
AWS Security Groups - EC2 to RDS

I wanted to ask about connecting EC2 to RDS in AWS.

I have added my EC2 Security Group (that contains the EC2 instances) into the Default RDS Group and data is flowing - the connection works.

The EC2 Security group has Port 80 to 0.0.0.0/0 and SSH to my IP enabled.

I'm a touch concerned that by adding this EC2 group to the RDS Database it will allow Port 80 traffic from anywhere to access the Databases. Is this correct or wrong?

Do the rules in the EC2 apply to the RDS instances if you connect them like this?

I did read on the AWS websites that 'Database Security Groups only allow access to the database server port'. Can anyone confirm this is correct?

Thank you.

Adam asked Oct 01 '12 11:10




2 Answers

You do not need to worry about additional ports being opened up on RDS server.

The EC2 security groups are just treated like an access control list when used in RDS DB security policies.

Basically what you are saying is that you want to let any instances which belong to a specific EC2 security group have access to the RDS instances using that DB security group's policy.

The specific rules defined in the EC2 security groups do not matter.

This behavior basically just gives you a convenient way to easily allow access from a cluster of servers with some common association (their security group).

Mike Brant answered Oct 18 '22 14:10


Interested to know more on this as well. In practice I have never noticed "other traffic" getting to the RDS instance. Always assumed it was just the DB port that was allowed through to the RDS instance. Seems a little odd to allow other traffic through, in my opinion.

Overall, I think it is just the originating security group that is allowed through - it doesn't inherit the rules from the security group you allow.

I think it is the same as adding ingress from another security group, in that it allows traffic originating from that security group through, but not traffic that just happens to match one of the rules in the security group. (It's different from assigning a security group to an instance on boot, in that case all traffic that matches the rules will be allowed, not traffic originating from said security group assigned on bootup.)

Example:

  • SGs:
    • WEB: Allows Port 80
    • DB: Allows DB PORT
    • HQ_ACCESS: Allows Port 22 & 80
    • SOME_OTHER_GROUP: Allows Port 443
  • Instances
    • InstanceA has security groups: WEB, DB, HQ_ACCESS
    • InstanceB has security groups: SOME_OTHER_GROUP
  • RDS
    • RDS instance allows any traffic from DB SG which would allow RDS to communicate with InstanceA but not InstanceB and would not allow any other traffic. If for some reason you added security group WEB or HQ_ACCESS to the RDS instance it would not allow port 80 or 22 traffic to get through but would allow InstanceA itself to communicate with it over the proper DB port.

Note: Security groups are easy to get confused with, so I hope this helps.

Matt R. answered Oct 18 '22 12:10
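To make the "membership, not rules" behaviour from both answers concrete, here is a constructed Python model of how an RDS security group evaluates ingress (an added example, not AWS's implementation and not code from either answer). The group names and instance memberships follow Matt R.'s example; the DB port, the instance and client addresses, and the exact WEB rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of security-group ingress evaluation (added example, not AWS code).
# A rule's source is "cidr:<network>" or "sg:<group name>". For a group source only
# the sender's membership in that group is checked; the referenced group's own rules
# are never consulted, so WEB's port-80-from-anywhere rule opens nothing on RDS.

@dataclass
class Rule:
    port: int     # destination port the rule opens
    source: str   # "cidr:0.0.0.0/0" or "sg:WEB"

@dataclass
class SecurityGroup:
    name: str
    ingress: list

def is_allowed(dest_sgs, src_ip, src_sgs, port):
    """src_sgs: names of the groups attached to the sender (empty for an external client)."""
    for sg in dest_sgs:
        for rule in sg.ingress:
            if rule.port != port:
                continue
            kind, _, value = rule.source.partition(":")
            if kind == "cidr" and ipaddress.ip_address(src_ip) in ipaddress.ip_network(value):
                return True
            if kind == "sg" and value in src_sgs:
                return True
    return False

DB_PORT = 3306  # assumed MySQL port
# WEB mirrors the questioner's EC2 group; note that its rules never enter is_allowed.
WEB = SecurityGroup("WEB", [Rule(80, "cidr:0.0.0.0/0"), Rule(22, "cidr:198.51.100.7/32")])
INSTANCE_A = {"WEB", "DB", "HQ_ACCESS"}   # group memberships from the answer above
INSTANCE_B = {"SOME_OTHER_GROUP"}
# RDS group referencing WEB (the questioner's setup) vs. a weak CIDR-based one.
RDS_FROM_WEB = SecurityGroup("RDS_FROM_WEB", [Rule(DB_PORT, "sg:WEB")])
RDS_OPEN = SecurityGroup("RDS_OPEN", [Rule(DB_PORT, "cidr:0.0.0.0/0")])

def scenarios(rds_sg):
    """Which traffic reaches an RDS instance protected by rds_sg."""
    return {
        "instance_a_db_port": is_allowed([rds_sg], "10.0.1.10", INSTANCE_A, DB_PORT),
        "instance_a_port_80": is_allowed([rds_sg], "10.0.1.10", INSTANCE_A, 80),
        "instance_b_db_port": is_allowed([rds_sg], "10.0.2.20", INSTANCE_B, DB_PORT),
        "internet_db_port": is_allowed([rds_sg], "203.0.113.5", set(), DB_PORT),
        "internet_port_80": is_allowed([rds_sg], "203.0.113.5", set(), 80),
    }
```

With RDS_FROM_WEB only InstanceA on the DB port gets through; swapping in RDS_OPEN is the setting that would actually expose the database port to the internet.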