- Newest
- Most votes
- Most comments
Hello.
I also gave a similar answer at the URL below.
https://repost.aws/ja/questions/QUOts4tKf-TmmtYPbBjrrQ9g/public-ecs-to-private-rds
Even if ECS is deployed in a public subnet, you can connect if you configure the RDS security group's inbound rules to allow the ECS security group.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing
Specifically, you can connect by setting the following rules in the RDS security group.
| Source | Protocol | Port range |
|---|---|---|
| ECS security group ID | MySQL | 3306 |
I think you can check the connection using the method in the document below.
https://repost.aws/knowledge-center/ecs-fargate-task-database-connection
Hi,
You probably want to follow this guidance to achieve a fully secure connection for your RDS:
Just replace EC2 by your ECS task
Best,
Didier
Hi Didier, appreciate your help. But our application was currently deployed on the ECS. We just setup a separate EC2 instance used as bastion host so we could connect via SSH with my private RDS. Currently I am stuck on how can I confirm the connection of our public ecs to the new private rds. Maybe you could share something that would be a great help
what if my RDS is placed on the new VPC and the existing ECS were on the default VPC. We have built a tf script for this. Is ot possible if I just replaced the VPC name value under the ECS on my terraform script so both resources lies on the same VPC?
If your VPCs are different, set up VPC peering.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html
Additionally, if you perform VPC peering, you can refer to security groups in both directions.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html
I'm not sure what the TF script you created looks like, but I think changing the VPC name will change the VPC that ECS starts with, but the settings may be different from the default VPC.
In other words, there is a possibility that ECS will not start properly, so please be careful when changing it.
Hello
Please see Using a private subnet and NAT gateway
Hope it helps and if it does, I would appreciate if answer can be accepted so that community can benefit for clarity when searching for similar enquiries in repost/aws guide..
Hi there, I already configured NAT Gateway. Do I need other AWS resources to connect my public ECS to my Private RDS? Should I use an API Gateway?
A NAT Gateway is not required to connect public ECS to private RDS. If ECS and RDS are running in the same VPC, there is no need to create other resources.
Hi Riku, what if my RDS is placed on the new VPC and the existing ECS were on the default VPC. We have built a tf script for this. Is ot possible if I just replaced the VPC name value under the ECS on my terraform script so both resources lies on the same VPC?
Relevant content
- asked 14 days ago
- asked 9 months ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
Hi Riku, I have configured it already. Will check the documentation for the testing thank you!
Please follow the steps in the document below to create an ECS task and check if you can connect using the same security group. https://repost.aws/knowledge-center/ecs-fargate-task-database-connection
Hi Riku, I have viewed this documentation before. Is there other way without deploying files on the ECR?
You only need to be able to check the security group settings, so you can check the connection by creating EC2 with the same security group as ECS in the same subnet as ECS. If you can access it from the MySQL client installed on EC2, you can confirm that the security group settings are correct.