Connect to private RDS from ECS cluster in different VPC


Due to an infrastructure change, I would like to establish a connection from the ECS cluster in VPC1 with CIDR 10.30.0.0/16 to an existing private RDS cluster in VPC 2 with CIDR 10.60.10.0/24. How can I make this possible using AWS resources? My idea was to allow the security group in the RDS access from 10.30.0.0/16, but I think that's not all? My application from VPC1 has to read and write the data.

asked 2 months ago, 63 views
2 Answers

Hello.

To communicate between different VPCs, you need to set up VPC peering or set up a Transit Gateway.
In this case, since the number of VPCs is small, I think it would be a good idea to set up VPC peering.
You can communicate by setting up VPC peering using the steps in the document below and setting routes to each other's VPCs in the subnet route tables within each VPC.
In other words, you need to add a route destined for VPC-2 in the route table for VPC-1, and a route destined for VPC-1 in the route table for VPC-2.
https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html

Also, although it is possible to allow the VPC CIDR in the RDS security group, it is also possible to reference the security group, so you can narrow down the communication further.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

EXPERT, answered 2 months ago; reviewed by EXPERT 2 months ago

To enable communication from your ECS cluster in VPC1 (CIDR: 10.30.0.0/16) to your RDS cluster in VPC2 (CIDR: 10.60.10.0/24), follow these steps:

1. VPC Peering or Transit Gateway:

  • Set up a VPC peering connection between VPC1 and VPC2 or use an AWS Transit Gateway.

  • Update route tables in both VPCs to route traffic between them through the peering connection or Transit Gateway.

  • VPC Peering Guide: VPC Peering Documentation

  • Transit Gateway Guide: AWS Transit Gateway Documentation

2. Security Group Configuration:

  • Allow inbound traffic from VPC1 (CIDR: 10.30.0.0/16) to your RDS instance security group on the appropriate database port (e.g., port 3306 for MySQL, 5432 for PostgreSQL).
  • Ensure the ECS task security group allows outbound traffic to RDS.

3. Route Table Updates:

  • In VPC1, update the route table to route traffic destined for 10.60.10.0/24 (RDS) through the peering or Transit Gateway.
  • In VPC2, update the route table to route traffic destined for 10.30.0.0/16 (ECS) similarly.

4. Network ACLs:

  • Ensure network ACLs in both VPCs allow traffic between them.

5. Test the Connection:

After configuring, test the ECS application to ensure it can connect to and interact with the RDS instance.

By following these steps, your ECS application should be able to read/write data to the RDS instance in VPC2.

Let me know if you need more details!

answered 2 months ago
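The procedure both answers describe (peering connection, routes in both directions, security group rules on the database port) written out as a single Terraform configuration. This is an added example and not code from either answer or from AWS; it assumes both VPCs are in the same account and region, that the existing VPCs, private route tables and security groups can be looked up by the CIDRs, tags and names used below (all hypothetical), and that the database is PostgreSQL on port 5432. It takes the first answer's suggestion of referencing the ECS task security group instead of opening the RDS group to the whole 10.30.0.0/16.

```hcl
# Added example (not from the original post): VPC1 (ECS) peered to VPC2 (RDS),
# routes both ways, and RDS ingress limited to the ECS task security group.
# Assumptions: same account and region; existing resources found by the
# tags/names below, which are hypothetical; PostgreSQL on 5432.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-central-1" # assumption
}

# Existing VPCs, looked up by the CIDRs from the question
data "aws_vpc" "ecs" {
  cidr_block = "10.30.0.0/16"
}

data "aws_vpc" "rds" {
  cidr_block = "10.60.10.0/24"
}

# Route tables of the subnets that must reach each other (tag is hypothetical)
data "aws_route_tables" "ecs_private" {
  vpc_id = data.aws_vpc.ecs.id
  filter {
    name   = "tag:Tier"
    values = ["private"]
  }
}

data "aws_route_tables" "rds_private" {
  vpc_id = data.aws_vpc.rds.id
  filter {
    name   = "tag:Tier"
    values = ["private"]
  }
}

# Existing security groups (names are hypothetical)
data "aws_security_group" "ecs_tasks" {
  name   = "ecs-tasks-sg"
  vpc_id = data.aws_vpc.ecs.id
}

data "aws_security_group" "rds" {
  name   = "rds-sg"
  vpc_id = data.aws_vpc.rds.id
}

# 1. Peering connection; auto_accept only works within one account and region
resource "aws_vpc_peering_connection" "ecs_to_rds" {
  vpc_id      = data.aws_vpc.ecs.id
  peer_vpc_id = data.aws_vpc.rds.id
  auto_accept = true
  tags        = { Name = "vpc1-ecs-to-vpc2-rds" }
}

# 2. Routes in both directions. Without the return route in VPC2 the
#    database's replies to 10.30.0.0/16 have no path and the TCP handshake stalls.
resource "aws_route" "ecs_to_rds" {
  for_each                  = toset(data.aws_route_tables.ecs_private.ids)
  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.rds.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.ecs_to_rds.id
}

resource "aws_route" "rds_to_ecs" {
  for_each                  = toset(data.aws_route_tables.rds_private.ids)
  route_table_id            = each.value
  destination_cidr_block    = data.aws_vpc.ecs.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.ecs_to_rds.id
}

# 3. RDS ingress from the ECS task security group only, on the DB port only.
#    A peer-VPC security group can be referenced because the VPCs are peered
#    in the same region; a CIDR rule for 10.30.0.0/16 would admit every host in VPC1.
resource "aws_vpc_security_group_ingress_rule" "rds_from_ecs_tasks" {
  security_group_id            = data.aws_security_group.rds.id
  referenced_security_group_id = data.aws_security_group.ecs_tasks.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  description                  = "PostgreSQL from ECS tasks via peering"
}

# ECS task egress to the database security group; only needed if the task
# security group does not already allow this outbound traffic.
resource "aws_vpc_security_group_egress_rule" "ecs_tasks_to_rds" {
  security_group_id            = data.aws_security_group.ecs_tasks.id
  referenced_security_group_id = data.aws_security_group.rds.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}
```

Apply with `terraform plan` followed by `terraform apply`, then confirm the peering connection shows `active` in `aws ec2 describe-vpc-peering-connections` before testing from a task. If the subnets use custom network ACLs rather than the default allow-all, the ACLs on the RDS subnets must permit inbound TCP 5432 from 10.30.0.0/16 and outbound TCP to the ephemeral port range (1024-65535) back to it, and the ECS subnets need the mirror image; a missing ephemeral-port rule is the usual reason a connection works at the security group level but still times out.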
