My ECS tasks (VPC A) can't connect to my RDS (VPC B) even though the VPCs are peered and networking is configured correctly
Hi, as mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the RDS by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs, so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS.
Reachability Analyzer, checking from a specific task's Elastic Network Interface to the RDS ENI, is successful, using internal routing through the peering connection.
At the same time, I have another server in VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables. Any help is appreciated.
Here are some details about the VPCs:
- Peering Connection 1 between A and B
- Peering Connection 2 between C and B

Route table for VPC A:
- 184.108.40.206/16: Peering Connection 1
- 220.127.116.11/16: Local
- 0.0.0.0/0: Internet Gateway

Route table for VPC C:
- 18.104.22.168/16: Peering Connection 2
- 22.214.171.124/16: Local
- 0.0.0.0/0: Internet Gateway

Security group rules on the RDS:
- Ingress: 126.96.36.199/16: Allow DB Port
- Ingress: 188.8.131.52/16: Allow DB Port
- Egress: 0.0.0.0/0: Allow all ports
When I add the rule "0.0.0.0/0: Allow DB Port" to the RDS security group, ECS can connect to my RDS through its public IP.
The issue seems to be caused by this: "The ECS tasks try to resolve the RDS by name, and it resolves to the RDS public IP (RDS has public and private IPs)."
Refer to the section below in the link:
To ensure that queries from the peer VPC resolve to private IP addresses in your local VPC, choose the option to enable DNS resolution for queries from the peer VPC. This option is Requester DNS resolution or Accepter DNS resolution, depending on whether the VPC is the requester or accepter VPC.
Refer to the section below in the link:
You can resolve the public domain name to the private IP address of the EC2 instance. To do this, turn on one of the following options on the VPC peering connection:
- Requester DNS resolution -or-
- Accepter DNS resolution
After turning on DNS resolution, you can resolve the public DNS to the private IP address of the instance.
Thanks for that! That solved the issue.
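As an added example (not code from the original posts, and not AWS's own tooling), the following POSIX shell script diagnoses the symptom from inside a task and applies the fix from the answer above with the AWS CLI. It assumes the peering connection id and the RDS endpoint are passed as arguments, and that VPC B (the VPC holding the RDS) is the accepter side of the peering connection; pass `requester` instead if VPC B initiated the peering. The `aws` calls need the CLI installed and credentials in the account that owns VPC B, because only that account can change that side's peering options.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from AWS.
# Assumptions: the VPC A <-> VPC B peering connection id and the RDS endpoint
# are given on the command line, and VPC B (where the RDS lives) is the
# ACCEPTER side of that peering connection ("requester" if B created it).
set -eu

# Classify an IPv4 address as private (RFC 1918) or public using only POSIX
# pattern matching, so this also runs inside a minimal task container image.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) echo private ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    *) echo public ;;
  esac
}

# Resolve a hostname from inside the task and print the first IPv4 address.
resolve_first_ipv4() {
  getent hosts "$1" | awk 'NR == 1 { print $1 }'
}

# Diagnose the symptom from the question: from VPC A the RDS name should
# resolve to the private address that the peering route can reach.
# Exits non-zero when it resolves to a public address instead.
check_rds_resolution() {
  ip=$(resolve_first_ipv4 "$1")
  kind=$(is_private_ip "$ip")
  printf '%s -> %s (%s)\n' "$1" "$ip" "$kind"
  [ "$kind" = private ]
}

# Prerequisite: a VPC must have DNS support and DNS hostnames enabled,
# otherwise the peering DNS option has nothing to act on. Run for A and B.
show_vpc_dns_attributes() {
  aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsSupport \
    --query 'EnableDnsSupport.Value' --output text
  aws ec2 describe-vpc-attribute --vpc-id "$1" --attribute enableDnsHostnames \
    --query 'EnableDnsHostnames.Value' --output text
}

# The fix from the accepted answer: allow the remote VPC (A) to resolve
# hostnames of resources in the RDS VPC (B) to their private addresses.
# The option lives on the side that owns VPC B, so the second argument says
# whether B is the accepter or the requester of the peering connection.
enable_peer_dns_resolution() {
  case "$2" in
    accepter)  opt=--accepter-peering-connection-options ;;
    requester) opt=--requester-peering-connection-options ;;
    *) echo "side must be accepter or requester" >&2; return 2 ;;
  esac
  aws ec2 modify-vpc-peering-connection-options \
    --vpc-peering-connection-id "$1" \
    "$opt" AllowDnsResolutionFromRemoteVpc=true
}

# Verify the DNS options on both sides of the peering connection.
show_peer_dns_options() {
  aws ec2 describe-vpc-peering-connections \
    --vpc-peering-connection-ids "$1" \
    --query 'VpcPeeringConnections[0].{Requester:RequesterVpcInfo.PeeringOptions,Accepter:AccepterVpcInfo.PeeringOptions}' \
    --output json
}

# Usage: sh peer-dns.sh fix <pcx-id> <accepter|requester>   (from a workstation)
#        sh peer-dns.sh check <rds-endpoint>                 (from inside a task)
case "${1:-}" in
  fix)   enable_peer_dns_resolution "$2" "$3"; show_peer_dns_options "$2" ;;
  check) check_rds_resolution "$2" ;;
  *)     ;;   # no arguments: only define the functions above
esac
```

Once `check` reports a private address, the existing ingress rule for VPC A's CIDR on the RDS security group is sufficient and the temporary `0.0.0.0/0` rule should be removed. This also explains why Reachability Analyzer passed while the application failed: it tests the ENI-to-ENI path over the peering route, not which address the name resolves to.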