Aidas Bendoraitis

Reputation: 4003

Permissions for EC2 created by Elastic Beanstalk connecting to external RDS

I am quite new to Elastic Beanstalk and not very proficient with server administration, but I need to set up a Django project on Elastic Beanstalk connecting to an external RDS MySQL database.

I have created a separate RDS MySQL database and I can connect to it using Sequel Pro on my computer without problems. Then I have my Django project which I try to put to Elastic Beanstalk, but unfortunately without luck. If I run the local Django server from my computer, the project is browsable and Amazon RDS MySQL is accessible. However, when I run

eb deploy

I get

django.db.utils.OperationalError: (2003, "Can't connect to MySQL server
on 'myapp-staging.xxx.eu-west-1.rds.amazonaws.com' (110)")
(ElasticBeanstalk::ExternalInvocationError)

If I log in to the EC2 server via SSH

eb ssh

and then check the open ports with

netstat -lntu

I don't see MySQL's port 3306 there, so I guess it is blocked by a firewall.

This is what I tried regarding permissions:

  1. I went to RDS Dashboard -> Security Groups and created myapp-mysql-security-group with EC2 Security Group connection type pointing to EC2 security group used by Elastic Beanstalk EC2 instance “awseb-e-...”.
  2. I went to EC2 -> Security Groups and for “awseb-e-...” I set the Inbound MySQL port with source 0.0.0.0/0
  3. I went to VPC Dashboard -> Security Groups and created myapp-mysql-security-group with Inbound Rules of MySQL port with source 0.0.0.0/0.

Then I tried to redeploy, restart servers and even rebuild environment, but nothing helped. The MySQL port 3306 is still not open in the EC2 instances created by Elastic Beanstalk.

What am I doing wrong or what is missing?

Upvotes: 8

Views: 1227

Answers (1)

Edward Samuel Pasaribu

Reputation: 3968

MySQL port 3306 is only opened at the RDS instance (not in your EC2 instance). So, if you check on your EC2 instance, it should not listen on port 3306.

Things you can do to check that RDS is working:

  • Check your EC2 instance's connection to RDS.
    • SSH to your instance (eb ssh) and run telnet myapp-staging.xxx.eu-west-1.rds.amazonaws.com 3306. You might need to install telnet first (yum install telnet).
    • If it succeeds, check your app.
    • If it fails, check the next point.
  • Make sure your RDS and EC2 placement is correct:
    • For private-only access RDS:
      • Make sure they are in the same VPC and allow incoming connections in RDS from the VPC's IP to 3306. For better performance, use the IP address instead of the Security Group name.
      • If they are in different VPCs, you can create VPC Peering.
    • For public access RDS:
      • Same as above, allow incoming connections from the VPC's IP.
  • Make sure EC2 instances are allowed to make outgoing connections to port 3306 in the EC2 security group.
  • Make sure your EC2 host doesn't have a deny rule for 3306 in iptables.
  • If your EC2 and RDS are in different VPCs and you use a private IP for your EC2, check the NAT server. Make sure you allow port 3306 to be proxified.

Upvotes: 9
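
Added example, not part of the question or answer above: a Python equivalent of the telnet check, run from the EC2 instance, that reports why the connection fails. On Linux the `(110)` in the question's error is `ETIMEDOUT`, which is what a silently dropped packet looks like. The names `probe`, `classify` and `HINTS`, the hint texts and the placeholder hostname are assumptions of this example.

```python
import errno
import socket
import sys

# Which layer to inspect first for each outcome (wording is this example's own).
HINTS = {
    "open": "TCP handshake completed; look at DB credentials and Django settings.",
    "timeout": "Packets dropped silently: RDS security group inbound rule, "
               "EC2 outbound rule, network ACL, routing or VPC placement.",
    "refused": "Host answered with a reset: wrong port or wrong endpoint.",
    "dns": "Endpoint name does not resolve from this instance.",
    "other": "Unexpected socket error; inspect the exception.",
}


def classify(exc):
    """Map a socket exception to one of the HINTS keys."""
    if isinstance(exc, socket.gaierror):
        return "dns"
    # socket.timeout is raised when our own timeout expires; ETIMEDOUT (110 on
    # Linux) is raised when the kernel gives up retransmitting the SYN.
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if getattr(exc, "errno", None) == errno.ETIMEDOUT:
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "other"


def probe(host, port=3306, timeout=5.0):
    """Attempt a TCP connection to host:port and return a HINTS key."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Placeholder hostname (constructed); pass the real RDS endpoint as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "db.example.invalid"
    result = probe(host)
    print(f"{host}:3306 -> {result}: {HINTS[result]}")
```

A "timeout" result from the instance while the same endpoint is reachable from a workstation points at the RDS security group's inbound rule rather than at anything listening on the EC2 host.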
