Access Private RDS DB From Another VPC


Problem description

I'm trying to access a private RDS Instance from a different VPC using a Peering Connection. I have two VPCs:

  1. VPC-K8S (172.20.0.0/16) with one public subnet
  2. VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)

VPC-RDS has 2 security groups (not actual names):

  1. default, which accepts SSH from my IP
  2. db, which accepts TCP over port 5432 from the default security group.

I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:

ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432  -i "KeyName.pem"  ec2-user@ec2-host-name.compute-1.amazonaws.com

I can access the RDS from my workstation via localhost.

I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; VPC-RDS: 172.20.0.0/16 -> pcx-112233).

I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.

Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?

Recommended answer

Stupid oversight, but I'll leave this up if it helps anyone.

My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch-all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.

I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.
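As an added example (not from the question or the answer, and not an AWS tool), a small Python checker that models the two conditions the answer fixes for a client in the peered VPC: the route table associated with the RDS subnet must send the client's address to the peering connection, and the db security group must allow tcp/5432 from a CIDR that contains it. The route tables and rules are constructed sample data shaped like the AWS describe_* output; igw-example, nat-example and sg-default are placeholder ids.

```python
import ipaddress

# Constructed sample data mirroring the question (not the poster's real account).
PEERING_ROUTE = {"DestinationCidrBlock": "172.20.0.0/16", "VpcPeeringConnectionId": "pcx-112233"}
ROUTE_TABLES = {
    "rtb-public": {"subnets": ["172.17.0.0/24"], "routes": [
        {"DestinationCidrBlock": "172.17.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}, PEERING_ROUTE]},
    # The private subnets' table sends 0.0.0.0/0 to a NAT gateway and has no peering route.
    "rtb-private": {"subnets": ["172.17.1.0/24", "172.17.2.0/24", "172.17.3.0/24"], "routes": [
        {"DestinationCidrBlock": "172.17.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
}
# The 'db' security group as first described: tcp/5432 only from the 'default' group.
DB_SG_RULES = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]
K8S_RULE = {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [{"CidrIp": "172.20.0.0/16"}]}

def route_for(routes, ip):
    """Longest-prefix match over the table, as the VPC router does."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in ipaddress.ip_network(r["DestinationCidrBlock"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen, default=None)

def sg_allows(rules, src_ip, port):
    """True if a rule covers the port and lists a CIDR containing src_ip. Rules that reference
    another security group only match that group's members, so a peered-VPC client never matches them."""
    src = ipaddress.ip_address(src_ip)
    return any(r["IpProtocol"] in ("tcp", "-1")
               and r.get("FromPort", 0) <= port <= r.get("ToPort", 65535)
               and any(src in ipaddress.ip_network(c["CidrIp"]) for c in r.get("IpRanges", []))
               for r in rules)

def diagnose(db_subnet, route_tables, sg_rules, client_ip, port=5432):
    """Reasons a client in the peered VPC cannot reach an RDS instance in db_subnet (empty if it can)."""
    table = next((t for t in route_tables.values() if db_subnet in t["subnets"]), None)
    if table is None:
        return [f"no route table associated with {db_subnet}"]
    findings = []
    route = route_for(table["routes"], client_ip)
    if route is None or "VpcPeeringConnectionId" not in route:
        findings.append(f"return traffic for {client_ip} from {db_subnet} does not use the peering connection")
    if not sg_allows(sg_rules, client_ip, port):
        findings.append(f"security group has no CIDR rule allowing tcp/{port} from {client_ip}")
    return findings

def apply_fix(route_tables, sg_rules):
    """The accepted answer: add the peering route to every table lacking it, plus a CIDR rule on the db SG."""
    fixed = {name: {"subnets": t["subnets"],
                    "routes": t["routes"] + ([] if PEERING_ROUTE in t["routes"] else [PEERING_ROUTE])}
             for name, t in route_tables.items()}
    return fixed, sg_rules + [K8S_RULE]
```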

