https://pulumi.com logo
Powered by
Title
p

powerful-furniture-83753

04/21/2021, 12:12 PM
Hey folks. I'm having some issues trying to access an aurora postgres instance from outside of my VPC (ie, my local machine). The ECS cluster i have running in the VPC can access it without issue. I've got the following setup: 
const vpc = new awsx.ec2.Vpc(`vpc`, {});

const rdsSecurityGroup = new aws.ec2.SecurityGroup(`sg`, {
  vpcId: vpc.id,
  ingress: [
    {
      protocol: "tcp",
      fromPort: 5432,
      toPort: 5432,
      cidrBlocks: [vpc.vpc.cidrBlock],
    },
  ],
});

const dbSubnets = new aws.rds.SubnetGroup(`rds-subnet`, {
  subnetIds: vpc.privateSubnetIds,
});

const db = new aws.rds.Cluster(`db`, {
  engineMode: "serverless",
  dbSubnetGroupName: dbSubnets.id,
  vpcSecurityGroupIds: [rdsSecurityGroup.id],
  engine: "aurora-postgresql",
  // .... password/name/db etc
});
And I have manually added an extra inbound rule in AWS on the security group in this code to the created security group to allow access from my IP. What am i missing?
Note that for the manual rule i've created, I've tried with only to that port from all IPs, and gone through the whole check to see if there's an Internet gateway attached to the VPC. I've tried to connect with pgAdmin and by just hitting 
telnet <cluster> 5432
. Nothing seems to work. Doesn't even attempt to wake up the paused cluster.
b

brave-planet-10645

04/21/2021, 12:31 PM
You can't access anything in a private subnet from the internet
You can set up a bastion host in a public subnet, give that access to the RDS instance and then go via that
AWS has some good docs here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html
p

powerful-furniture-83753

04/21/2021, 12:42 PM
Right ye, i noticed that when i was posting this. I've (temporarily) updated it to be in all the groups to confirm whether this was the issue or not: 
subnetIds: pulumi.all([vpc.publicSubnetIds, vpc.privateSubnetIds]).apply(([publicSubnetIds, privateSubnetIds]) => [...publicSubnetIds, ...privateSubnetIds]),
Still doesn't seem to work. I keep getting the impression the traffic is being blocked before it goes anywhere near the RDS instance. I'll run through those docs and post back if i bump into anything.
b

broad-dog-22463

04/21/2021, 2:08 PM
@powerful-furniture-83753 you have a subnet group on the RDS instance that is limited to the private subnets
p

powerful-furniture-83753

04/21/2021, 2:23 PM
even if i swap that out for only the public subnet ids.. still times out, and still accessible inside the VPC (as expected). I don't really get why.
But i still need to do all the reading that Piers posted 🙂
b

brave-planet-10645

04/21/2021, 3:11 PM
You'd need to open up the security group and have the rds instance subnetgroup be public to access it from outside
b

broad-dog-22463

04/21/2021, 3:11 PM
Your security group needs to have 0.0.0.0/0 access
p

powerful-furniture-83753

04/21/2021, 3:12 PM
aaaaah... i think you can't actually give an Aurora Serverless cluster a public ip. At least if i read this right: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html Also found some threads suggesting the only way to do it is to setup a VPN tunnel into the VPC. It could also be that i horribly misunderstand how this works 🙂
#awsJoin Slack
Powered by