Permissions for EC2 created by Elastic Beanstalk connecting to external RDS

I am quite new to Elastic Beanstalk and not very proficient with server administration, but I need to set up a Django project on Elastic Beanstalk connecting to an external RDS MySQL database.

I have created a separate RDS MySQL database and I can connect to it using Sequel Pro on my computer without problems. Then I have my Django project which I try to put on Elastic Beanstalk, but unfortunately without luck. If I run the local Django server from my computer, the project is browsable and Amazon RDS MySQL is accessible. However, when I run

eb deploy

I get

django.db.utils.OperationalError: (2003, "Can't connect to MySQL server
on 'myapp-staging.xxx.eu-west-1.rds.amazonaws.com' (110)")
(ElasticBeanstalk::ExternalInvocationError)

If I login to the EC2 server via SSH

eb ssh

and then check the open ports with

netstat -lntu

I don't see MySQL's port 3306 there, so I guess it is blocked by a firewall.

This is what I tried regarding permissions:

  1. I went to RDS Dashboard -> Security Groups and created myapp-mysql-security-group with EC2 Security Group connection type pointing to EC2 security group used by Elastic Beanstalk EC2 instance “awseb-e-...”.
  2. I went to EC2 -> Security Groups and for “awseb-e-...” I set the Inbound MySQL port with source 0.0.0.0/0
  3. I went to VPC Dashboard -> Security Groups and created myapp-mysql-security-group with Inbound Rules of MySQL port with source 0.0.0.0/0.

Then I tried to redeploy, restart servers and even rebuild environment, but nothing helped. The MySQL port 3306 is still not open in the EC2 instances created by Elastic Beanstalk.

What am I doing wrong or what is missing?

Aidas Bendoraitis asked Nov 16 '15 11:11


1 Answer

MySQL port 3306 is only open on the RDS instance (not on your EC2 instance). So, if you check on your EC2 instance, it should not be listening on port 3306.

Things you can do to check that RDS is working:

  • Check your EC2 instance's connection to RDS.
    • SSH to your instance (eb ssh) and run telnet myapp-staging.xxx.eu-west-1.rds.amazonaws.com 3306. You might need to install telnet first (yum install telnet).
    • If it succeeds, check your app.
    • If it fails, check the next point.
  • Make sure your RDS and EC2 placement is correct:
    • For private-only access to RDS:
      • Make sure they are in the same VPC and allow incoming connections to 3306 in RDS from the VPC's IP range. For better performance, use IP addresses instead of the Security Group name.
      • If they are in different VPCs, you can create VPC Peering.
    • For publicly accessible RDS:
      • Same as above, allow incoming connections from the VPC's IP range.
  • Make sure EC2 instances are allowed to make outgoing connections to port 3306 in the EC2 security group.
  • Make sure your EC2 host doesn't have a rule denying 3306 in iptables.
  • If your EC2 and RDS are in different VPCs and you use a private IP for your EC2, check the NAT server. Make sure you allow port 3306 to be proxied.
Edward Samuel answered Oct 31 '22 06:10
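The answer's telnet check and the question's security-group steps, as an added example that is not part of the original question or answer. Since the project is Django, it is a small Python script that does two things. First, it probes the RDS endpoint on 3306 and classifies the outcome by errno: the "(110)" in the question's error is ETIMEDOUT on Linux, the signature of a security group silently dropping the SYN, whereas "(111)" would be ECONNREFUSED, meaning the host was reached but nothing listened. Second, it audits a security-group description (in the shape boto3's describe_security_groups returns) for a 3306 rule open to 0.0.0.0/0, which is what steps 2 and 3 of the question added and is far wider than needed; the least-privilege form is an inbound 3306 rule on the RDS group whose source is the Beanstalk instances' own security group. The group IDs sg-rdsexample and sg-ebexample and both sample group descriptions are constructed placeholders.

```python
# Added example, not code from the question or the answer above.
# Assumptions: Linux errno values (110 ETIMEDOUT, 111 ECONNREFUSED), a
# security-group dict in the shape boto3's describe_security_groups()
# returns, and placeholder group IDs sg-rdsexample / sg-ebexample.
import errno
import socket
from dataclasses import dataclass
from typing import Optional

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class ProbeResult:
    state: str               # open | timeout | refused | unresolved | error
    errno_value: Optional[int]
    hint: str


def probe_tcp(host: str, port: int = 3306, timeout: float = 5.0) -> ProbeResult:
    """TCP-connect to host:port and say what a failure means in firewall terms.

    A stateful security group never refuses a connection; it drops the SYN,
    so the client sees a timeout (MySQL's "(110)"). A refusal ("(111)") means
    the packet reached a host that has nothing listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult("open", None, "handshake completed; next check MySQL auth and the app")
    except socket.timeout:
        return ProbeResult("timeout", errno.ETIMEDOUT,
                           "no SYN/ACK: dropped by security group, NACL or routing")
    except ConnectionRefusedError as exc:
        return ProbeResult("refused", exc.errno, "host reached, nothing listening on the port")
    except socket.gaierror:
        return ProbeResult("unresolved", None, "DNS lookup failed: check the endpoint name")
    except OSError as exc:
        return ProbeResult("error", exc.errno, str(exc))


def audit_mysql_ingress(group: dict, instance_sg: str, port: int = 3306) -> dict:
    """Flag port-3306 ingress open to the whole Internet and check for the
    least-privilege alternative: a rule whose source is the Beanstalk
    instances' own security group (instance_sg) rather than a CIDR."""
    world_open, source_groups = [], []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo = perm.get("FromPort", 0) if proto == "tcp" else 0
        hi = perm.get("ToPort", 65535) if proto == "tcp" else 65535
        if not lo <= port <= hi:
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in WORLD_CIDRS:
                world_open.append(cidr)
        source_groups += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    has_sg_rule = instance_sg in source_groups
    return {
        "world_open": world_open,
        "source_groups": source_groups,
        "least_privilege": has_sg_rule and not world_open,
        # Command that adds the SG-sourced rule; any world rule must still be revoked.
        "fix": None if has_sg_rule else (
            f"aws ec2 authorize-security-group-ingress --group-id {group['GroupId']} "
            f"--protocol tcp --port {port} --source-group {instance_sg}"),
    }


# Constructed sample, shaped like describe_security_groups()["SecurityGroups"][0]:
# the RDS group as step 3 of the question left it, 3306 open to 0.0.0.0/0.
RDS_SG_AS_POSTED = {
    "GroupId": "sg-rdsexample",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                       "UserIdGroupPairs": []}],
}
# The same group with the world rule replaced by one sourced from the Beanstalk SG.
RDS_SG_HARDENED = {
    "GroupId": "sg-rdsexample",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-ebexample"}]}],
}


def loopback_demo() -> tuple:
    """Show two classifications without an RDS endpoint: probe a loopback
    listener (open), close it, probe the same port again (refused)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    first = probe_tcp("127.0.0.1", port, 2).state
    srv.close()
    second = probe_tcp("127.0.0.1", port, 2).state
    return first, second


if __name__ == "__main__":
    print(loopback_demo())
    for label, sg in (("as posted", RDS_SG_AS_POSTED), ("hardened", RDS_SG_HARDENED)):
        print(label, audit_mysql_ingress(sg, "sg-ebexample"))
```

On the instance (after eb ssh) call probe_tcp with the real endpoint; a "timeout" result points at the RDS security group, NACLs or routing, not at MySQL or the app. For the audit, pass one element of SecurityGroups from `aws ec2 describe-security-groups --group-ids <rds-sg>`. The suggested fix only adds the group-sourced rule; the 0.0.0.0/0 rule has to be revoked separately with `aws ec2 revoke-security-group-ingress`, and a group-sourced rule requires the two groups to be in the same VPC (or peered VPCs).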