
Connecting to Amazon RDS instance through EC2 instance using MySQL Workbench Security groups

I'm having difficulty connecting MySQL Workbench to RDS. I contacted Amazon support and they told me this:

"I've looked at the configuration of the EB environment and the SGs and they're now in good order. The only item left, as I see it's not possible to connect to the RDS DB remotely, is that the SG sg-882213c3 needs to have another rule added to allow connectivity from the computer with the mysql client. Perhaps allow 0.0.0.0/0 to TCP port 3306 for temporary access, or from the source IP of the computer."

So what I did is this:

[screenshot of the security group inbound rules]

But the connection is still failing:

[screenshot of the MySQL Workbench connection error]

The previous steps were:

I created a new DB instance called east-mysql2-instance1. For east-mysql2-instance1 the security group is set to rds-launch-wizard (sg-882213c3), and I did modify the inbound rule to Source sg-882213c3 (rds-launch-wizard), but it won't let me change the type to MySQL/Aurora; it stays at Custom TCP Rule.

For EC2 I have 2 running instances, and I changed both instances' security groups to
rds-launch-wizard and awseb-e-bdbjjgxvzd-stack-AWSEBSecurity.

I terminated my old environment and created a new one called Borroup-env-1. I changed the EC2 security groups for the environment to awseb-e-bdbjjgxvzd-stack-AWSEBSecurityGroup-1PTJG896MEOYR and rds-launch-wizard. I changed the environment properties and added RDS_DB_NAME, RDS_HOSTNAME, RDS_PASSWORD, RDS_PORT, RDS_USERNAME.

It sounds like you wish to connect from an Amazon EC2 instance to an Amazon RDS instance. Assuming that they are both in the same VPC, the easiest way to configure it is:

  • Create an App-SG security group and associate it with the EC2 instance. Grant whatever access you need to login/use the instance.
  • Create a RDS-SG security group and associate it with the RDS database. Permit inbound access from the App-SG security group on port 3306 (MySQL/Aurora).

This basically says that any resources associated with App-SG will be permitted to access any resource associated with RDS-SG.

If that doesn't work, then there's something else (aside from security groups) that needs to be configured.

From your second screenshot, it looks like you are setting up a connection that is:

  1. SSH from your mac desktop to an ec2 instance
  2. connect from the ec2 instance to RDS

If this is the situation you are wanting to achieve I would not be leaving a rule allowing 3306 from 0.0.0.0/0. This is allowing any IP address in the world to connect on port 3306 - a well known port. Additionally, that advice seems to suggest putting that rule against the RDS instance? Overkill - it only needs to allow access from your EC2 instance or its subnet.

The first step I would take is to use SSH on the terminal to verify you can SSH from your mac to the EC2 instance - if this is not working, there is no point looking at SGs and rules between EC2 and RDS. Once that is working, you can move forward to resolving the connectivity from the ec2 to the RDS. As John noted above, if both the RDS and the EC2 are in the same VPC, you can set up a SG allowing access to the RDS instance from the subnet that the EC2 is in.

As an alternative solution, you can also set things up to allow access to the RDS instance directly, without going through the EC2. See Public Accessibility and also subnet requirements here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html It depends on what kind of setup you want...

If the EC2 and RDS are not in the same VPC but are in the same region, you may want to look at setting up VPC peering: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html If the EC2 and RDS are not in the same region or the same VPC, you may want to set up inter-region VPC peering: https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-support-for-inter-region-vpc-peering/
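The following is an added example and not code from the question or either answer. It is a small Python model of how EC2 security-group inbound rules are evaluated, so the three options discussed in the two answers can be compared on the same footing: RDS-SG admitting App-SG (first answer), RDS-SG admitting the EC2 instance's subnet CIDR (second answer), and the 0.0.0.0/0 rule on 3306 that the support reply called temporary. All SG ids (sg-app, sg-rds), addresses and CIDRs are invented for the example; the model ignores outbound rules, network ACLs and routing, which is exactly why a permitted result here is necessary but not sufficient for a working connection.

```python
# Added example, not code from the original question or answers: a small
# model of how EC2 security-group (SG) inbound rules are evaluated, so the
# three options discussed above can be compared side by side:
#   1. RDS-SG admits App-SG (the first answer's recommendation),
#   2. RDS-SG admits the EC2 instance's subnet CIDR (second answer),
#   3. RDS-SG admits 0.0.0.0/0 on 3306 (the "temporary" support suggestion).
# All SG ids, addresses and CIDRs below are made up for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MYSQL_PORT = 3306
WORLD = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str       # a CIDR such as "10.0.1.0/24" or an SG id such as "sg-app"

    def covers(self, proto: str, port: int) -> bool:
        return self.proto in ("-1", proto) and self.from_port <= port <= self.to_port

    def matches_source(self, src: "Host") -> bool:
        # An SG-referencing rule matches any network interface that has that
        # SG attached, regardless of its IP; a CIDR rule matches by address.
        if self.source.startswith("sg-"):
            return self.source in src.sgs
        return ip_address(src.ip) in ip_network(self.source, strict=False)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass
class Host:
    name: str
    ip: str                 # the address the destination sees
    sgs: List[str] = field(default_factory=list)   # SGs attached to its interface


def can_connect(src: Host, dst: Host, groups: Dict[str, SecurityGroup],
                port: int = MYSQL_PORT, proto: str = "tcp") -> bool:
    """SGs are default-deny and stateful: a new connection is allowed if any
    inbound rule on any SG attached to the destination matches the source
    and the port. Outbound rules and NACLs are ignored in this model."""
    return any(rule.covers(proto, port) and rule.matches_source(src)
               for sg_id in dst.sgs
               for rule in groups[sg_id].inbound)


def world_open_rules(groups: Dict[str, SecurityGroup],
                     port: int = MYSQL_PORT) -> List[Tuple[str, Rule]]:
    """Rules that expose `port` to every address: what the second answer says
    not to leave in place on a database group."""
    return [(sg.sg_id, r) for sg in groups.values() for r in sg.inbound
            if r.source in WORLD and r.covers("tcp", port)]


def build_scenario(rds_source: str):
    """App-SG on the EC2 instance (SSH from one admin IP), RDS-SG on the
    database admitting 3306 from `rds_source`. Returns groups and hosts.
    All ids and addresses are constructed for the example."""
    app_sg = SecurityGroup("sg-app", [Rule("tcp", 22, 22, "203.0.113.10/32")])
    rds_sg = SecurityGroup("sg-rds", [Rule("tcp", MYSQL_PORT, MYSQL_PORT, rds_source)])
    groups = {app_sg.sg_id: app_sg, rds_sg.sg_id: rds_sg}
    ec2 = Host("ec2-app", "10.0.1.25", ["sg-app"])        # in subnet 10.0.1.0/24
    rds = Host("rds-mysql", "10.0.2.40", ["sg-rds"])
    laptop = Host("mac-desktop", "203.0.113.10", [])      # outside the VPC
    return groups, ec2, rds, laptop


def evaluate(rds_source: str) -> Dict[str, bool]:
    """Who can reach the database on 3306 under a given RDS-SG source rule."""
    groups, ec2, rds, laptop = build_scenario(rds_source)
    return {
        "ec2_to_rds": can_connect(ec2, rds, groups),
        "laptop_to_rds": can_connect(laptop, rds, groups),
        "laptop_ssh_to_ec2": can_connect(laptop, ec2, groups, port=22),
        "world_open_3306": bool(world_open_rules(groups)),
    }


if __name__ == "__main__":
    for source in ("sg-app", "10.0.1.0/24", "0.0.0.0/0"):
        print(f"RDS-SG source {source:12}: {evaluate(source)}")
```

Both the SG-reference and the subnet-CIDR variants let the EC2 instance in and keep the laptop out, while only the 0.0.0.0/0 variant lets the laptop in, at the cost of also admitting every other address. The asker's self-referencing setup (rds-launch-wizard admitting itself, attached to both the EC2 instances and the database) is the SG-reference case with the same group on both sides, which this model also permits; when such a rule is present and the connection still fails, the model agrees with the second answer that the fault lies outside the database group's inbound rules (for example the SSH hop or the Workbench connection settings).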
