Steve Robinson

Reputation: 3939

Connect to RDS in a different region from EC2 instance

So I have a primary RDS in us-east-1 & a replica in us-west-1. Both are inside VPCs in their respective regions. I want to have one of my EC2 instances in us-east-1 connect to the replica instance.

A simple solution is to enable public access for the RDS replica and add the IP of the EC2 to its security group and it works.

But instead of allowing a static IP, I would like to allow access to the entire CIDR range of my us-east-1 VPC and also I don't want my instances to be publicly accessible.

To do this, I've set up a VPC peering connection between the two regions and I have added entries in the routing tables of both the VPCs to forward traffic to each other's CIDR ranges to the peering connections.

The CIDR range of the EC2 instance is 172.31.0.0/16 and I have added this to the security group of the RDS replica in the us-west-1 region. But for some reason the RDS is not reachable from my EC2.

Have I missed anything else? Thanks!

To summarize my setup:

US EAST:

US WEST:

Upvotes: 4

Views: 5247

Answers (1)

John Rotenstein

Reputation: 269161

To reproduce your situation, I did the following:

In us-east-1:

  • Created a VPC in us-east-1 with a CIDR of 172.31.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Launched an Amazon EC2 Linux instance in the public subnet

In us-west-1:

  • Created a VPC in us-west-1 with a CIDR of 10.0.0.0/16 using the "VPC with Public and Private Subnets" VPC Wizard
  • Added an additional private subnet to allow creation of an Amazon RDS Subnet Group that uses multiple AZs
  • Created an RDS Subnet Group across the two private subnets
  • Launched an Amazon RDS MySQL database in the private subnet with Publicly accessible = No

Setup peering:

  • In us-east-1, created a Peering Connection Request to the VPC in us-west-1
  • In us-west-1, accepted the Peering Request

Configure routing:

  • In us-east-1, configured the Public Route Table (used by the EC2 instance) to route 10.0.0.0/16 traffic to the peered VPC
  • In us-west-1, configured the Private Route Table (used by the RDS instance) to route 172.31.0.0/16 traffic to the peered VPC

Security Groups:

  • In us-east-1, created a security group (App-SG) that allows inbound port 22 connections from 0.0.0.0/0. Associated it to the EC2 instance.
  • In us-west-1, created a security group (RDS-SG) that allows inbound port 3306 connections from 10.0.0.0/16 (which is the other side of the peering connection). Associated it to the RDS instance.

Test:

  • Used ssh to connect to the EC2 instance in us-east-1
  • Installed mysql client (sudo yum install mysql)
  • Connected to mysql with:

        mysql -u master -p -h xxx.yyy.us-west-1.rds.amazonaws.com

This successfully connected to the RDS database across the peering connection.

FYI, the DNS name of the database resolved to 10.0.2.40 (which is in the CIDR range of the us-west-1 VPC). This DNS resolution worked from both VPCs.

In summary, the important bits are:

  • Establish a 2-way peering connection
  • Configure the security group on the RDS instance to permit inbound connections from the CIDR of the peered VPC
  • No need to make the database publicly accessible

Upvotes: 11
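The answer's recipe has three pieces that all have to line up: a route to the peer in the table used by the EC2 instance's subnet, a return route in the table used by the RDS subnets, and a security group on the database that admits the peered VPC's CIDR. The following is an added example (not the answer's or AWS's code) that models that path offline so the pieces can be checked one at a time. It reuses the answer's CIDRs, the resolved address 10.0.2.40 and port 3306; the identifiers pcx-peer, igw-east, igw-west, the subnet ids and the EC2 address 172.31.5.10 are placeholders I constructed. Following the answer's summary bullet, the model's RDS-SG permits 172.31.0.0/16, the peered VPC as seen from the database. The "misrouted" scenario is a constructed common mistake (return route added to the public table rather than the one the DB subnets use), not a diagnosis of the question's setup.

```python
"""Offline model of the cross-region EC2 -> RDS path from the answer above.

Constructed example: CIDRs, the 10.0.2.40 address and port 3306 mirror the
answer; pcx-peer, igw-*, subnet ids and 172.31.5.10 are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    name: str
    routes: dict        # destination CIDR -> target ("local", "igw-...", "pcx-...")
    subnets: frozenset  # subnet ids whose traffic uses this table


@dataclass
class SecurityGroup:
    name: str
    ingress: list       # (protocol, port, source CIDR) tuples


@dataclass
class Host:
    name: str
    ip: str
    subnet: str
    sg: SecurityGroup
    publicly_accessible: bool = False


@dataclass
class Vpc:
    region: str
    cidr: str
    route_tables: list


def route_table_for(vpc: Vpc, subnet: str) -> RouteTable:
    """Return the route table associated with a subnet (each subnet uses exactly one)."""
    for rt in vpc.route_tables:
        if subnet in rt.subnets:
            return rt
    raise KeyError(f"no route table associated with {subnet} in {vpc.region}")


def route_target(rt: RouteTable, dst_ip: str):
    """Longest-prefix match, as the VPC router does; None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in rt.routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def sg_allows(sg: SecurityGroup, src_ip: str, port: int) -> bool:
    """Security groups are stateful, so only the inbound rule on the target matters."""
    ip = ipaddress.ip_address(src_ip)
    return any(proto == "tcp" and p == port and ip in ipaddress.ip_network(cidr)
               for proto, p, cidr in sg.ingress)


def check_path(src_vpc, src, dst_vpc, dst, peering_id, port=3306):
    """Return a list of findings; an empty list means the connection should succeed."""
    findings = []
    fwd = route_table_for(src_vpc, src.subnet)
    if route_target(fwd, dst.ip) != peering_id:
        findings.append(f"{fwd.name}: no route for {dst.ip} via {peering_id}")
    back = route_table_for(dst_vpc, dst.subnet)
    if route_target(back, src.ip) != peering_id:
        findings.append(f"{back.name}: no return route for {src.ip} via {peering_id}")
    if not sg_allows(dst.sg, src.ip, port):
        findings.append(f"{dst.sg.name}: no tcp/{port} ingress from {src.ip}")
    if dst.publicly_accessible:
        findings.append(f"{dst.name}: publicly accessible, not needed over peering")
    return findings


PCX = "pcx-peer"  # placeholder peering connection id


def build_setup(return_route_in_private_rt: bool = True, public_db: bool = False):
    """The answer's layout; the flags reproduce two common mistakes."""
    east_public = RouteTable("Public-RT-east",
                             {"172.31.0.0/16": "local", "0.0.0.0/0": "igw-east",
                              "10.0.0.0/16": PCX}, frozenset({"subnet-east-public"}))
    east = Vpc("us-east-1", "172.31.0.0/16", [east_public])

    west_public_routes = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-west"}
    west_private_routes = {"10.0.0.0/16": "local"}
    # The return route only helps if it sits in the table the DB subnets actually use.
    (west_private_routes if return_route_in_private_rt else west_public_routes)["172.31.0.0/16"] = PCX
    west = Vpc("us-west-1", "10.0.0.0/16", [
        RouteTable("Public-RT-west", west_public_routes, frozenset({"subnet-west-public"})),
        RouteTable("Private-RT-west", west_private_routes,
                   frozenset({"subnet-west-private-a", "subnet-west-private-b"})),
    ])
    app_sg = SecurityGroup("App-SG", [("tcp", 22, "0.0.0.0/0")])
    rds_sg = SecurityGroup("RDS-SG", [("tcp", 3306, "172.31.0.0/16")])  # peered VPC only
    ec2 = Host("ec2", "172.31.5.10", "subnet-east-public", app_sg)
    rds = Host("rds", "10.0.2.40", "subnet-west-private-a", rds_sg, publicly_accessible=public_db)
    return east, ec2, west, rds


def check_answer_setup():
    return check_path(*build_setup(), PCX)


def check_misrouted_setup():
    return check_path(*build_setup(return_route_in_private_rt=False), PCX)


if __name__ == "__main__":
    for label, fn in [("answer", check_answer_setup), ("misrouted", check_misrouted_setup)]:
        print(label, fn() or "reachable")
```

Running the script prints "reachable" for the answer's layout and a single finding against Private-RT-west for the misrouted variant. The security group is deliberately scoped to the peered VPC's /16 rather than 0.0.0.0/0, and the database stays non-public, which is the point of going through peering at all: the only path to port 3306 is from addresses inside the two VPCs.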
