TheNightCoder

Reputation: 75

Amazon RDS (CLI) - Restore instance from snapshot - wrong security group (No inbound permissions)

I'm preparing a small bash script that reads the latest snapshot name for a given instance and creates a new instance from that snapshot. The command I'm using is

rds-restore-db-instance-from-db-snapshot snapshot-instance --db-snapshot-identifier rds:snapshot-name --region eu-west-1 --availability-zone eu-west-1a --db-instance-class db.t2.micro --multi-az false

This is working fine, the instance gets created. But the instance has wrong security group assignments, preventing it from being accessed from outside (which is needed for a standard "dumping" of the sql-data).

The original Security Group (VPC) of the snapshotted instance was

default (sg-2bc44xxx) ( active )

but when the new instance from the snapshot is created via CLI, it gets the following assignments:

default:vpc-95c10xxx ( active )
rds-default-vpc-95c10-xxxx (sg-9e45bxxx) ( active )

You see the difference of the Security group (sg) of the old security group and the new one.

But I cannot change this connection via CLI:

rds-modify-db-instance snapshot-instance --region eu-west-1 -sg sg-2bc44xxx

Results in

"Malformed input-MalformedInput".

Other try:

rds-modify-db-instance snapshot-instance --region eu-west-1 -a sg-2bc44xxx

which gives

Could not find the resource you requested: DBSecurityGroup not found:  sg-2bc44xxx

When I change the group via Web-Console to the default one, the inbound connection is usable and I can take a mysqldump without any problem.

Currently it is unclear what option to use, either -a or -sg. Also, it is unclear what the correct identifier for security groups is (id, group-name, ...).

Any help or information would be highly appreciated.

Regards,

Erik

Upvotes: 0

Views: 1991

Answers (2)

TheNightCoder

Reputation: 75

I came back here to inform that I ran with a different solution. I used the AWS SDK for PHP and was able to easily get the name of latest snapshot via API. I used it then to spin up a temp-instance (which is bound to the same security groups, parameter groups etc. like the original instance), poll this instance until it's in state "ready" and then perform an actual mysqldump which is then uploaded to S3. After that, I destroy the temp-instance. It's all done via a PHP shell-script and the usage of the official AWS SDK for PHP.

The script is working fine without any errors for nearly 2 years now every day (the dumps are ~ 15GB in size). Thanks anyway for your answers, they might be helpful for others that come across this issue. It's really easy to accomplish these things with the SDK.

Upvotes: 0

Akash Reddy

Reputation: 241

I was facing a similar issue, so after restoring the database using a snapshot, I see that the security group assigned is default, which does not have any inbound rules. If you go to the home page of your RDS console, you can see the configuration for supported platforms as either (EC2, VPC) or just (VPC) as shown here

Sadly, restore-db-instance-from-db-snapshot was not taking in any vpc-security groups option. So after restoring the database, I had to modify it using

aws rds modify-db-instance --db-instance-identifier your-db-identifier --vpc-security-group-ids sg-4xxxxxxx

This worked for me.

Upvotes: 1
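
The restore-then-modify sequence from the answer above as one script, with a check that the restored instance ends up with exactly the intended VPC security groups and no default one. This is an added example, not code from either poster; the three command-line arguments are placeholders, and check_groups and restore_with_groups are names made up here.

```sh
#!/bin/sh
# Added example. Usage: ./restore.sh INSTANCE SNAPSHOT "SG_ID [SG_ID ...]"
# All three arguments are placeholders for your own identifiers.

# check_groups EXPECTED ATTACHED
#   EXPECTED: space-separated VPC security group ids that should be attached
#   ATTACHED: "id<TAB>status" lines, e.g. "sg-0aaa<TAB>active" (constructed)
# Prints one line per problem; returns 1 if the two sets differ.
check_groups() {
  local expected=" $1 " seen=" " rc=0 id status
  while read -r id status; do
    [ -n "$id" ] || continue
    seen="$seen$id "
    case "$expected" in
      *" $id "*) [ "$status" = "active" ] || { echo "pending: $id ($status)"; rc=1; } ;;
      *) echo "unexpected: $id"; rc=1 ;;
    esac
  done <<EOF
$2
EOF
  for id in $1; do
    case "$seen" in *" $id "*) ;; *) echo "missing: $id"; rc=1 ;; esac
  done
  return "$rc"
}

restore_with_groups() {
  local instance="$1" snapshot="$2" groups="$3" attached
  aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier "$instance" \
    --db-snapshot-identifier "$snapshot" || return 1
  # Wait until the restore has finished before modifying the instance.
  aws rds wait db-instance-available --db-instance-identifier "$instance" || return 1
  # $groups is left unquoted on purpose so each id becomes its own argument.
  aws rds modify-db-instance --db-instance-identifier "$instance" \
    --vpc-security-group-ids $groups --apply-immediately || return 1
  attached=$(aws rds describe-db-instances --db-instance-identifier "$instance" \
    --query 'DBInstances[0].VpcSecurityGroups[].[VpcSecurityGroupId,Status]' \
    --output text) || return 1
  # A group that is still being attached is reported as "pending"; re-run the check.
  check_groups "$groups" "$attached"
}

if [ "$#" -eq 3 ]; then
  restore_with_groups "$@"
fi
```

A non-zero exit from the script means the instance should not be opened for the dump yet: either an unintended group is still attached or the intended one is not active.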
