"Spring Boot Application Fails to Start After Switching RDS to Private: Unsatisfied Dependency and EntityManager Issues"


I want to change my RDS instance from being publicly accessible to privately accessible, so I configured it to use a VPC and made the necessary changes to both the RDS configuration and App Runner's outgoing traffic settings. However, when I deployed these changes, the deployment rolled back. I checked CloudWatch for errors and found the following:

2024-08-13T06:07:48,593 [] ERROR [main] org.springframework.boot.web.embedded.tomcat.TomcatStarter: Error starting Tomcat context. Exception: org.springframework.beans.factory.UnsatisfiedDependencyException. Message: Error creating bean with name 'jwtJiraAuthenticationFilter': Unsatisfied dependency expressed through method 'jwtJiraAuthenticationFilter' parameter 0: Error creating bean with name 'serviceConnectionManager': Unsatisfied dependency expressed through constructor parameter 0: Error creating bean with name 'serviceConnectionRepository': Cannot resolve reference to bean 'jpaSharedEM_entityManagerFactory' while setting bean property 'entityManager'

Can someone help me understand what might be causing this error after making my RDS private and deploying the changes?

It works perfectly when my RDS is publicly accessible, and I configure App Runner for both incoming and outgoing traffic as public access. What could be the issue?

RDS configuration

Security groups setting in RDS

Security groups setting in App Runner

2 Answers

Hello.

It's difficult to judge based on this error message alone, but is AppRunner's VPC connector deployed in the same subnet as the RDS subnet?
https://docs.aws.amazon.com/apprunner/latest/dg/network-vpc.html

Also, do you allow access from the security group configured in AppRunner's VPC connector in the RDS security group?
I think that the "jwtJiraAuthenticationFilter" part in the error message indicates that some sort of authentication process is being implemented, but is this accessing an external API?
If the authentication uses an external API, try creating a NAT Gateway in the VPC connected with the VPC connector and setting it so that AppRunner can route to the public internet via the NAT Gateway.
https://aws.amazon.com/jp/blogs/aws/new-for-app-runner-vpc-support/
https://docs.aws.amazon.com/apprunner/latest/dg/network-vpc.html#network-vpc.subnet

When you connect your service to a VPC, the outbound traffic doesn't have access to the public internet. All outbound traffic from your application is directed through the VPC that your service is connected to. All networking rules for the VPC apply to the outbound traffic of your application. This means that your services can't access the public internet and AWS APIs. To gain access, do one of the following:
Connect the subnets to the internet through a NAT Gateway.

EXPERT
answered 2 months ago
  • I configured the incoming traffic of App Runner as public and the outgoing traffic to use a VPC, security groups, and subnets. In RDS, I used the same VPC, subnets, and security groups for inbound traffic and set outbound traffic as public. What could be the issue? Should I connect to a NAT gateway, and if so, how can I do that?

  • Do you understand what "jwtJiraAuthenticationFilter" is? Do you know where your application is authenticating? Judging from the error message, I think this error is caused by a failure to authenticate to the external JWT, not a connection to RDS. To use NAT Gateway, please create the configuration introduced in the following document. Please configure the subnet to which the VPC connector is connected in the route table so that it can be routed to the NAT Gateway. https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html

  • I have also tried using a NAT Gateway, but my App Runner's service status still shows "Rollback succeeded" instead of "Succeeded," and the same error I mentioned above is occurring.

  • Hmm, have you set a route to the NAT Gateway in the route table of the subnet to which AppRunner VPC connector is connected? Also, could you please share your RDS security group settings and AppRunner security group settings?

  • Yes, I have already set a route to the NAT Gateway in the route table of the subnet to which the App Runner VPC connector is connected.

    Additionally, I've updated my question with snapshots of the security group settings for both RDS and App Runner. Please review the attached images to see the configurations. Let me know if there’s anything that needs to be adjusted or if you have any further suggestions.
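The two checks the answer above asks for (is the App Runner VPC connector's security group allowed inbound on the RDS security group, and does each connector subnet have a route to a NAT Gateway) can be verified from the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` return. The script below is an added example, not code from the question or either answer; the sample JSON is constructed and every `sg-`, `subnet-`, `rtb-` and `nat-` id is a placeholder.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --group-ids <rds-sg>`.
RDS_SG = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0rdsPLACEHOLDER",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0connectorPLACEHOLDER"}]}]}]}""")

# Constructed sample in the shape of `aws ec2 describe-route-tables`: subnet A has a
# default route to a NAT gateway, subnet B only has the VPC-local route.
ROUTE_TABLES = json.loads("""{"RouteTables": [
  {"RouteTableId": "rtb-0aPLACEHOLDER",
   "Associations": [{"SubnetId": "subnet-0aPLACEHOLDER"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0PLACEHOLDER", "State": "active"}]},
  {"RouteTableId": "rtb-0bPLACEHOLDER",
   "Associations": [{"SubnetId": "subnet-0bPLACEHOLDER"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]}""")


def rds_allows_sg(rds_sgs, connector_sg, db_port):
    """True if an inbound rule on the RDS security group admits the App Runner
    connector's security group (by SG reference, not CIDR) on the database port."""
    for sg in rds_sgs["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            all_traffic = perm["IpProtocol"] == "-1"
            proto_ok = all_traffic or perm["IpProtocol"] == "tcp"
            port_ok = all_traffic or perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535)
            refs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            if proto_ok and port_ok and connector_sg in refs:
                return True
    return False


def subnets_without_nat_route(route_tables, subnet_ids):
    """Return the connector subnets whose route table has no active 0.0.0.0/0 route
    to a NAT gateway (the condition the App Runner VPC docs require for egress)."""
    rts = route_tables["RouteTables"]
    missing = []
    for subnet in subnet_ids:
        tables = [rt for rt in rts
                  if any(a.get("SubnetId") == subnet for a in rt.get("Associations", []))]
        if not tables:  # no explicit association: the VPC's main route table applies
            tables = [rt for rt in rts if any(a.get("Main") for a in rt.get("Associations", []))]
        has_nat = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
                      and r.get("State") == "active" for rt in tables for r in rt["Routes"])
        if not has_nat:
            missing.append(subnet)
    return missing
```

With real output, replace the two constructed documents with the CLI JSON and pass the connector's security group id and the subnets attached to the VPC connector; an empty list from `subnets_without_nat_route` and `True` from `rds_allows_sg` mean both settings the answer asked about are in place.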


Possible Causes and Solutions:

RDS Connectivity Issue:

When you switch your RDS instance to be privately accessible, it is no longer reachable from the public internet. Your application must be running in the same VPC or have network access to the VPC where your RDS instance is located.

Solution: Ensure that your Spring Boot application is running in an environment that can connect to the private RDS instance. If you are using App Runner or another AWS service to deploy your application, ensure that it is configured to use the same VPC or a VPC that has connectivity to the RDS instance, either through VPC peering, Transit Gateway, or a VPN connection.

Security Group Configuration:

The security group attached to your RDS instance might be restricting traffic from your application. If your application is not allowed to connect to the RDS instance due to security group rules, it will result in connection failures.

Solution: Update the security group associated with your RDS instance to allow inbound traffic from the IP range or security group associated with your application.

Database Connection Settings:

Your application's database connection settings (e.g., JDBC URL, username, password) need to be updated to match the new private configuration of the RDS instance.

Solution: Check your application's configuration file (e.g., application.properties or application.yml) to ensure the database connection URL is correctly pointing to the private RDS endpoint. Also, make sure that your database username and password are correctly configured.

Network ACLs or Route Tables:

If there are network ACLs or route table configurations in your VPC that prevent traffic from reaching the RDS instance, this could also cause the issue.

Solution: Verify that your VPC's route tables and network ACLs are configured correctly to allow traffic between your application and the RDS instance.

AWS IAM Role/Policy Issue:

If your application is using an IAM role to access the database and the role does not have the necessary permissions, you might encounter this issue.

Solution: Ensure that the IAM role associated with your application has the necessary permissions to access the RDS instance.

Debugging Steps:

Check VPC Configuration: Verify that the VPC and subnet settings for both your RDS instance and application are correct. Ensure they are in the same VPC or that there's proper connectivity between VPCs.

Test Connectivity: From within the environment where your application is running, try to connect to the RDS instance using a database client (e.g., mysql, psql) to ensure network connectivity.

Update Application Logs: Add more logging in your application, particularly around the database connection setup, to capture more detailed error messages.

By following these steps, you should be able to identify and resolve the issue caus

EXPERT
answered 2 months ago
  • But it works perfectly when my RDS is publicly accessible, and I configure App Runner for both incoming and outgoing traffic as public access. What could be the issue?
