
Accessing RDS instance in peered VPC through VPN

0

I have a VPN server deployed on VPC 1, which is peered to VPC 2, on which there is an RDS instance deployed on private subnets. Routes have been added in the route table of each VPC to route from each VPC CIDR to the peering connection, and the RDS security group allows connections from VPC 2; however, I cannot connect to the RDS instance when I am on the VPN. There is a DocumentDB instance deployed on VPC 3, which is also peered to VPC 1, and I can connect to that whilst on the VPN. Can someone explain what I'm missing to connect to the RDS instance, if it should be possible to connect in this way (and if not possible, why this does work for DocumentDB)?

Update: I tried launching an instance in VPC 1 with the same security group as the VPN server, and I can connect to the database from that, so it must be an issue relating to the VPN server setup specifically.

4 Answers
1

Hello.

Is my understanding correct that RDS in VPC 2 cannot be accessed from VPC 1 via VPN?
It seems that the RDS security group allows connections from the CIDR of VPC 2, but I thought that if I were connecting from VPC 1, I might need to allow the CIDR of VPC 1.

Routes have been added in the route table of each vpc to route from each VPC CIDR to the peering connection and the RDS security group allows connections from VPC 2 however I cannot connect to the RDS instance when I am on the VPN.

EXPERT
answered 17 days ago
EXPERT
reviewed 17 days ago
  • Thanks, but the RDS security group already allows connections from the VPN instance security group.

  • In the case of VPN, I think you will not be able to connect even if you refer to the security group of the VPN instance in the RDS security group. So please try allowing the CIDR and see if you can connect.

  • Thanks. I have also tried adding the VPC 1 CIDR to the allowed inbound rules of the RDS security group, but unfortunately I am still unable to connect.

1

To successfully connect to the RDS instance in VPC 2 from VPC 1 via the VPN server in VPC 1, here are some considerations:

  1. The VPN server that you are connected to should NAT the IP address of the clients connecting to the VPN server to its own private IP address. This is required as VPC peering doesn't support transitive routing.
  2. The security group of the RDS should either allow traffic/connections from the VPN server's private IP/security group or VPC 1's CIDR.
  3. On the VPN server, make sure you have a route for the CIDR of VPC 2 pointing to the gateway address (the first address of the subnet of the VPN server). This will ensure that the VPC route table is referenced when the traffic is being forwarded to VPC 2 via the peering connection.
AWS
answered 17 days ago
EXPERT
reviewed 17 days ago
  • Thanks for your help. I can confirm that 1 & 2 are in place. Re point 3, I have a route in the route table for the VPN VPC for VPC2 CIDR pointing at the peering connection between VPC 1 & 2. Is this what you mean or should there be an additional route for the VPC 2 CIDR?

  • Point 3 refers to routing within the VPN server and not the VPC route table where you define the peering routes. The VPN server internally should be able to forward the traffic received from the client and destined for the VPC 2 CIDR to the gateway address.

    Additionally, I assume that the Source/destination check network interface attribute for the VPN server is disabled, as you have mentioned earlier that a similar setup works while connecting to a DocumentDB in VPC 3.

    You can enable VPC flow logs in VPC 1 and VPC 2 to troubleshoot further or open a support case with our Support team to help with the troubleshooting.
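Working through this answer's three points with concrete addresses, as an added example that is not part of any answer in this thread: it computes the subnet router address, returns the route and source-NAT commands the VPN server itself would need, and evaluates which source address the RDS security group actually sees. All CIDRs, IPs and the interface name are constructed assumptions; the commands are returned as strings, not executed.

```python
import ipaddress

# Constructed sample addressing (assumptions; the thread gives no CIDRs or IPs).
VPC1_CIDR = "10.1.0.0/16"             # VPC 1: hosts the VPN server
VPC2_CIDR = "10.2.0.0/16"             # VPC 2: hosts the RDS instance, peered to VPC 1
VPN_SUBNET = "10.1.10.0/24"           # subnet of the VPN server's network interface
VPN_SERVER_IP = "10.1.10.25"          # VPN server's private IP (the NAT source)
VPN_CLIENT_CIDR = "192.168.255.0/24"  # address pool handed out to VPN clients
CLIENT_IP = "192.168.255.7"           # one connected VPN client

def peering_prerequisite_ok(cidr_a, cidr_b):
    """VPC peering requires non-overlapping CIDRs; otherwise the peering routes cannot be added."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def aws_subnet_gateway(subnet_cidr):
    """AWS reserves the first usable address of every subnet for the VPC router (point 3)."""
    return str(ipaddress.ip_network(subnet_cidr).network_address + 1)

def vpn_server_commands(vpn_subnet, client_cidr, remote_vpc_cidr, iface="eth0"):
    """Route (point 3) and source NAT (point 1) needed on the VPN server itself. Returned, not run."""
    gw = aws_subnet_gateway(vpn_subnet)
    return [
        f"ip route add {remote_vpc_cidr} via {gw} dev {iface}",
        f"iptables -t nat -A POSTROUTING -s {client_cidr} -d {remote_vpc_cidr} -o {iface} -j MASQUERADE",
    ]

def source_seen_by_rds(client_ip, vpn_server_ip, natted=True):
    """With NAT, the RDS side sees the VPN server's IP; without NAT it sees the client pool
    address, which VPC 2 cannot route back across the peering (peering is not transitive)."""
    return vpn_server_ip if natted else client_ip

def sg_allows(sg_source_cidrs, source_ip):
    """Evaluate the RDS security group's inbound CIDR list against the source it sees (point 2)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in sg_source_cidrs)

if __name__ == "__main__":
    assert peering_prerequisite_ok(VPC1_CIDR, VPC2_CIDR)
    for cmd in vpn_server_commands(VPN_SUBNET, VPN_CLIENT_CIDR, VPC2_CIDR):
        print(cmd)
    seen = source_seen_by_rds(CLIENT_IP, VPN_SERVER_IP)
    # The question's original state: only VPC 2's CIDR allowed, so NATed VPN traffic is dropped.
    print("SG allows VPC 2 only:", sg_allows([VPC2_CIDR], seen))             # False
    # The fix suggested above: also allow VPC 1's CIDR (or the VPN server's IP as a /32).
    print("SG allows VPC 1 too:", sg_allows([VPC2_CIDR, VPC1_CIDR], seen))  # True
```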

1

Also ensure you have created the routes on your VPN so that your client knows how to get to VPC 2.

EXPERT
answered 17 days ago
EXPERT
reviewed 16 days ago
0

The problem in my case was a specific setting on the VPN server, accessed through the UI, which required a list of private subnets. I needed to add the CIDR of VPC 2 and restart the server for this to take effect. Thanks all for your help.

answered 17 days ago
