I am unable to do so (four "Request timed out" errors).
I added a rule in my EC2 security group for the instance, allowing all ICMP but it still does not work.
I am new to this, so apologies if I'm missing something obvious. Thanks!
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easy to set up, operate, and scale a relational database in the cloud.
With that said, it is not a host that you can ping. In fact, many instances of the database product could reside on one virtual machine; the infrastructure behind this is hidden from the user.
The EC2 security group should work for the EC2 server; are you pinging the EC2 instance correctly? The security rule should be set up as in the picture here
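Since an RDS endpoint does not answer ICMP, the useful probe is a TCP connect to the listener port, and the way it fails tells you what to check next: a silent timeout is what a security group, NACL or missing route looks like (AWS drops rather than rejects), while "connection refused" means the host answered but nothing listens on that port. The same probe verifies the SSH tunnel from the bastion answer above (connect to 127.0.0.1:3306 after the `ssh -L` command). This is an added example, not code from either thread; the hostnames and ports in the comments are placeholders, and the local listener exists only so the check can be exercised offline.

```python
"""Probe a database endpoint with a TCP connect instead of ICMP ping.
Added example; the loopback listener is a test aid standing in for a database,
and hostnames/ports in the comments are placeholders."""
import socket


def tcp_reachable(host, port, timeout=3.0):
    """Return (True, None) if host:port completes a TCP handshake, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except socket.timeout:            # SYN dropped: SG / NACL / route / not public
        return False, "timed out"
    except ConnectionRefusedError:    # host answered with RST: wrong port or engine down
        return False, "refused"
    except socket.gaierror as exc:    # endpoint name did not resolve
        return False, f"dns: {exc}"
    except OSError as exc:
        return False, f"error: {exc}"


def diagnose(host, port, timeout=3.0):
    """Map a probe result onto the things worth checking next."""
    ok, reason = tcp_reachable(host, port, timeout)
    if ok:
        return "reachable: the port answers; any remaining failure is authentication or TLS"
    if reason == "timed out":
        return (f"blocked: no answer on tcp/{port}; check that the DB security group admits your "
                "source (your SG or IP), the subnet route table/NACL, and PubliclyAccessible "
                "if you are coming from outside the VPC")
    if reason == "refused":
        return f"refused: host reachable but nothing listens on tcp/{port}; check the port and engine"
    return f"failed: {reason}"


def start_local_listener():
    """Throwaway TCP listener on 127.0.0.1 (test aid). Nothing accepts the
    connections; the kernel completes the handshake into the backlog, which is
    all a reachability probe needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("open port:  ", diagnose("127.0.0.1", port))
    srv.close()
    print("closed port:", diagnose("127.0.0.1", port))
    # Against a real deployment, after `ssh ... -L 3306:DATABASE-DNS-NAME:3306`:
    #   print(diagnose("127.0.0.1", 3306))
    # or from an instance inside the VPC (placeholder hostname):
    #   print(diagnose("mydb.abc123.us-east-1.rds.amazonaws.com", 3306))
```

Run the probe from the EC2 instance first, then from your workstation: reachable from the instance but timing out from outside is the expected result for a database in a private subnet, and means the remaining work is the bastion or VPN path rather than the database itself.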