Creating a publicly accessible RDS instance in AWS Cloudformation

I'm totally throwing my hands up with this one. I've been trying to create a publicly accessible RDS instance using CloudFormation. I want to be able to connect to my instance via a mysql client. When I deploy this stack it says that the instance is publicly accessible in the RDS console, but I can't connect to it via the endpoint provided in the RDS console. I'm guessing that I messed up/missed something with the VPC pieces. Here's my stack.yaml file:

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'VPC created by cf'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
      - Key: Name
        Value: Created By CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  DataSourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref Vpc
  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      SourceSecurityGroupId: !Ref DataSourceSecurityGroup
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      CidrBlock: 10.0.0.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      CidrBlock: 10.0.16.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
      - Key: Name
        Value: 'RouteTable created by CF'
  RouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  RouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref RouteTable
  InternetRouteRule:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  DataSourceSubtNetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Created by CF
      SubnetIds:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
  DataSource:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      DBName: MyDb
      DBSubnetGroupName: !Ref DataSourceSubtNetGroup
      Engine: MySQL
      MasterUsername: AdminUser
      MasterUserPassword: AdminPassword
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref DataSourceSecurityGroup
    DeletionPolicy: Snapshot

Thanks

aamiri asked Jul 24 '17 00:07



1 Answer

Your DataSourceSecurityGroup security group is currently configured as:

  • Permit inbound connections on Port 3306 from Security Group DataSourceSecurityGroup

That is, it will allow inbound connections from any Amazon EC2 instance that is itself a member of the DataSourceSecurityGroup security group.

If you wanted to allow access from anywhere on the Internet, then change your template to permit inbound access from 0.0.0.0/0:

  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      CidrIp: 0.0.0.0/0

I made this change, tested your template and it worked fine.

For future reference: You can debug this type of thing by creating the stack and then examining the Security Group in the management console.

John Rotenstein answered Oct 11 '22 14:10
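The answer's debugging tip (look at the security group after the stack is created) can be turned into a check that reads the group's ingress rules and says why a client can or cannot reach port 3306. The example below is an added illustration, not code from the question or the answer. It works on rule dictionaries in the shape boto3 returns under `IpPermissions`; the three rule sets are constructed to mirror the question's self-referencing rule, the answer's `CidrIp: 0.0.0.0/0` fix, and the same fix narrowed to a single client address, and the group id `sg-0123456789abcdef0` is a placeholder.

```python
"""Classify the ingress rules of an EC2 security group for a MySQL port.

Added example; not code from the question or the answer. Rule dicts follow the
shape of boto3's ec2.describe_security_groups()["SecurityGroups"][i]["IpPermissions"].
The sample rule sets below are constructed, and the group id is a placeholder.
"""
from ipaddress import ip_network

MYSQL_PORT = 3306
SG_ID = "sg-0123456789abcdef0"  # placeholder id for DataSourceSecurityGroup

# Constructed: what the question's DSSGIngressRule looks like once deployed
# (source is the security group itself, no CIDR ranges at all).
QUESTION_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": SG_ID, "UserId": "123456789012"}]},
]

# Constructed: the answer's fix, CidrIp: 0.0.0.0/0.
ANSWER_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed: the same fix narrowed to one client address (documentation range).
NARROW_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol and port range include `port`.

    IpProtocol "-1" is the console's "All traffic" and carries no port fields.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def classify_ingress(rules, own_group_id, port=MYSQL_PORT):
    """Return (source, verdict) pairs for every rule source that reaches `port`.

    self-reference  : only members of this same group may connect, so a client
                      outside the VPC is never allowed in (the question's case)
    other-group     : another security group is allowed in
    world-open      : 0.0.0.0/0 or ::/0, reachable from the whole Internet
    cidr-restricted : a specific CIDR, the least-privilege shape for a public DB
    """
    findings = []
    for rule in rules:
        if not rule_covers_port(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            verdict = "self-reference" if gid == own_group_id else "other-group"
            findings.append((gid, verdict))
        for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ip_network(cidr, strict=False)
            verdict = "world-open" if net.prefixlen == 0 else "cidr-restricted"
            findings.append((cidr, verdict))
    return findings


def internet_reachable(rules, own_group_id, port=MYSQL_PORT):
    """True if at least one CIDR-based source reaches the port.

    Security-group sources never let a host outside the VPC connect, which is
    why PubliclyAccessible: true alone did not make the endpoint reachable.
    """
    return any(v in ("world-open", "cidr-restricted")
               for _, v in classify_ingress(rules, own_group_id, port))


if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES),
                         ("answer", ANSWER_RULES),
                         ("narrowed", NARROW_RULES)):
        print(f"{label:9s} {classify_ingress(rules, SG_ID)} "
              f"internet-reachable={internet_reachable(rules, SG_ID)}")
```

Against a live account the same dicts come from `boto3.client("ec2").describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]["IpPermissions"]`. The question's rule set yields only a `self-reference` finding, which is the whole explanation for the failed connection; the answer's fix yields `world-open`, which does make the endpoint reachable but exposes the MySQL port to every address on the Internet, so a `cidr-restricted` rule naming the client's own address block is the shape to deploy once connectivity is confirmed.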