charliefortune

Reputation: 3190

How to configure security groups to connect Laravel Vapor to AWS RDS

I have an AWS RDS that is correctly set up to allow inbound traffic on port 3306 from an ELB that load balances two EC2 instances. This is all working as it should, and has been for some time.

I'm now deploying a new application to a Laravel Vapor environment, which also needs to connect to the same RDS. The application is deployed and accessible in a browser - but as soon as the DB comes into play (login), it times out and throws a Gateway error.

My Vapor environment is configured to use the same subnets as the RDS, and belongs to the same VPC. I have confirmed this in the AWS console.

I created a new security group specifically for the Vapor resources, and this is also specified in the vapor.yml. I can also confirm that this is attached to the Vapor lambdas as expected.

I have added an inbound rule to the security group attached to the RDS to allow ALL traffic from the Vapor security group. I have variously experimented with opening port 3306 only, but eventually broadened to ALL incoming traffic from that SG.

I continue to see exactly the same issue - timeout when making a DB request.

I still believe this to be a network security issue - if the DB credentials were wrong then I wouldn't expect a timeout, I would expect an application error of some kind. Can anybody see anything I've missed here, or point me to the logs that I'd need to look at to work out what's wrong with my setup?

Upvotes: 1

Views: 644

Answers (1)

chris

Reputation: 37490

I like to use security groups in pairs, or chain them if you have more than a couple tiers in your architecture. So for your scenario:

Pairs: (you need one extra group for the public)

  • Public: open 80/443 to 0.0.0.0/0 - this goes on the load balancer
  • WebClient: empty group - this goes on the load balancer
  • WebServer: open 80 or 443 to WebClient group - this goes on the autoscaling group / EC2 instances, depending on if you're using http or https for load balancer -> instance communication
  • DBClient: empty group - this goes on the autoscaling group / EC2 instances
  • DBServer: open 3306 to the DBClient group - this goes on RDS

Chaining:

  • Public: open 80/443 to 0.0.0.0/0 - this goes on the load balancer
  • Web: open 80 or 443 to Public group - this goes on the autoscaling group / EC2 instances
  • DB: open 3306 to Web group - this goes on the RDS instance

Upvotes: 2
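Added example, not code from the question or the answer: a small Python checker that reads the JSON returned by `aws ec2 describe-security-groups --output json` and reports what, at the security-group layer, would stop one group reaching another on a given port. It serves both the asker's "what have I missed" and the answer's pairs design, which is built below in the same JSON shape so it can be run through the same check. Every group ID, group name and VPC ID is constructed for illustration. The check covers the three things that matter at this layer: the destination group's ingress must reference the source group itself (not the ELB's group or the instances' group), the source group's egress must allow the port, and both groups must be in the same VPC. It cannot see subnet route tables or network ACLs, so an empty result means the security groups are not the problem and the next stop is routing/NACLs; VPC Flow Logs on the RDS network interface will show REJECT records for packets dropped by a security group or NACL.

```python
# Added example (not from the question or answer): a security-group-layer
# checker over `aws ec2 describe-security-groups --output json` output, plus
# the answer's "pairs" layout built in that same shape so it can be checked.
# All group IDs, names and VPC IDs below are constructed for illustration.


def _covers(perm, proto, port):
    """True if one IpPermissions entry covers proto/port ("-1" means all traffic)."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _references(perm, sg_id):
    return any(pair.get("GroupId") == sg_id for pair in perm.get("UserIdGroupPairs", []))


def _open_to_world(perm):
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


def check_path(describe_output, src_sg_id, dst_sg_id, port, proto="tcp"):
    """Findings that would block src_sg -> dst_sg on proto/port at the SG layer.

    An empty list means security groups permit the path; a timeout then comes
    from somewhere this check cannot see (subnet routes, NACLs, DNS). Only
    group references and 0.0.0.0/0 are modelled; a rule that allows the source
    by CIDR would be reported as missing.
    """
    groups = {g["GroupId"]: g for g in describe_output["SecurityGroups"]}
    src, dst = groups.get(src_sg_id), groups.get(dst_sg_id)
    if src is None or dst is None:
        return [f"group not found in describe output: {src_sg_id if src is None else dst_sg_id}"]
    findings = []
    if src["VpcId"] != dst["VpcId"]:
        findings.append(f"{src_sg_id} ({src['VpcId']}) and {dst_sg_id} ({dst['VpcId']}) are in different VPCs")
    # Inbound: the destination group must name the *source* group, not some other group.
    if not any(_covers(p, proto, port) and _references(p, src_sg_id) for p in dst["IpPermissions"]):
        findings.append(f"{dst_sg_id} has no ingress rule for {proto}/{port} from {src_sg_id}")
    # Outbound: the source group's egress must reach the destination (group reference or open egress).
    if not any(_covers(p, proto, port) and (_references(p, dst_sg_id) or _open_to_world(p))
               for p in src["IpPermissionsEgress"]):
        findings.append(f"{src_sg_id} has no egress rule for {proto}/{port} to {dst_sg_id}")
    return findings


# --- builders that produce the same shape the CLI returns ---------------------

def group(gid, name, vpc, ingress=(), egress_all=True):
    """One SecurityGroups entry; egress_all reproduces the default allow-all egress of a new group."""
    egress = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}] if egress_all else []
    return {"GroupId": gid, "GroupName": name, "VpcId": vpc,
            "IpPermissions": list(ingress), "IpPermissionsEgress": egress}


def from_group(src_gid, port, proto="tcp"):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "UserIdGroupPairs": [{"GroupId": src_gid}]}


def from_cidr(cidr, port, proto="tcp"):
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}


def paired_layout(vpc="vpc-0a1b2c3d"):
    """The answer's 'pairs' design (HTTPS assumed for load balancer -> instance traffic)."""
    return {"SecurityGroups": [
        group("sg-public", "Public", vpc, [from_cidr("0.0.0.0/0", 80), from_cidr("0.0.0.0/0", 443)]),
        group("sg-webclient", "WebClient", vpc),                                      # on the load balancer
        group("sg-webserver", "WebServer", vpc, [from_group("sg-webclient", 443)]),   # on the instances
        group("sg-dbclient", "DBClient", vpc),                                        # on the instances (and the Vapor lambdas)
        group("sg-dbserver", "DBServer", vpc, [from_group("sg-dbclient", 3306)]),     # on RDS
    ]}


def vapor_scenario(rds_allows_all_from, vpc="vpc-0a1b2c3d"):
    """The asker's setup: the RDS group keeps its existing 3306 rule and adds ALL traffic from one group."""
    return {"SecurityGroups": [
        group("sg-elb", "elb", vpc, [from_cidr("0.0.0.0/0", 443)]),
        group("sg-vapor", "vapor", vpc),
        group("sg-rds", "rds", vpc, [from_group("sg-elb", 3306),   # existing rule, as described in the question
                                     {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": rds_allows_all_from}]}]),
    ]}


if __name__ == "__main__":
    import json, sys
    if len(sys.argv) == 3:   # python check_sg.py <source sg> <destination sg> < describe-security-groups.json
        data, src, dst = json.load(sys.stdin), sys.argv[1], sys.argv[2]
    else:                    # no arguments: run against the constructed sample
        data, src, dst = vapor_scenario("sg-vapor"), "sg-vapor", "sg-rds"
    print(check_path(data, src, dst, 3306) or f"SG layer permits {src} -> {dst}:3306/tcp")
```

Against real infrastructure, feed it the CLI output for the two groups involved: `aws ec2 describe-security-groups --group-ids <vapor sg> <rds sg> --output json | python check_sg.py <vapor sg> <rds sg>`. In the paired layout, `sg-dbclient -> sg-dbserver:3306` comes back clean while `sg-webclient -> sg-dbserver:3306` is reported, which is the point of the design: only the group placed on the database clients can open that port. In the asker's scenario the check passes when the RDS rule names the Vapor group and fails with one finding when it names some other group; a clean result with a persisting timeout points away from security groups and toward the subnet routes, NACLs and flow logs.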
