Elastic Beanstalk Docker app cannot connect to MySQL

I have an ElasticBeanstalk application that uses Docker to run a small Laravel PHP API.
The app cannot connect to MySQL when running in ElasticBeanstalk.
The MySQL DB is a publicly available AWS RDS instance.
I've run my Docker container locally and the app can connect just fine.
When I deploy to ElasticBeanstalk the app cannot connect...
Can anyone point me in a direction to help debug this?
SOLUTION
For anyone else who stumbles on this:
The solution was to create a new security group for both the EC2 instances and the RDS database. The two security groups opened up access via port 3306 for the instances and the database.
I also ensured the EC2 instances were available across every subnet and in the same VPC as my database.
Taken from the answers below and a bit of help from a SysOps friend of mine.

You may want to check the EC2 Security Group Rules attached to Elastic Beanstalk to allow TCP at port 3306 for MYSQL type.
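An added example (not part of the original question or answers) of checking the security group rules discussed above. It reads data in the shape returned by `aws ec2 describe-security-groups` and reports, per database group, whether TCP 3306 is admitted from the application's security group and whether any rule opens that port to every address. The group IDs, names and rules are constructed sample data.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The sg-... IDs are placeholders, not values from the original question.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0bbbbbbbbbbbbbbb1", "GroupName": "rds-mysql",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1"}]}]},
  {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "rds-mysql-open",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}]}
]}
""")

def covers_port(perm, port):
    """True if the rule applies to tcp/<port>; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit_db_group(group, app_sg_id, port=3306):
    """Classify one database security group's ingress on the MySQL port."""
    result = {"app_sg_allowed": False, "world_open": [], "other_cidrs": []}
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        pairs = perm.get("UserIdGroupPairs", [])
        if any(p.get("GroupId") == app_sg_id for p in pairs):
            result["app_sg_allowed"] = True
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix matches every address, IPv4 or IPv6.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                result["world_open"].append(cidr)
            else:
                result["other_cidrs"].append(cidr)
    return result

def audit_all(doc, app_sg_id):
    return {g["GroupId"]: audit_db_group(g, app_sg_id) for g in doc["SecurityGroups"]}

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE, "sg-0aaaaaaaaaaaaaaa1"), indent=2))
```

The second sample group shows why port ranges matter: a rule for 3000-4000 never names 3306 but still exposes it.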

High chance that your EC2 instance does not have a public IP assigned to it. If you're trying to connect to the public IP of RDS without a public IP on the EC2 instance, you won't be able to.
The EC2 instance will either need a public IP or it will need to have external internet connectivity through NAT.

Related

Connect to private Amazon RDS without EC2

I see a lot of articles online where EC2 is involved, but since my backend is essentially serverless I have not found much information how to access my RDS once it is turned private. Can anyone point me in the right direction?
Current state:
Public MySQL RDS
RDS is accessed by a MySQL client on my local machine (MySQL Workbench) and AWS Lambda functions via my web application (both connecting via SSL)
Future state:
Private MySQL RDS
Private RDS would continue to be accessed by only my local machine and only the noted AWS Lambda functions via my web application (I assume continuing to use SSL?)
In your scenario your Lambda functions will need to be configured to run in the VPC if they are not already. That is the only change required for the Lambda functions.
However, when you switch the RDS instance to private, that means it only accepts connections from within the VPC. So you can't make connections directly from your local computer to the database anymore. You have to go through some sort of "bridge" to get your local computer into the AWS VPC network.
In this scenario people either use an EC2 instance as a bastion host, or they create a VPN connection from their local computer into the AWS VPC. AWS Client VPN is a managed service you could use for this.
You'll need to evaluate the Client VPN pricing, but I think you may find that a single t4g.nano EC2 bastion host is probably cheaper, and you can also stop the instance when you don't need it to really cut down the cost.
You can use VPC also with Lambda. Lambda and RDS can be in the same VPC, or in separate VPCs peered together. AWS documentation for this scenario can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/
You can use Basti, which is a CLI tool that manages the EC2 bastion instance for you. The tool keeps the instance stopped when it's not used to minimize the solution cost, performs software updates to keep the bastion instance secure, and provides a convenient CLI that can be used locally and in CI/CD pipelines.

How to access MySQL on Amazon RDS from an EC2 instance with rotating ip addresses?

I currently have a Python script running on an EC2 Linux instance. I'm rotating proxies in this instance with NordVPN. However, I must also be able to connect to an RDS MySQL database.
Because I'm constantly rotating proxies, the script is unable to connect to the database as the new IP address is not a part of the VPC security group associated with the database. What should I do now? Does the Python script need to update the VPC security group every time it is using a new proxy? Or is there a more elegant way of solving this?
Thanks

Connect to AWS RDS instance in VPC using local client

I have an application running on EC2 instances that store data in an RDS instance. All of these instances are in an AWS VPC with security groups configured to allow them to connect to each other.
For reporting purposes, I would like to connect to the RDS instance from my laptop (e.g. using SQLAlchemy) to run simple queries. Every time I try to connect using the connection string that the EC2 apps use, the connection times out.
For Google, one can use the Cloud SQL proxy for this, but I can't find an analogous product for AWS. Instead, it seems like what I am supposed to do is attach an internet gateway to the VPC and configure the security groups to allow connection from my machine. However, the documents are unclear on how to do this other than allowing all inbound connections or allowing a static IP. Unfortunately my laptop doesn't have a static IP, and I'm uncomfortable allowing all inbound connections as it seems insecure and an invitation to attacks. I also have not been able to find a way to configure a security group to allow connections based on IAM credentials for example using the AWS CLI. Since I will be routinely generating reports, a solution that involves updating a security group (i.e. allowing my current IP) every time I want to connect seems suboptimal.
I have tried following the following documents, but so far have had no success in finding a solution that does not allow all connections:
Allow users to connect to RDS using IAM*
Connecting to RDS instance from command line
Connecting to RDS on VPC from internet
*My RDS instance configuration does not allow me to enable IAM authentication, I'm not sure why
IAM Database Authentication is not supported for the configuration in the DB Instance db.
Modify your Db Instance to another instance class and try again.
(Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterCombination;
Request ID: a6194fb8-2ab9-4a6a-a2be-63835e6e0184)
Is there something I'm not understanding or overlooking? Is allowing connections from all IPs not a big deal since the DB instance is still secured by DB user credentials?
Select this connection as per screenshot. Then fill in all details and use your NAT instance .pem file to connect. It's like you are connecting to VPC through NAT gateway or Internet gateway bypassing this.
Another option is to install a VPN on the VPC and connect.

Is it possible to open a terminal session to ebs linux instance?

I have a Linux Elastic Beanstalk app running on AWS. I need to figure out what folders the apps are installed in, in order to create a cronjob correctly.
Is it possible to open a terminal to ebs server?
Yes it is possible. To SSH to the Elastic Beanstalk Instance, you will need to use the EC2 key pairs and configure the Security Groups allowing SSH access from the client.
If you place the server in a private subnet, you might need to create a Bastion Host in a public subnet within the same VPC. Then you can SSH to the Bastion host and SSH to your server from there.

Connect Amazon EC2 to my Local MySQL Database

Is it possible to do the following?:
I have a local Mac running OS X Lion with a MySQL Server installed which runs different processes regularly and stores data into a local DB.
On the other hand I have an Amazon EC2 instance.
What I would like to do is to use the Amazon instance to perform certain cronjobs (using its own resources) but connecting to the data that is on my localhost (my computer) and performing basic SQL actions like updating the data, inserting, etc.
I don't know if this helps, but I have a static IP. Is there any way I can "open" my IP so the Amazon instance can recognize my home computer as a valid MySQL server?
Thanks for your help, any tip in the right direction will be much appreciated.
If your EC2 instance is connecting to your local db you'll need a static IP locally. Well, not need... but if you don't have it, anytime you reset your router or lose power etc. your IP will change. You can look into Dynamic DNS as well for your local instance.
Your ISP will not block your port on your local instance. This would be a firewall inside your network that is preventing you from connecting to mysql or a configuration with mysql itself. Users can only connect to mysql from certain IP addresses.
You would have to open up the mysql port on your firewall if you are using one, have the mysql client installed on your EC2 instance, and make sure that the user has proper grantable permissions.
That said why not run cron locally on the mac?
If you can login to your server via SSH then there's no need to open any other port and no static IP is required. You can use SSH port forwarding instead. From your local machine run:
ssh -C -R 5555:127.0.0.1:3306 <your-server-host>
Now you should be able to connect to your Mac's database running on localhost:3306 from the remote server at localhost:5555.