next.js on Amplify: how to connect to an RDS database?

0

We're deploying a next app w/ api routes as backend and would like to use an RDS database as the datastore. I'd usually add a resource to a security group to share access, but I'm not seeing that sort of configuration available.

Any suggestion for accomplishing this?

3 Answers
1

Hi Again,

Greetings from AWS team.

As checked with Amplify team,

With Amplify Next.js Classic SSR, the API routes are powered by L@E functions, so there is no scope for configuring the same in a VPC. Recently there was a launch of Amplify Hosting Compute; even that does not have VPC configuration. So what you are looking for is currently not supported; RDS needs to be open to the public. However, we do not recommend making the DB public as it does not seem secure. As a workaround, you may spin up an Amplify Backend to provision a REST API + Lambda (VPC) that interacts with your RDS.

You may raise a ticket with the AWS team for support.

Thank you!

AWS
Vinit
answered a year ago
  • Thanks for tracking down the answer, Vinit. This is disappointing since I'm not sure what to do with a Next.js API route that can't connect to a data store. If an IP range were available to add to an allow list it would be helpful.

  • Hi Nil,

    You may raise a ticket with AWS support with the Amplify team for guidance on provisioning a REST API + Lambda function that interacts with the RDS database.

    Let me know if there is any other query from your side. I deeply regret the inconvenience caused due to this issue.

    Regards, Vinit

0

Hello from AWS,

Thanks for posting this query. I understand that you need support to connect to an RDS instance from your Next.js application.

You can have an external RESTful API that interacts with RDS, and your Next.js application then interacts with the API.

Connecting to an RDS instance / Aurora:

Step 1: Build the RDS instance and gather connection string information. The connection information for a DB instance includes its endpoint, port, and a valid database user, such as the master user.

Step 2: Configure the VPC and security groups.

Using Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources, such as Amazon RDS DB instances, into a virtual private cloud (VPC). When you use Amazon VPC, you have control over your virtual networking environment. You can choose your own IP address range, create subnets, and configure routing and access control lists.

A VPC security group controls access to DB instances inside a VPC. Each VPC security group rule enables a specific source to access a DB instance in a VPC that is associated with that VPC security group. The source can be a range of addresses (for example, 172.160.0.0/24) or another VPC security group. By specifying a VPC security group as the source, you allow incoming traffic from all instances (typically application servers) that use the source VPC security group.

VPC security groups provide access to DB instances in a VPC. They act as a firewall for the associated DB instance, controlling both inbound and outbound traffic at the DB instance level. DB instances are created by default with a firewall and a default security group that protect the DB instance.

Before you can connect to your DB instance, you must add rules to a security group that enable you to connect. Use your network and configuration information to create rules to allow access to your DB instance.

For example, suppose that you have an application that accesses a database on your DB instance in a VPC. In this case, you must add a custom TCP rule that specifies the port range and IP addresses that your application uses to access the database.

For more information regarding your environment, you may raise a ticket with the AWS support team.

For more information, check the links below:

[1] https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create-deploy-nodejs.rds.html#nodejs-rds-connect
[2] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html
[3] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_Troubleshooting.html
[4] https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html
[5] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.Connecting

AWS
Vinit
answered a year ago
  • Yes, I do have a good handle on security groups. I just don't see any way within Amplify to configure them. I also don't see where I'd get an IP range to add to the RDS security group.

0

Hi,

Greetings from AWS support.

You may define inbound rules that use the IP addresses of the client application as the source. You may get the public IP by checking a third-party site, "what is my IP address". This is not provided by AWS, so AWS does not hold any rights.

Once you get the IP range of all source host addresses, you may add the CIDR range in the security group. The security group associated with the RDS instance can be viewed on the RDS console page:

  1. Select the RDS database instance.
  2. Under Connectivity & security, go to Security groups.
  3. Select the associated security group and add the required CIDR range.

For example, if I have 3 computers accessing the RDS with IPs 172.168.1.1, 172.168.1.2 and 172.168.1.3, then I will add the CIDR range in the inbound rule of the RDS security group as 172.168.1.0/28. This way I can have around 16 usable IPs in the range. For creating CIDR ranges you may use https://cidr.xyz/ for more information. However, this is a third-party website.

Also, for checking if everything is fine, you may add the source address 0.0.0.0/0 in the inbound rules. This will allow traffic from all IP address ranges to connect to the RDS database instance. This is NOT recommended by AWS, however, as it's not security or risk compliant. This should be changed to your source application IP address only, once it's figured out.

Regarding Amplify, I will check with the Amplify team for more details. Meanwhile, you may raise a ticket with AWS anytime for support.

Thank you

AWS
Vinit
answered a year ago
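As an added example (not code from the answers above or from AWS), the script below does the arithmetic the last answer describes and audits a set of inbound rules in the form the earlier answer outlines: it computes the tightest CIDR block that covers a list of client addresses, flags any rule open to 0.0.0.0/0, reports rules wider than the clients need, and recognises a security-group-to-security-group rule, which is the shape the REST API + Lambda (VPC) workaround from the first answer makes possible. The three client IPs, the rule list (laid out like the `IpPermissions` entries returned by EC2 `DescribeSecurityGroups`), the `sg-` id and the port 5432 are all constructed sample values, not anything from the original thread.

```python
import ipaddress

# Constructed sample: the three client hosts mentioned in the answer above.
CLIENT_IPS = ["172.168.1.1", "172.168.1.2", "172.168.1.3"]

# Assumption: PostgreSQL default port; change it for your engine.
DB_PORT = 5432

# Constructed sample in the shape of EC2 DescribeSecurityGroups "IpPermissions":
# a CIDR rule, a world-open rule, and a rule whose source is another security group.
SAMPLE_INBOUND_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "172.168.1.0/28", "Description": "office clients"}],
     "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary test"}],
     "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [],
     # Placeholder id for the Lambda's security group (not a real resource).
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
]


def smallest_covering_cidr(addresses):
    """Return the smallest single IPv4 block that contains every given address."""
    ips = sorted(ipaddress.ip_address(a) for a in addresses)
    lo, hi = ips[0], ips[-1]
    # Widen the prefix starting from the lowest address until the highest fits.
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("no covering block found")  # unreachable for valid IPv4 input


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port` (protocol -1 means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def audit_inbound_rules(rules, port, client_ips):
    """Classify every rule that reaches `port`.

    Returns a list of (kind, detail) tuples where kind is one of:
    'open-to-world', 'does-not-cover-clients', 'wider-than-needed', 'tight',
    or 'sg-reference' (source is another security group, the preferred form).
    """
    clients = [ipaddress.ip_address(a) for a in client_ips]
    needed = smallest_covering_cidr(client_ips)
    findings = []
    for rule in rules:
        if not rule_covers_port(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            findings.append(("sg-reference", pair["GroupId"]))
        ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
        for r in ranges:
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr)
            if net.prefixlen == 0:
                findings.append(("open-to-world", cidr))
            elif not all(c in net for c in clients):
                findings.append(("does-not-cover-clients", cidr))
            elif net.num_addresses > needed.num_addresses:
                findings.append(("wider-than-needed", f"{cidr} (tightest: {needed})"))
            else:
                findings.append(("tight", cidr))
    return findings


if __name__ == "__main__":
    print("tightest block for clients:", smallest_covering_cidr(CLIENT_IPS))
    for kind, detail in audit_inbound_rules(SAMPLE_INBOUND_RULES, DB_PORT, CLIENT_IPS):
        print(f"{kind:24} {detail}")
```

Running it against the constructed rules reports the /28 as wider than the three hosts need, the 0.0.0.0/0 entry as open to the world, and the `sg-` source as a group reference. In practice the same audit can be fed the real `IpPermissions` list from the RDS instance's security group, and a rule whose source is the Lambda's security group removes the need to track client IP ranges at all.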
