I'm trying to access a private RDS instance from a different VPC using a peering connection. I have two VPCs:

VPC-K8S (172.20.0.0/16) with one public subnet
VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)

VPC-RDS has 2 security groups (not actual names):

default, which accepts SSH from my IP
db, which accepts TCP over port 5432 from the default security group

I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:
ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432 -i "KeyName.pem" [email protected]
I can access the RDS from my workstation via localhost.
I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; in VPC-RDS: 172.20.0.0/16 -> pcx-112233).
I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.
Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?
To create a peering connection, go to the “Peering connections” section of your VPC dashboard. If you are in the AWS Directory Service account, enter the directory VPC as the requester VPC, then enter the account ID and VPC ID of your Amazon RDS account as the accepter VPC.
Your VPC is your private network. It is definitely best practice to have both the web servers and the database servers inside the same private network.
Stupid oversight, but I'll leave this up if it helps anyone.
My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch-all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.
I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.
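The following is an added worked example, not code from the question or the answer above. It models the two VPCs as described (CIDRs, the per-subnet route tables, the db security group) and walks the same reachability check a reviewer would do by hand: forward route from the source subnet's table, return route from the destination subnet's table, then the security group. The route-table and gateway IDs other than pcx-112233, the host addresses, and the security-group rule shape are constructed for the example. It shows why opening the db group to 0.0.0.0/0 could not help (the private subnets' table still had no return route), and why the bastion-plus-tunnel path in the public subnet worked all along.

```python
import copy
import ipaddress

# Constructed state modelled on the question. Only pcx-112233 and the CIDRs
# come from the post; rtb-/igw-/nat- IDs and host addresses are invented.
ROUTE_TABLES = {
    "rtb-public-rds": {
        "subnets": ["172.17.0.0/24"],
        "routes": [
            {"dst": "172.17.0.0/16", "target": "local"},
            {"dst": "172.20.0.0/16", "target": "pcx-112233"},
            {"dst": "0.0.0.0/0", "target": "igw-aaaa1111"},
        ],
    },
    "rtb-private-rds": {
        "subnets": ["172.17.1.0/24", "172.17.2.0/24", "172.17.3.0/24"],
        "routes": [
            {"dst": "172.17.0.0/16", "target": "local"},
            {"dst": "0.0.0.0/0", "target": "nat-bbbb2222"},  # no peering route yet
        ],
    },
    "rtb-k8s": {
        "subnets": ["172.20.0.0/24"],
        "routes": [
            {"dst": "172.20.0.0/16", "target": "local"},
            {"dst": "172.17.0.0/16", "target": "pcx-112233"},
            {"dst": "0.0.0.0/0", "target": "igw-cccc3333"},
        ],
    },
}

# db security group inbound rules: before the fix (SG reference only) and after.
DB_SG_BEFORE = [{"proto": "tcp", "from": 5432, "to": 5432, "src": "sg-default"}]
DB_SG_AFTER = [{"proto": "tcp", "from": 5432, "to": 5432, "src": "172.20.0.0/16"}]


def fixed_route_tables():
    """The answer's fix: add the peering route to the private subnets' table."""
    fixed = copy.deepcopy(ROUTE_TABLES)
    fixed["rtb-private-rds"]["routes"].append(
        {"dst": "172.20.0.0/16", "target": "pcx-112233"})
    return fixed


def route_table_for(route_tables, ip):
    """Return the id of the route table attached to the subnet containing ip."""
    for rtb_id, rtb in route_tables.items():
        if any(ip in ipaddress.ip_network(c) for c in rtb["subnets"]):
            return rtb_id
    return None


def next_hop(route_tables, rtb_id, dst_ip):
    """Longest-prefix match over the table's routes, as the VPC router does."""
    best = None
    for r in route_tables[rtb_id]["routes"]:
        net = ipaddress.ip_network(r["dst"])
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["target"])
    return best[1] if best else None


def sg_allows(rules, src_ip, port, src_groups=()):
    """True if an inbound rule admits tcp/port from src_ip.

    A rule whose source is a security-group id only matches instances that are
    members of that group; a node in the peer VPC is not, so it never matches.
    """
    for r in rules:
        if r["proto"] != "tcp" or not (r["from"] <= port <= r["to"]):
            continue
        if r["src"].startswith("sg-"):
            if r["src"] in src_groups:
                return True
            continue
        if src_ip in ipaddress.ip_network(r["src"]):
            return True
    return False


def diagnose(route_tables, db_sg_rules, src, dst, port=5432, src_groups=()):
    """List the reasons a TCP connection from src to dst:port would fail."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ok = lambda hop: hop == "local" or (hop or "").startswith("pcx-")
    findings = []
    src_rtb, dst_rtb = route_table_for(route_tables, src_ip), route_table_for(route_tables, dst_ip)
    fwd = next_hop(route_tables, src_rtb, dst_ip)
    if not ok(fwd):
        findings.append(f"forward: {src_rtb} sends {dst} to {fwd}, not the peering connection")
    ret = next_hop(route_tables, dst_rtb, src_ip)
    if not ok(ret):
        findings.append(f"return: {dst_rtb} sends replies for {src} to {ret}, not the peering connection")
    if not sg_allows(db_sg_rules, src_ip, port, src_groups):
        findings.append(f"security group: no rule admits tcp/{port} from {src}")
    return findings


if __name__ == "__main__":
    k8s_node, rds_host, bastion = "172.20.0.10", "172.17.2.15", "172.17.0.5"
    print("k8s node, before fix:", diagnose(ROUTE_TABLES, DB_SG_BEFORE, k8s_node, rds_host))
    print("k8s node, SG opened to 0.0.0.0/0:", diagnose(
        ROUTE_TABLES, [{"proto": "tcp", "from": 5432, "to": 5432, "src": "0.0.0.0/0"}], k8s_node, rds_host))
    print("bastion via tunnel:", diagnose(ROUTE_TABLES, DB_SG_BEFORE, bastion, rds_host, src_groups={"sg-default"}))
    print("k8s node, after fix:", diagnose(fixed_route_tables(), DB_SG_AFTER, k8s_node, rds_host))
```

The point the model makes explicit is that a route table is attached per subnet, so adding the peering route to the public subnet's table says nothing about the private subnets where the DB subnet group lives; the forward packet arrives, but the reply follows the private table's 0.0.0.0/0 route to the NAT gateway and never comes back over the peering connection. Against real infrastructure the same check is done with describe-route-tables and describe-security-groups output in place of the constructed dictionaries.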