# aws
p
Hey folks. I'm having some issues trying to access an aurora postgres instance from outside of my VPC (ie, my local machine). The ECS cluster i have running in the VPC can access it without issue. I've got the following setup:
```typescript
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const vpc = new awsx.ec2.Vpc(`vpc`, {});

// Only allows Postgres traffic that originates inside the VPC's own CIDR range
const rdsSecurityGroup = new aws.ec2.SecurityGroup(`sg`, {
  vpcId: vpc.id,
  ingress: [
    {
      protocol: "tcp",
      fromPort: 5432,
      toPort: 5432,
      cidrBlocks: [vpc.vpc.cidrBlock],
    },
  ],
});

// Subnet group limited to the VPC's private subnets
const dbSubnets = new aws.rds.SubnetGroup(`rds-subnet`, {
  subnetIds: vpc.privateSubnetIds,
});

const db = new aws.rds.Cluster(`db`, {
  engineMode: "serverless",
  dbSubnetGroupName: dbSubnets.id,
  vpcSecurityGroupIds: [rdsSecurityGroup.id],
  engine: "aurora-postgresql",
  // .... password/name/db etc
});
```
And I have manually added an extra inbound rule in AWS to the security group created by this code to allow access from my IP. What am I missing?
Note that for the manual rule I've created, I've tried with only that port open to all IPs, and gone through the whole check to see if there's an Internet gateway attached to the VPC. I've tried to connect with pgAdmin and by just hitting `telnet <cluster> 5432`. Nothing seems to work. It doesn't even attempt to wake up the paused cluster.
b
You can't access anything in a private subnet from the internet
You can set up a bastion host in a public subnet, give that access to the RDS instance and then go via that
p
Right yeah, I noticed that when I was posting this. I've (temporarily) updated it to be in all the groups to confirm whether this was the issue or not:
```typescript
subnetIds: pulumi
  .all([vpc.publicSubnetIds, vpc.privateSubnetIds])
  .apply(([publicSubnetIds, privateSubnetIds]) => [...publicSubnetIds, ...privateSubnetIds]),
```
Still doesn't seem to work. I keep getting the impression the traffic is being blocked before it goes anywhere near the RDS instance. I'll run through those docs and post back if I bump into anything.
b
@powerful-furniture-83753 you have a subnet group on the RDS instance that is limited to the private subnets
p
Even if I swap that out for only the public subnet IDs... still times out, and still accessible inside the VPC (as expected). I don't really get why.
But I still need to do all the reading that Piers posted 🙂
b
You'd need to open up the security group and have the RDS instance's subnet group be public to access it from outside
b
Your security group needs to have 0.0.0.0/0 access
p
aaaaah... I think you can't actually give an Aurora Serverless cluster a public IP. At least if I read this right: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html Also found some threads suggesting the only way to do it is to set up a VPN tunnel into the VPC. It could also be that I horribly misunderstand how this works 🙂