Ensuring a Static IP for a Dynamic ECS in a Cross-VPC MySQL Database Connection


I'm currently operating an ECS cluster, hosted on EC2 instances, that houses a Django-based API service, an Nginx web server, and a Filebeat module to facilitate the ELK logging mechanism as a sidecar container. The aforementioned cluster resides within a VPC dubbed 'vpc-ecs'.

Simultaneously, I maintain a MySQL database, hosted in a public subnet within a separate VPC, referred to as 'vpc-db'. My primary objective is to establish a secure connection between my Django ECS container and the above database across these VPCs.

For security considerations, I intend to create a MySQL user (referred to as 'ecs_user') whose host isn't configured with a wildcard. Rather, I'd prefer the connection to originate from a specific, static IP address in the format of ecs_user@1.2.3.4. Here, 1.2.3.4 would represent a fixed IP transmitted by the ECS service.

The inherent dynamic nature of ECS and the auto-scaling groups associated with EC2 instances creates a challenge, as EC2 instances are frequently terminated and supplanted. Consequently, I'm grappling with the task of maintaining a consistent, static IP for the database connection despite the dynamism.

I kindly request insights regarding the most feasible way to maintain this static IP for the connection with the MySQL database. Additionally, I'm open to any suggestions for enhancing the security measures for this connection.

1 Answer

Does this mean I need a static IP even though the IP address changes with AutoScaling?
I think that if you set the RDS security group to allow only the security group from ECS, you don't need a fixed IP address.
By allowing only the ECS security group, access from outside the ECS will not be possible.
If you are doing VPC peering, you can refer to security groups in other VPCs.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

answered 9 months ago
  • That is true. But my MySQL database is hosted on EC2 and it has a rule allowing all for a few ports because it is analytics-based. At the level of the MySQL database, I ensure only allowed IPs can connect. So I need to know the mechanism for a static IP in an ECS deployment.

  • Thanks for the reply. By the way, what network mode do you use for ECS? If the network mode is host or bridge, the IP address of the EC2 instance is used, so if you can design the system to execute Lambda, etc. according to the EC2 startup event, you can set the IP of the MySQL user. However, such an architecture is difficult to create without knowledge, so I would create a MySQL user so that it can be accessed from the CIDR of the subnet on which EC2 is started. For example, you can allow access from EC2 by setting the CIDR of the subnet with the following command.

    -- MySQL 5.7 syntax; on MySQL 8 run CREATE USER ... IDENTIFIED BY ... first, then GRANT without the IDENTIFIED BY clause
    GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'192.168.0.0/255.255.255.0' IDENTIFIED BY 'password';
    
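Putting the subnet-CIDR account from the comment above into practice, as an added example that is not part of the thread: it converts the ECS subnet CIDR into the address/netmask host form MySQL accepts, checks which client addresses that host would match, and emits MySQL 8 statements that grant only what a Django API needs rather than ALL PRIVILEGES. The user name, database name, subnet and password placeholder are assumptions.

```python
import ipaddress


def mysql_netmask_host(cidr: str) -> str:
    """Turn a subnet CIDR (e.g. the subnet ECS instances launch in) into the
    'network/netmask' host form used in MySQL account names, refusing input
    that would silently widen the allowed range."""
    # strict=True rejects a CIDR with host bits set, e.g. 10.0.1.7/24
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("MySQL netmask hosts are IPv4 only")
    # MySQL's documented netmask hosts use 8, 16, 24 or 32 mask bits;
    # other prefix lengths are refused here rather than assumed to work
    # (check the docs for the exact server version in use).
    if net.prefixlen not in (8, 16, 24, 32):
        raise ValueError(f"/{net.prefixlen} is not a supported MySQL netmask length")
    return f"{net.network_address}/{net.netmask}"


def host_matches(mysql_host: str, client_ip: str) -> bool:
    """Emulate MySQL's host check for a netmask account:
    the client matches when (client_ip AND netmask) == network."""
    network, netmask = mysql_host.split("/")
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def least_privilege_statements(user: str, mysql_host: str, db: str) -> list[str]:
    """MySQL 8 account creation for the API: CREATE USER first (GRANT ...
    IDENTIFIED BY no longer exists), TLS required, DML on one schema only.
    The password is a placeholder; supply it from a secrets manager."""
    return [
        f"CREATE USER '{user}'@'{mysql_host}' "
        f"IDENTIFIED BY '<password-from-secrets-manager>' REQUIRE SSL;",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{db}`.* TO '{user}'@'{mysql_host}';",
    ]


if __name__ == "__main__":
    # constructed values: an assumed ECS subnet in vpc-ecs and the Django schema
    host = mysql_netmask_host("10.0.1.0/24")
    for stmt in least_privilege_statements("ecs_user", host, "django_api"):
        print(stmt)
    print(host_matches(host, "10.0.1.42"), host_matches(host, "10.0.2.42"))
```

Run it against the subnet the auto-scaling group actually launches into; an instance replaced by scaling still lands in that CIDR, so the account keeps working without a fixed IP.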
