VPC Peer connection unable to connect EC2 in different region than RDS but EC2s on the same Peer connection VPCs works

0

I set up a peer connection from us-east to eu-west, using the following method:

  • us-east: Created an RDS (made public facing) and an EC2 on the same VPC [1]
  • us-west: Created an EC2 on VPC [2]
  • Created a peer-connection for VPC [1] to VPC [2] (us-east to eu-west)
  • Set up the peer-connection to resolve DNS hosts (on both ends)
  • Updated routing tables on both sides to accept the CIDR ranges from the corresponding VPCs
  • Updated the security groups on both sides to allow inbound and outbound connections from the CIDR ranges

I am able to successfully connect to the EC2 instance in us-east from the EC2 in eu-west by pinging its private IP, suggesting the VPC peering tunnel is set up correctly.

When I try to connect to the RDS MySQL instance in us-east from the EC2 in eu-west, it is unresolved.

I am using netcat to test, using the following method:

nc -zv databasex.xxxxxx.us-east-2.rds.amazonaws.com 3306

The security group attached to the RDS has a rule to allow connections on port 3306 from the CIDR range associated with the VPC in eu-west, just like I have on the EC2 security group. I have reviewed a number of articles, help posts, and other things and it appears I have everything set up correctly, so I am at a loss why I am not able to connect to the RDS from this peer connection.

Of course, when I add a record to the RDS security group to allow connections from the public IP of the eu-west EC2 then it connects, but I want to take advantage of the peering tunnel and not use traffic over an internet gateway. Please let me know if there are certain things I should be looking for that I may be obviously missing. Thank you.

1 Answer
2
Accepted Answer

I think the problem is, when you resolve a public RDS instance DNS name from outside of its VPC, you will get the public address. And this is why your traffic is routed via the peering connection but goes out to the "internet" via the IGW. As a result, the packet seems to be originating from the public IP of the EC2 and NATGW, not from a private IP of the VPC CIDR. A simple solution would be making the RDS private; I think then DNS would always resolve to the private IP. If that is not possible then it might get more complex. It could be possible (haven't tested myself) using an alias in a private zone, see https://repost.aws/knowledge-center/vpc-peering-troubleshoot-dns-resolution

EXPERT
Kallu
answered a year ago
  • Ah... At this time I can't make it private as I have an external application that is not hosted on AWS that queries from the RDS. I could look at migrating this application to AWS though that is going to be a fairly large lift. Maybe I can just spin up a new RDS within the same VPC and set it up private and at least test if it indeed works with the peer connection in that configuration.

  • After reading the post you linked, I found out I had DNS resolution turned off on one side of the peer connection. I enabled that and now it fully resolves and I am able to connect to the RDS in us-east from the EC2 in eu-west. Thanks!
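The thread above comes down to two checks: whether `AllowDnsResolutionFromRemoteVpc` is enabled on both sides of the peering connection, and whether the RDS hostname actually resolves to an address inside the peer VPC's CIDR (so traffic stays on the peering link) rather than to a public address (which leaves through an internet gateway and arrives from the instance's public IP, which is why the security group rule on the VPC CIDR never matched). The following is an added example, not code from the question or the answer. It parses the JSON shape returned by `aws ec2 describe-vpc-peering-connections` and flags any side with DNS resolution disabled, then classifies a resolved RDS address. The peering ID, VPC IDs, CIDRs and IP addresses in the sample are constructed placeholders, and `check_rds_endpoint` defaults to the system resolver but accepts any callable so the check can be exercised offline.

```python
import ipaddress
import json
import socket

# Constructed sample document. The structure mirrors the output of
# `aws ec2 describe-vpc-peering-connections`; every identifier and CIDR
# here is a placeholder, not a value taken from the question.
SAMPLE_PEERING_JSON = """
{
  "VpcPeeringConnections": [
    {
      "VpcPeeringConnectionId": "pcx-0000000000example",
      "Status": {"Code": "active"},
      "RequesterVpcInfo": {
        "VpcId": "vpc-00000000000requester",
        "Region": "us-east-2",
        "CidrBlock": "10.10.0.0/16",
        "PeeringOptions": {
          "AllowDnsResolutionFromRemoteVpc": true,
          "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
          "AllowEgressFromLocalVpcToRemoteClassicLink": false
        }
      },
      "AccepterVpcInfo": {
        "VpcId": "vpc-000000000000accepter",
        "Region": "eu-west-1",
        "CidrBlock": "10.20.0.0/16",
        "PeeringOptions": {
          "AllowDnsResolutionFromRemoteVpc": false,
          "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
          "AllowEgressFromLocalVpcToRemoteClassicLink": false
        }
      }
    }
  ]
}
"""


def load_sample():
    """Parse the constructed sample into the same dict the CLI JSON would give."""
    return json.loads(SAMPLE_PEERING_JSON)


def peering_dns_findings(doc):
    """Return one finding string per peering side that has
    AllowDnsResolutionFromRemoteVpc disabled. Both sides must be enabled
    for a public RDS endpoint to resolve to its private IP across the peer."""
    findings = []
    for pcx in doc.get("VpcPeeringConnections", []):
        pcx_id = pcx["VpcPeeringConnectionId"]
        for side in ("RequesterVpcInfo", "AccepterVpcInfo"):
            info = pcx[side]
            opts = info.get("PeeringOptions", {})
            if not opts.get("AllowDnsResolutionFromRemoteVpc", False):
                findings.append(
                    f"{pcx_id}: {side} ({info['VpcId']} in {info['Region']}) "
                    "has AllowDnsResolutionFromRemoteVpc disabled"
                )
    return findings


def classify_resolved_address(ip, peer_cidrs):
    """Classify where traffic to a resolved address will go.

    'private-via-peering' : inside one of the peer VPC CIDRs (routes over the peering link)
    'public'              : globally routable (leaves via the IGW, source becomes the public IP)
    'other-private'       : private but not in any listed peer CIDR (no peering route)
    """
    addr = ipaddress.ip_address(ip)
    for cidr in peer_cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return "private-via-peering"
    if not addr.is_private:
        return "public"
    return "other-private"


def check_rds_endpoint(hostname, peer_cidrs, resolver=socket.gethostbyname):
    """Resolve the RDS hostname (via the given resolver) and classify the result."""
    ip = resolver(hostname)
    return ip, classify_resolved_address(ip, peer_cidrs)


if __name__ == "__main__":
    doc = load_sample()
    for finding in peering_dns_findings(doc):
        print("FINDING:", finding)

    # Offline demonstration with a constructed resolver: hostname and addresses are placeholders.
    fake_dns = {"db.example-placeholder.rds.amazonaws.com": "3.16.0.1"}
    peer_cidrs = [p["RequesterVpcInfo"]["CidrBlock"] for p in doc["VpcPeeringConnections"]]
    ip, verdict = check_rds_endpoint(
        "db.example-placeholder.rds.amazonaws.com", peer_cidrs, resolver=fake_dns.__getitem__
    )
    print(f"{ip} -> {verdict}")
```

Run against real output by piping `aws ec2 describe-vpc-peering-connections` into `json.load` instead of `load_sample()`, and call `check_rds_endpoint` with the default resolver from the instance on the peer side. A `public` verdict with an empty findings list points at the other causes the answer mentions (the instance resolving through a non-VPC resolver, or a private hosted zone being needed).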
