Why might the CIDR/IP in DB security group be different from instance elastic IP?

I have an EC2 instance, which is able to connect to my RDS instance, yet its elastic IP does not appear in the DB security group of whitelisted IPs.

How might this be?

I ask because I have created a new instance, which I also want to whitelist and just entering its elastic IP does not seem like the way to do things since none of the other servers have their elastic IP listed.

Thanks in advance,

rix asked May 03 '12 15:05

1 Answer

There might be two causes here:

Traffic Sources

Security Group Rules do not necessarily specify IP addresses alone as traffic sources; rather, they regularly refer to other security groups as well:

The source can be an individual IP address (203.0.113.1), a range of addresses (e.g., 203.0.113.0/24), or an EC2 security group. The security group can be another group in your AWS account, a group in another AWS account, or the security group itself.

By specifying a security group as the source, you allow incoming traffic from all instances that belong to the source security group. [...] You might specify another security group in your account if you're creating a three-tier web service (see Creating a Three-Tier Web Service).

[emphasis mine]

Consequently, the DB security group of your Amazon RDS instance might refer to the EC2 security group used for your Amazon EC2 instance, implying respective access rights already. See my answer to AWS - Configuring access to EC2 instance from Beanstalk App for more details regarding this concept/approach.

Public vs. Private IP Addresses

You might see the effect of a little known, but nonetheless important and quite helpful feature of the AWS DNS infrastructure, see section Public and Private Addresses on page Using Instance IP Addresses:

Amazon EC2 also provides an internal DNS name and a public DNS name that map to the private and public IP addresses respectively. The internal DNS name can only be resolved within Amazon EC2. The public DNS name resolves to the public IP address outside the Amazon EC2 network and the private IP address within the Amazon EC2 network. [emphasis mine]

That is, it's resolving the public DNS (e.g. ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com) to the private IP address when you are using it inside the Amazon EC2 network, and to the public or elastic IP address when using it outside the Amazon EC2 network.

Accordingly, the various AWS products are usually wired up between each other by means of their private IP Addresses rather than external ones for a variety of reasons, most importantly network speed and cost (see my answer to AWS EC2 Elastic IPs bandwidth usage and charges for details).

Consequently, the DB security group of your Amazon RDS instance might refer to the private IP address of your Amazon EC2 instance, implying respective access rights accordingly.

Steffen Opel answered Sep 20 '22 01:09
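To make both causes in the answer above concrete, here is an added Python model (not part of the original question or answer, and not AWS code) of how an RDS DB security group admits a connection. It covers the security-group-as-source rule and the split-horizon DNS behaviour the answer quotes, and follows the documented AWS rule that a security-group source matches members by their private address, never their public or elastic one. All instance names, group ids, hostnames and addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str          # address inside the EC2 network
    public_ip: str           # public or elastic IP, seen from outside only
    security_groups: frozenset


@dataclass(frozen=True)
class Rule:
    port: int
    cidr: Optional[str] = None       # e.g. "203.0.113.0/24"
    source_sg: Optional[str] = None  # e.g. "sg-web": another group as source


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule]


def resolve_public_dns(instance: Instance, inside_ec2: bool) -> str:
    """Split-horizon DNS as quoted in the answer: the public hostname resolves
    to the private address inside EC2 and to the public/elastic address outside."""
    return instance.private_ip if inside_ec2 else instance.public_ip


def is_allowed(db_sg: SecurityGroup, client: Instance,
               client_ip: str, port: int) -> Tuple[bool, str]:
    """Evaluate the DB group's inbound rules for one connection.

    Security groups are allow-only: any matching rule admits the traffic and
    there are no deny rules. A rule whose source is another security group
    matches that group's members only when they arrive from their private
    address, not from their public or elastic address (documented AWS behaviour).
    """
    addr = ip_address(client_ip)
    for rule in db_sg.inbound:
        if rule.port != port:
            continue
        if rule.cidr is not None and addr in ip_network(rule.cidr):
            return True, f"matched CIDR {rule.cidr}"
        if (rule.source_sg is not None
                and rule.source_sg in client.security_groups
                and client_ip == client.private_ip):
            return True, f"matched source security group {rule.source_sg}"
    return False, "no matching inbound rule"


def demo() -> List[str]:
    """Walk through the questioner's scenario with constructed resources."""
    web = Instance("web-1", "10.0.1.10", "198.51.100.7", frozenset({"sg-web"}))
    new = Instance("web-2", "10.0.1.11", "198.51.100.8", frozenset({"sg-default"}))
    db_sg = SecurityGroup("sg-db", [
        Rule(3306, source_sg="sg-web"),      # every member of sg-web
        Rule(3306, cidr="203.0.113.0/24"),   # a constructed office range
    ])
    lines = []
    for inst in (web, new):
        # Inside EC2 the DB sees the private address, so the EIP never appears.
        seen_ip = resolve_public_dns(inst, inside_ec2=True)
        ok, why = is_allowed(db_sg, inst, seen_ip, 3306)
        lines.append(f"{inst.name} from {seen_ip}: "
                     f"{'allowed' if ok else 'denied'} ({why})")
    # The fix for the new instance is joining sg-web, not whitelisting its EIP.
    fixed = Instance(new.name, new.private_ip, new.public_ip,
                     new.security_groups | {"sg-web"})
    ok, why = is_allowed(db_sg, fixed, fixed.private_ip, 3306)
    lines.append(f"{fixed.name} after joining sg-web: "
                 f"{'allowed' if ok else 'denied'} ({why})")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it shows web-1 admitted through the sg-web reference, web-2 denied until it is placed in sg-web, and a connection from the elastic IP never matching at all, which is why the elastic IPs are absent from the DB group.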