
Why are NACLs required for an RDS Proxy in the same subnet as the RDS db?


Hi!

I was able to resolve my issue, but I was wondering about this unexpected behavior.

So I set up an Aurora Postgres Serverless v2 database cluster and added an RDS Proxy in the same subnet (let's call this the "database subnet"). The connection between those two did not work with the NACL I had configured at the time, which allowed inbound traffic from another subnet on port 5432 and outbound traffic back to the same subnet on the ephemeral ports (1024-65535).

To make the RDS Proxy work, I had to also add NACL rules that allowed inbound and outbound traffic to and from the database subnet on the ephemeral ports. I also verified that the traffic does not leave the VPC by adding the NACL rules for my VPC CIDR. The question now is: why? Aren't NACLs only applied to traffic that goes in and out of the subnet?

1 answer

Accepted answer

Hello.

Is it possible that Aurora Serverless has a multi-AZ configuration and the subnet where RDS Proxy is running is different from the subnet where Aurora Serverless's primary is running?
RDS Proxy always connects to the primary instance, so if the primary instance is in a different subnet, communication may become impossible due to network ACLs.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-endpoints.html

In other words, please check to see if you are in a state like the image below.

Expert, answered 2 years ago
Expert, reviewed 2 years ago
  • Well, that actually makes perfect sense. I didn't think about the cross-az traffic. Thanks!
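The accepted answer's point is that network ACLs are stateless and are evaluated only when a packet crosses a subnet boundary, so a proxy and a primary that happen to land in different AZ subnets need rules in both subnets for both the forward connection and the reply traffic. The following is an added example, not code from the original thread or from AWS: a small stateless NACL evaluator run over a constructed topology (VPC 10.0.0.0/16, an application subnet 10.0.1.0/24, two database subnets 10.0.10.0/24 and 10.0.11.0/24, and the IP addresses, rule numbers and application-subnet ACL are all assumptions). The database-subnet rules mirror the ones the questioner describes: first the original "application subnet only" rules, then the same ephemeral-port rules scoped to the VPC CIDR.

```python
"""Stateless network ACL evaluation for the RDS Proxy -> Aurora primary flow.
Constructed example: subnets, addresses, rule numbers and the app-subnet ACL are assumptions."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated lowest-first, first match wins
    direction: str     # "inbound" (cidr = source) or "outbound" (cidr = destination)
    cidr: str
    ports: tuple       # (from, to) destination port range
    action: str = "allow"


@dataclass
class Subnet:
    name: str
    cidr: str
    acl: list


def evaluate(acl, direction, peer_ip, dst_port):
    """NACL semantics: ascending rule number, first match decides, implicit deny at the end."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(acl, key=lambda r: r.number):
        if r.direction != direction:
            continue
        if peer in ipaddress.ip_network(r.cidr) and r.ports[0] <= dst_port <= r.ports[1]:
            return r.action == "allow"
    return False


def tcp_flow(src_subnet, src_ip, dst_subnet, dst_ip, dst_port, src_port=49152):
    """The four stateless checks one TCP connection must pass. NACLs are not
    consulted at all when both endpoints sit in the same subnet."""
    if src_subnet is dst_subnet:
        return {"same subnet, NACL not evaluated": True}
    return {
        "src egress  (-> dst:%d)" % dst_port: evaluate(src_subnet.acl, "outbound", dst_ip, dst_port),
        "dst ingress (-> dst:%d)" % dst_port: evaluate(dst_subnet.acl, "inbound", src_ip, dst_port),
        "dst egress  (reply -> src:%d)" % src_port: evaluate(dst_subnet.acl, "outbound", src_ip, src_port),
        "src ingress (reply -> src:%d)" % src_port: evaluate(src_subnet.acl, "inbound", dst_ip, src_port),
    }


def flow_allowed(*args, **kwargs):
    return all(tcp_flow(*args, **kwargs).values())


VPC_CIDR = "10.0.0.0/16"   # assumed
APP_CIDR = "10.0.1.0/24"   # assumed

# The questioner's original database-subnet ACL: only the application subnet is permitted.
db_acl_original = [
    Rule(100, "inbound", APP_CIDR, (5432, 5432)),
    Rule(100, "outbound", APP_CIDR, EPHEMERAL),
]
# The fix: the same ephemeral-port rules, scoped to the VPC CIDR, in both directions.
# 5432 lies inside 1024-65535, so the proxy's outbound connect to the primary is covered as well.
db_acl_fixed = db_acl_original + [
    Rule(110, "inbound", VPC_CIDR, EPHEMERAL),
    Rule(110, "outbound", VPC_CIDR, EPHEMERAL),
]
# Assumed application-subnet ACL: connect out on 5432, accept replies on ephemeral ports.
app_acl = [
    Rule(100, "inbound", VPC_CIDR, EPHEMERAL),
    Rule(100, "outbound", VPC_CIDR, (5432, 5432)),
]

PROXY_IP, PRIMARY_A_IP, PRIMARY_B_IP = "10.0.10.5", "10.0.10.20", "10.0.11.20"  # assumed


def build(db_acl):
    """Two database subnets (one per AZ) sharing the same ACL, plus the app subnet."""
    app = Subnet("app", APP_CIDR, app_acl)
    db_a = Subnet("db-az-a", "10.0.10.0/24", list(db_acl))
    db_b = Subnet("db-az-b", "10.0.11.0/24", list(db_acl))
    return app, db_a, db_b


def scenarios(db_acl):
    app, db_a, db_b = build(db_acl)
    return {
        "app -> proxy": flow_allowed(app, "10.0.1.7", db_a, PROXY_IP, 5432),
        "proxy -> primary (same subnet)": flow_allowed(db_a, PROXY_IP, db_a, PRIMARY_A_IP, 5432),
        "proxy -> primary (other AZ subnet)": flow_allowed(db_a, PROXY_IP, db_b, PRIMARY_B_IP, 5432),
    }


if __name__ == "__main__":
    for label, acl in (("original", db_acl_original), ("fixed", db_acl_fixed)):
        print(label, scenarios(acl))
        _, db_a, db_b = build(acl)
        for check, ok in tcp_flow(db_a, PROXY_IP, db_b, PRIMARY_B_IP, 5432).items():
            print("   ", "ALLOW" if ok else "DENY ", check)
```

With the original rules the same-subnet case passes trivially (no ACL is consulted) while the cross-AZ case fails on the very first check, the proxy subnet's egress toward the primary, because 10.0.11.20 matches no outbound rule. Scoping the ephemeral-port rules to the VPC CIDR in both directions makes all four checks pass; if you prefer a tighter rule set, an outbound rule for port 5432 to the other database subnet plus inbound/outbound ephemeral rules between the database subnets is the minimum this model needs.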
