AWS Client VPN connection problem with RDS in same VPC


Is there a specific setting for any of the following (subnet, security group, client VPN endpoint) that I should be aware of when I want to connect to an RDS DB? I have an AWS Client VPC with an enabled Client VPN endpoint. I can connect to the VPN using the VPN client, and the internet is also working just fine. But somehow when I try to access RDS, the connection times out. RDS is located in a subnet group of all 4 subnets (public and private in region-X and region-Y).

Joon
asked 19 days ago
1 Answer

Hello.

What are the inbound rules of the RDS security group?
For example, does the security group allow connections from the VPN client endpoint's security group?
Also, when you resolve the name of an RDS endpoint using the "dig" command, will an IP address be returned from the VPC CIDR range?
If public access is enabled on RDS, a public IP address will be returned, so even if communication is via VPN, it may not be possible to connect depending on the AWS configuration.

EXPERT
answered 19 days ago
EXPERT
reviewed 19 days ago
  • Also, if RDS is in multiple VPCs, you will need to set up something like a Transit Gateway to be able to communicate with multiple VPCs. I think the following AWS blog will be helpful for AWS VPC configuration. https://aws.amazon.com/jp/blogs/networking-and-content-delivery/using-aws-client-vpn-to-scale-your-work-from-home-capacity/

  • Thank you for your answer.

• The inbound rules of my RDS allow all traffic from a security group called "A" (as source, with all protocols and types). The Client VPN endpoint is associated with the "A" security group, and the "A" security group permits all traffic from the default VPC security group.

    Client VPN endpoint -> associated security group: A; inbound rule (source, type, protocol): default VPC sg, All, All
    RDS instance -> associated security group: B; inbound rule (source, type, protocol): A, All, All

    • "dig" command returns the IP address within VPC CIDR range:

    ;; ANSWER SECTION: xxxxxx.abcdefghijk.us-west-1.rds.amazonaws.com. 5 IN A 10.0.X.XX

    • Public access is set to No for my RDS instance. I actually tested it by setting it to Yes, and the "dig" command did return a public IP address. I've also tried to query a table within the DB instance, and the mysql connection timed out just like you said. Normally when I set a DB instance to public, the mysql connection is established, but not in this case. Can you assume what AWS configuration is prohibiting the connections?
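The answer and the follow-up comments amount to three checks: does the RDS security group admit traffic from the security group attached to the Client VPN endpoint, does the RDS endpoint name resolve to an address inside the VPC CIDR, and is public access off. The script below, added here as an illustration and not code from the thread or from AWS, encodes those checks over constructed data modelled on the poster's setup (security groups "A" and "B", a placeholder VPC CIDR and resolved address). It also adds one check the thread does not raise but which is a routine cause of exactly this "everything looks right, still times out" symptom: the Client VPN endpoint's authorization rules must cover the destination network the RDS address falls in. The authorization rule list and all group IDs are assumptions for the example.

```python
import ipaddress

# Constructed sample data modelled on the thread. Group IDs, the VPC CIDR and the
# resolved address are placeholders, not values from the poster's account.
# SG "A" is associated with the Client VPN endpoint, SG "B" with the RDS instance.
SECURITY_GROUPS = {
    "sg-A": {"inbound": [{"proto": "-1", "from": 0, "to": 65535, "source": "sg-default"}]},
    "sg-B": {"inbound": [{"proto": "-1", "from": 0, "to": 65535, "source": "sg-A"}]},
    "sg-default": {"inbound": []},
}
VPC_CIDR = "10.0.0.0/16"  # assumed VPC range
# Client VPN authorization rules (destination networks VPN users may reach);
# assumed here, the thread does not mention them.
CLIENT_VPN_AUTH_RULES = ["10.0.0.0/16"]

# Constructed dig output in the shape quoted in the thread.
DIG_PRIVATE = """\
;; QUESTION SECTION:
;xxxxxx.abcdefghijk.us-west-1.rds.amazonaws.com. IN A

;; ANSWER SECTION:
xxxxxx.abcdefghijk.us-west-1.rds.amazonaws.com. 5 IN A 10.0.12.34
"""
# Same endpoint with public access enabled: a public address comes back.
DIG_PUBLIC = DIG_PRIVATE.replace("10.0.12.34", "52.9.1.2")


def rule_matches(rule, source_sg, proto, port):
    """One inbound rule: source SG must match; proto -1 means all protocols/ports."""
    if rule["source"] != source_sg:
        return False
    if rule["proto"] == "-1":
        return True
    return rule["proto"] == proto and rule["from"] <= port <= rule["to"]


def sg_allows(groups, dest_sg, source_sg, proto, port):
    """True if dest_sg has an inbound rule admitting proto/port from source_sg."""
    return any(rule_matches(r, source_sg, proto, port) for r in groups[dest_sg]["inbound"])


def answer_addresses(dig_text):
    """Collect A-record addresses from the ANSWER SECTION of dig output."""
    addrs, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # section ends at the first blank line
            parts = line.split()
            if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
                addrs.append(parts[4])
    return addrs


def diagnose(groups, vpn_sg, rds_sg, dig_text, vpc_cidr, auth_rules, port=3306):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    authorized = [ipaddress.ip_network(r) for r in auth_rules]

    # 1. Security group chain: RDS SG must admit the VPN endpoint's SG.
    if not sg_allows(groups, rds_sg, vpn_sg, "tcp", port):
        findings.append(f"{rds_sg} has no inbound rule admitting tcp/{port} from {vpn_sg}")

    # 2. Name resolution: the endpoint should resolve to a VPC-private address.
    addrs = answer_addresses(dig_text)
    if not addrs:
        findings.append("dig returned no A record for the RDS endpoint")
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip not in vpc:
            findings.append(f"{a} is outside VPC CIDR {vpc}; endpoint resolves publicly (public access on?)")
        # 3. Authorization rules: VPN users must be allowed to reach that destination.
        elif not any(ip in net for net in authorized):
            findings.append(f"{a} is not covered by any Client VPN authorization rule")
    return findings


if __name__ == "__main__":
    for label, dig in (("private", DIG_PRIVATE), ("public", DIG_PUBLIC)):
        result = diagnose(SECURITY_GROUPS, "sg-A", "sg-B", dig, VPC_CIDR, CLIENT_VPN_AUTH_RULES)
        print(label, "->", result or "all checks passed")
```

With the thread's own configuration the script reports nothing, which matches the discussion: the security group chain and private resolution are fine, so the cause lies somewhere the thread has not yet looked, such as the authorization rules or the endpoint's route table.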
