By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

My ECS tasks (VPC A) can't connect to my RDS (VPC B) even though the VPCs are peered and networking is configured correctly

2

Hi, As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the rds by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS.

Reachability Analyzer checking specific tasks' Elastic Network Interface to the RDI ENI is successful, using internal routing through the peering connection.

At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables. Any help is appreciated

Here are some details about the VPCs

VPC A - 15.2.0.0/16 [three subnets] VPC B - 111.30.0.0/16 [three subnets] VPC C - 15.0.0.0/16 [three subnets]

Peering Connection 1 between A and B Peering Connection 2 between C and B

Route table for VPC A: 111.30.0.0/16 : Peering Connection 1 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway

Route table for VPC C: 111.30.0.0/16: Peering Connection 2 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway

Security groups allow traffic to RDS: Ingress: 15.0.0.0/16: Allow DB Port 15.2.0.0/16: Allow DB Port Egress: 0.0.0.0/0: Allow all ports

When I add the rule: 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.

Topics
Networking & Content DeliveryDatabaseContainers
Tags
Amazon VPCPostgreSQLNetworking & Content DeliveryAmazon Elastic Container Service
Language
English
ManavDa
asked 2 years ago1026 views
1 Answer
2

The issue seems to be because of this - "The ECS tasks try to resolve the rds by name, and it resolves to the RDS public IP (RDS has public and private IPs)"

Refer below section in link

To ensure that queries from the peer VPC resolve to private IP addresses in your local VPC, choose the option to enable DNS resolution for queries from the peer VPC. This option is Requester DNS resolution or Accepter DNS resolution, depending on whether the VPC is the requester or accepter VPC.

Refer below section in link

You can resolve the public domain name to the private IP address of the EC2 instance. To do this, turn on one of the following options on the VPC peering connection:

  • Requester DNS resolution -or-
  • Accepter DNS resolution

After turning on DNS resolution, you can resolve the public DNS to the private IP address of the instance

profile pictureAWS
EXPERT
Tushar_J
answered 2 years ago
profile pictureAWS
EXPERT
Brettski-AWS
reviewed 2 years ago
  • ManavDa
    2 years ago

    Thanks for that! That solved the issue.

  • Tushar_J EXPERT
    a year ago

    Hi, If the Answer was helpful, please click 'Mark as answered', this can be beneficial to other community members.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content