0

My setup is very similar to the one presented here - Why can't I connect AWS RDS instance from EC2 instance in another VPC after peering

I have 2 VPC's VPC A and VPC B

I have an RDS instance and an EC2 instance (EC2 A) in VPC A - I can access the RDS instance from EC2 A by running something like mysql -u sa -pPASSWORD -h db-prod.sdfsdfewfwe.us-east-2.rds.amazonaws.com

I have another EC2 instance (EC2 B) in VPC B and I'd like to be able to run the same mysql command to access the RDS instance.

I set up a peering connection between VPC A and VPC B so my route table looks like the following:

RDS VPC
Destination      Target
172.31.0.0/16    local
10.0.0.0/16      pcx-xyz123

EC2 VPC
Destination      Target
10.0.0.0/16      local
172.31.0.0/16    pcx-xyz123

I can now ssh from VPC A -> VPC B and vice versa, but I still cannot access the RDS instance.

The only way I am able to do it is to set up an SSH tunnel like so:

ssh -i "key.pem" ubuntu@172.31.0.0 -L 3307:db-prod.sdfsdfewfwe.us-east-2.rds.amazonaws.com:3306 -N

I can then access the RDS from VPC B by running:

mysql -u sa -pPASSWORD -h 127.0.0.1 -P 3307

I would like to avoid this, and set up my networking properly to resolve the RDS access from VPC B

Update:

@detzu Thanks for the response.

RDS has 2 subnets, db-subnet and accessible-subnet

accessible-subnet:

11.234.52.0/24     local
11.234.53.0/24     local
11.241.52.0/24     pcx-034d57cb727bbf9ec
0.0.0.0/0          igw-003f4bff3126fc2e9

db-subnet:

11.234.52.0/24     local
11.234.53.0/24     local
11.241.52.0/24     pcx-034d57cb727bbf9ec
0.0.0.0/0          igw-003f4bff3126fc2e9

VPC B has one subnet inaccessible-subnet:

11.234.52.0/24     pcx-034d57cb727bbf9ec
11.241.52.0/24     local
0.0.0.0/0          igw-01fd2dbb6bee81525

RDS Security group:

CIDR/IP - Inbound   33.140.253.74/32
CIDR/IP - Inbound   11.234.52.0/24
CIDR/IP - Inbound   11.241.52.0/24
CIDR/IP - Outbound  0.0.0.0/0

Update 2

RDS Security group rules

Inbound:

MYSQL/Aurora   TCP   3306   33.140.253.74/32
MYSQL/Aurora   TCP   3306   11.234.52.0/24
MYSQL/Aurora   TCP   3306   11.241.52.0/24

Outbound:

All traffic    All   All    0.0.0.0/0
snn
  • 405
  • 5
  • 15

1 Answers1

1

is the RDS instance in the same subnet with EC2 A ? if not , please provide the routing table for the RDS subnet ( usually private subnet ).

An RDS has a subnet group, a subnet group has at least 2 subnets, please check the route tables for all subnets involved.

Please check the VPC security group for RDS , if possible copy here ( hash public IP's or other private info ). RDS has 2 security groups, check the one configured in your RDS as VPC security group.

Update 2 : Thank you , the route tables look good. I don't see any issues !

Please add the VPC security group rules from here ( red rectangle) : enter image description here

click on the link and copy the inbound and outbound rules , thank you !

detzu
  • 701
  • 6
  • 12
  • not sure about the 52 and 53 networks , sometimes are in the routing tables sometimes not . Please use in every routing table and security group 11.234.52.0\23 instead of 11.234.52.0\24 and 11.234.53.0\24 . This will make everything clear . After the change please check , and if it's not working please update the tables here. Check if the tunnel is still working . Thank you ! – detzu Mar 03 '19 at 23:29
  • Thank you. this ended up working. Also turned on DNS resolution on `VPC B`. Which may have helped. appreciate all the support – snn Mar 04 '19 at 16:27
  • great! I'm happy I could help ! – detzu Mar 04 '19 at 18:18