Accessing RDS from within a Docker container not getting through security group?

I'm attempting to run a web server that uses an RDS database with EC2 inside a Docker container.

I've set up the security groups so the EC2 host's role is allowed to access the RDS, and if I try to access it from the host machine directly everything works correctly.

However, when I run a simple container on the host and attempt to access the RDS, it gets blocked as if the security group weren't letting it through. After a bunch of trial and error it seemed that indeed the containers' requests aren't appearing to come from the EC2 host, so the firewall says no.

I was able to work around this in the short run by setting --net=host on the Docker container; however, this breaks a lot of great Docker networking functionality like being able to map ports (i.e., now I need to make sure each instance of the container listens on a different port by hand).

Has anyone found a way around this? It seems like a pretty big limitation to running containers in AWS if you're actually using any AWS resources.

Alex Schokking, asked Oct 01 '15 17:10


1 Answer

Yes, containers do hit the public IPs of RDS. But you do not need to tune low-level Docker options to allow your containers to talk to RDS. The ECS cluster and the RDS instance have to be in the same VPC and then access can be configured through security groups. The easiest way to do this is to:

  1. Navigate to the RDS instances page
  2. Select the DB instance and drill in to see details
  3. Click on the security group id
  4. Navigate over to the Inbound tab and choose Edit
  5. And ensure there is a rule of type MySQL/Aurora with source Custom
  6. When entering the custom source, just start typing in the name of the ECS cluster and the security group name will be auto-completed for you

This tutorial has screenshots that illustrate where to go.

Full disclosure: This tutorial features containers from Bitnami and I work for Bitnami. However the thoughts expressed here are my own and not the opinion of Bitnami.

Neal, answered Oct 13 '22 00:10
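The security-group setup the answer walks through in the console, written as Terraform. This is an added example, not code from the answer or from the linked tutorial; the resource names, instance sizing and the `vpc_id` variable are assumptions, and it targets the AWS provider 5.x (for `manage_master_user_password`).

```hcl
# Added example: Terraform equivalent of the console steps in the answer.
# Assumed: var.vpc_id exists; resource names and sizes are made up.
variable "vpc_id" { type = string }

# Security group attached to the EC2 / ECS hosts that run the containers.
resource "aws_security_group" "app_hosts" {
  name   = "app-hosts"
  vpc_id = var.vpc_id
  egress { # Terraform drops AWS's default allow-all egress; hosts need a way out
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group attached to the RDS instance.
resource "aws_security_group" "rds" {
  name   = "rds-mysql"
  vpc_id = var.vpc_id
}

# Steps 5-6 of the answer: MySQL/Aurora (3306) inbound with a security group,
# not an IP/CIDR, as the source. Containers in Docker's default bridge mode are
# SNATed to the instance's ENI address, so they match this rule without --net=host.
resource "aws_security_group_rule" "rds_from_app_hosts" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rds.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_hosts.id
  description              = "MySQL from container hosts only"
}

# RDS instance with that group attached (subnet group, backups etc. omitted).
resource "aws_db_instance" "mysql" {
  identifier                  = "app-mysql"
  engine                      = "mysql"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true  # password generated and kept in Secrets Manager
  publicly_accessible         = false # no internet path; the SG rule above is the only way in
  vpc_security_group_ids      = [aws_security_group.rds.id]
  skip_final_snapshot         = true
}
```

Because the rule references the hosts' security group rather than an address, it keeps working when instances are replaced or the cluster scales, and it never needs to know which container or port originated the connection.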