AWS Client VPN connection problem with RDS in same VPC


Is there a specific setting for any of the following (subnet, security group, client VPN endpoint) that I should be aware of when I want to connect to an RDS DB? I have an AWS Client VPC with an enabled Client VPN endpoint. I can connect to the VPN using the VPN client, and I also have internet working just fine. But somehow when I try to access RDS, the connection times out. RDS is located in a subnet group of all 4 subnets (public and private in region-X and region-Y).

Joon
asked a month ago · 123 views
1 answer

Hello.

What are the inbound rules of the RDS security group?
For example, does the security group allow connections from the VPN client endpoint's security group?
Also, when you resolve the name of an RDS endpoint using the "dig" command, will an IP address be returned from the VPC CIDR range?
If public access is enabled on RDS, a public IP address will be returned, so even if communication is via VPN, it may not be possible to connect depending on the AWS configuration.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Also, if RDS is in multiple VPCs, you will need to set up something like a Transit Gateway to be able to communicate with multiple VPCs. I think the following AWS blog will be helpful for AWS VPC configuration. https://aws.amazon.com/jp/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/

  • Thank you for your answer.

    • Inbound rules of my RDS is allowed to receive all traffic from a security group called "A" (source, with all protocol and types). Client VPN endpoint is associated with "A" security group, and "A" security group is permitted for all traffic from default VPC security group.

    Client VPN endpoint -> Security Group Associated with: A; Inbound Rule Source, Type, Protocol: default VPC sg, All, All
    RDS Instance -> Security Group Associated with: B; Inbound Rule Source, Type, Protocol: A, All, All

    • "dig" command returns the IP address within VPC CIDR range:

    ;; ANSWER SECTION: xxxxxx.abcdefghijk.us-west-1.rds.amazonaws.com. 5 IN A 10.0.X.XX

    • Public access is set to No for my RDS instance. I actually tested out by setting it to Yes and "dig" command did return a public IP address. I've also tried to query a table within the DB instance, and mysql connection timed out just like you said. Normally when I set a DB instance to public, mysql connection is established but not this case. Can you assume what AWS configuration is prohibiting the connections?
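As an added illustration of the two checks the answer suggests (this is not code from the thread's participants), the following Python script evaluates security group rules in the same shape as `aws ec2 describe-security-groups` output: does the RDS instance's group admit port 3306 from the group attached to the Client VPN endpoint, and does the address returned by dig fall inside the VPC CIDR? The group IDs, VPC CIDR and addresses are constructed sample values, not the poster's.

```python
import ipaddress

# Constructed sample data (not from the thread's account): "sg-A" is attached to the
# Client VPN endpoint, "sg-B" to the RDS instance; B allows all traffic from A, as the
# poster describes. "sg-C" is an extra group that only admits a CIDR, for contrast.
SECURITY_GROUPS = {
    "sg-A": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
    "sg-B": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-A"}]}],
    "sg-C": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}],
}
VPC_CIDR = "10.0.0.0/16"  # assumed VPC range

def rule_covers_port(rule, port):
    """Protocol -1 matches all traffic; otherwise the rule must be TCP covering `port`."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def inbound_allows(groups, dst_sg, src_sg, port):
    """True if dst_sg has an inbound rule for `port` whose source is the group src_sg.

    Client VPN traffic enters the VPC through the endpoint's network interface, so the
    RDS group sees it as coming from the endpoint's security group.
    """
    for rule in groups[dst_sg]:
        if rule_covers_port(rule, port) and any(
            pair["GroupId"] == src_sg for pair in rule.get("UserIdGroupPairs", [])):
            return True
    return False

def resolves_into_vpc(answer_ip, vpc_cidr):
    """With public access off, dig should return a private address inside the VPC."""
    return ipaddress.ip_address(answer_ip) in ipaddress.ip_network(vpc_cidr)

def diagnose(groups, vpn_sg, rds_sg, rds_ip, vpc_cidr, port=3306):
    """Return the failing checks; an empty list means both of the answer's checks pass."""
    problems = []
    if not inbound_allows(groups, rds_sg, vpn_sg, port):
        problems.append(f"{rds_sg} has no inbound rule for port {port} from {vpn_sg}")
    if not resolves_into_vpc(rds_ip, vpc_cidr):
        problems.append(f"{rds_ip} is outside {vpc_cidr}: endpoint resolves to a public IP")
    return problems

if __name__ == "__main__":
    print(diagnose(SECURITY_GROUPS, "sg-A", "sg-B", "10.0.3.25", VPC_CIDR))
```

For a real account, feed the script the `IpPermissions` lists from `aws ec2 describe-security-groups` and the A record from `dig <rds-endpoint>`; an empty result means the two conditions the answer raises are satisfied and the timeout has another cause.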
