Hey folks. I'm having some issues trying to access...
# aws
Hey folks. I'm having some issues trying to access an aurora postgres instance from outside of my VPC (ie, my local machine). The ECS cluster i have running in the VPC can access it without issue. I've got the following setup:
Copy code
const vpc = new awsx.ec2.Vpc(`vpc`, {});

const rdsSecurityGroup = new aws.ec2.SecurityGroup(`sg`, {
  vpcId: vpc.id,
  ingress: [
      protocol: "tcp",
      fromPort: 5432,
      toPort: 5432,
      cidrBlocks: [vpc.vpc.cidrBlock],

const dbSubnets = new aws.rds.SubnetGroup(`rds-subnet`, {
  subnetIds: vpc.privateSubnetIds,

const db = new aws.rds.Cluster(`db`, {
  engineMode: "serverless",
  dbSubnetGroupName: dbSubnets.id,
  vpcSecurityGroupIds: [rdsSecurityGroup.id],
  engine: "aurora-postgresql",
  // .... password/name/db etc
And I have manually added an extra inbound rule in AWS on the security group in this code to the created security group to allow access from my IP. What am i missing?
Note that for the manual rule i've created, I've tried with only to that port from all IPs, and gone through the whole check to see if there's an Internet gateway attached to the VPC. I've tried to connect with pgAdmin and by just hitting
telnet <cluster> 5432
. Nothing seems to work. Doesn't even attempt to wake up the paused cluster.
You can't access anything in a private subnet from the internet
You can set up a bastion host in a public subnet, give that access to the RDS instance and then go via that
Right ye, i noticed that when i was posting this. I've (temporarily) updated it to be in all the groups to confirm whether this was the issue or not:
Copy code
subnetIds: pulumi.all([vpc.publicSubnetIds, vpc.privateSubnetIds]).apply(([publicSubnetIds, privateSubnetIds]) => [...publicSubnetIds, ...privateSubnetIds]),
Still doesn't seem to work. I keep getting the impression the traffic is being blocked before it goes anywhere near the RDS instance. I'll run through those docs and post back if i bump into anything.
@powerful-furniture-83753 you have a subnet group on the RDS instance that is limited to the private subnets
even if i swap that out for only the public subnet ids.. still times out, and still accessible inside the VPC (as expected). I don't really get why.
But i still need to do all the reading that Piers posted 🙂
You'd need to open up the security group and have the rds instance subnetgroup be public to access it from outside
Your security group needs to have access
aaaaah... i think you can't actually give an Aurora Serverless cluster a public ip. At least if i read this right: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html Also found some threads suggesting the only way to do it is to setup a VPN tunnel into the VPC. It could also be that i horribly misunderstand how this works 🙂