Access Private RDS DB From Another VPC

I'm trying to access a private RDS Instance from a different VPC using a Peering Connection. I have two VPCs:

  1. VPC-K8S (172.20.0.0/16) with one public subnet
  2. VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)

VPC-RDS has 2 security groups (not actual names):

  1. default, which accepts SSH from my IP
  2. db, which accepts TCP over port 5432 from the default security group.

I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:

ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432  -i "KeyName.pem"  [email protected]

I can access the RDS from my workstation via localhost.

I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; in VPC-RDS: 172.20.0.0/16 -> pcx-112233).

I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.

Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?

thegeebe asked Nov 08 '16 16:11



1 Answer

Stupid oversight, but I'll leave this up if it helps anyone.

My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.

I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.

thegeebe answered Oct 08 '22 04:10
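The answer's two fixes (a peering route in the private subnets' route table, and a CIDR-based ingress rule on the db security group) are exactly the two things a checker can verify before anyone reaches for 0.0.0.0/0. Below is an added example, not from the question or from AWS: a small checker over data shaped like `aws ec2 describe-route-tables` / `describe-security-groups` output, fed with constructed sample data that mirrors the question's "before" and the answer's "after". The route table and security group ids (rtb-private, sg-db, sg-default, nat-example) are placeholders I made up; the CIDRs and pcx-112233 come from the question.

```python
import ipaddress

PEER_CIDR = "172.20.0.0/16"   # VPC-K8S, from the question
PCX_ID = "pcx-112233"         # peering connection id, from the question
DB_PORT = 5432

def route_covers(route_table, dest_cidr, pcx_id):
    """True if an active route sends dest_cidr (or a wider prefix) to the peering connection."""
    want = ipaddress.ip_network(dest_cidr)
    for r in route_table["Routes"]:
        if r.get("VpcPeeringConnectionId") != pcx_id or r.get("State", "active") != "active":
            continue
        if want.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"])):
            return True
    return False

def sg_allows(sg, src_cidr, port):
    """True if an ingress rule admits TCP `port` from the whole of src_cidr. Rules that reference
    another security group (UserIdGroupPairs) are ignored on purpose: instances in the peer VPC
    are not members of the local 'default' group, so such a rule never matches them."""
    src = ipaddress.ip_network(src_cidr)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
            return True
    return False

def diagnose(db_route_table, db_sg, peer_cidr=PEER_CIDR, pcx_id=PCX_ID, port=DB_PORT):
    """List what blocks peer_cidr -> RDS:port on the RDS side; an empty list means both checks pass."""
    problems = []
    if not route_covers(db_route_table, peer_cidr, pcx_id):
        problems.append(f"{db_route_table['RouteTableId']}: no route to {peer_cidr} via {pcx_id}")
    if not sg_allows(db_sg, peer_cidr, port):
        problems.append(f"{db_sg['GroupId']}: no ingress rule for TCP {port} from {peer_cidr}")
    return problems

# Constructed sample data (placeholder ids). BEFORE = the question's setup, AFTER = the answer's fix.
PRIVATE_RT_BEFORE = {"RouteTableId": "rtb-private", "Routes": [
    {"DestinationCidrBlock": "172.17.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]}
PRIVATE_RT_AFTER = {"RouteTableId": "rtb-private", "Routes": PRIVATE_RT_BEFORE["Routes"] + [
    {"DestinationCidrBlock": "172.20.0.0/16", "VpcPeeringConnectionId": "pcx-112233", "State": "active"}]}
DB_SG_BEFORE = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]}
DB_SG_AFTER = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "172.20.0.0/16"}]}]}
```

Running `diagnose(PRIVATE_RT_BEFORE, DB_SG_BEFORE)` reports both problems, while opening the security group to 0.0.0.0/0 alone still leaves the missing-route finding, which matches what the question observed; `diagnose(PRIVATE_RT_AFTER, DB_SG_AFTER)` returns an empty list.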