Public ECS to Private RDS


Hi everyone, I am currently implementing a network change. I have created a new private RDS DB instance. I need to connect my ECS to this private RDS so my app can work as expected. Do you have any suggestions on how to proceed, using API Gateway or any other resources? I am very new to AWS. If you could possibly provide a step-by-step process, that would be a great help.

I will appreciate everyone's insights. Thank you!

1 Answer

Hello.

ECS itself does not need to be placed directly in a public subnet.
Since API Gateway will be added later, I think it is best to configure it so that it can be accessed via an ALB.
You can access ECR using a VPC endpoint, but I think the setup is complicated for beginners, so I think it's best to set it up using a NAT Gateway first.
The configuration will be as follows.

Reference documents are below.
https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet
https://repost.aws/knowledge-center/ecs-fargate-task-database-connection

First, set up a network such as VPC.
Although it is a little old, I think the following video will be helpful.
https://www.youtube.com/watch?v=43tIX7901Gs

Make sure "enableDnsHostnames" and "enableDnsSupport" are enabled after creating the VPC.
If these are not enabled, access to ECR and RDS will fail.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support

Next, create an ALB.
I think the following blog will be helpful when creating an ALB.
https://sakyasumedh.medium.com/setup-application-load-balancer-and-point-to-ecs-deploy-to-aws-ecs-fargate-with-load-balancer-4b5f6785e8f

Next, create RDS.
I think the following blog will be helpful for creating RDS.
https://sakyasumedh.medium.com/deploy-backend-application-to-aws-ecs-with-application-load-balancer-step-by-step-guide-part-1-91935ae93c51

Next, create ECR and ECS.
I think the following blog will be helpful for setting up ECR and ECS.
https://sakyasumedh.medium.com/deploy-backend-application-to-aws-ecs-with-application-load-balancer-step-by-step-guide-part-2-e81d4daf0a55
https://sakyasumedh.medium.com/deploy-backend-application-to-aws-ecs-with-application-load-balancer-step-by-step-guide-part-3-b8125ca27177

EXPERT
answered 13 days ago
  • Hi, we have an existing ECS in a public subnet, and it must not be moved to a private subnet for now. Is this resolution still possible? Currently I have set up an EC2 instance as a bastion host so I can connect to the private RDS via SSH. The only thing left is how I can connect the app directly to the private RDS. Thank you for your help!

  • Even if ECS is deployed in a public subnet, you can connect if you configure the RDS security group's inbound rules to allow the ECS security group. https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing
    Specifically, you can connect by setting the following rule in the RDS security group.

    Source                   Protocol   Port range
    ECS security group ID    MySQL      3306
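The two settings this thread turns on (the VPC DNS attributes from the answer, and an RDS security group inbound rule that references the ECS security group rather than an IP range from the comment) are easy to get wrong and easy to check. The following is an added example, not code from the original post or from AWS: a small audit that takes data in the shape boto3's describe_vpc_attribute and describe_security_groups return and reports whether the RDS security group follows the comment's rule. All inputs are hand-constructed and the security group IDs are hypothetical, so it runs offline; in practice you would feed it the live API responses.

```python
"""Audit the posture described above: VPC DNS attributes on, and the RDS
security group reached only via a reference to the ECS security group.

Added example, not part of the original re:Post thread. Inputs are
constructed dicts mimicking boto3 output; security group IDs are made up.
"""

DB_PORT = 3306  # MySQL, as in the table in the comment above

# Constructed: the two VPC attributes the answer says must both be enabled.
VPC_ATTRS_OK = {"EnableDnsSupport": True, "EnableDnsHostnames": True}
VPC_ATTRS_BAD = {"EnableDnsSupport": True, "EnableDnsHostnames": False}

ECS_SG = "sg-0ecs00000000000aa"  # hypothetical ECS task security group
RDS_SG = "sg-0rds00000000000bb"  # hypothetical RDS security group

# Constructed: RDS security group configured as the comment recommends,
# i.e. port 3306 allowed from the ECS security group, no CIDR ranges.
RDS_SG_GOOD = {
    "GroupId": RDS_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ECS_SG}]},
    ],
}

# Constructed: a shortcut that also "works" for tasks in a public subnet,
# but exposes the database port to the whole Internet.
RDS_SG_BAD = {
    "GroupId": RDS_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def dns_attributes_ok(attrs):
    """Both enableDnsSupport and enableDnsHostnames must be true, otherwise
    ECR and the RDS endpoint hostname will not resolve inside the VPC."""
    return bool(attrs.get("EnableDnsSupport")) and bool(attrs.get("EnableDnsHostnames"))


def _covers_port(perm, port):
    """True if one IpPermissions entry includes TCP `port`.
    Protocol "-1" means all traffic and carries no port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_db_sg(sg, app_sg_id, port=DB_PORT):
    """Return a list of findings for the database security group.

    An empty list means: the DB port is reachable from the application's
    security group by reference, and from no CIDR range at all. Referencing
    the group (not the tasks' public IPs) matters because Fargate task IPs
    change on every deployment.
    """
    findings = []
    referenced = False
    for perm in sg.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id:
                referenced = True
        for rng in perm.get("IpRanges", []):
            cidr = rng.get("CidrIp", "")
            if cidr.endswith("/0"):
                findings.append(f"port {port} open to the Internet ({cidr})")
            else:
                findings.append(f"port {port} allowed from CIDR {cidr}; "
                                f"prefer referencing the ECS security group")
    if not referenced:
        findings.append(f"no inbound rule on port {port} references {app_sg_id}")
    return findings


if __name__ == "__main__":
    print("VPC DNS attributes ok:", dns_attributes_ok(VPC_ATTRS_OK))
    print("good RDS SG findings:", audit_db_sg(RDS_SG_GOOD, ECS_SG))
    print("bad RDS SG findings: ", audit_db_sg(RDS_SG_BAD, ECS_SG))
```

The rule in the comment's table corresponds to `aws ec2 authorize-security-group-ingress --group-id <rds-sg-id> --protocol tcp --port 3306 --source-group <ecs-sg-id>`; the bastion host from the follow-up question can be admitted the same way with its own security group, so nothing on port 3306 ever needs a CIDR rule.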
