Access Private RDS DB From Another VPC

Question
I'm trying to access a private RDS Instance from a different VPC using a Peering Connection. I have two VPCs:

- VPC-K8S (172.20.0.0/16) with one public subnet
- VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)
VPC-RDS has 2 security groups (not actual names):

- default, which accepts SSH from my IP
- db, which accepts TCP over port 5432 from the default security group.
I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:

    ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432 -i "KeyName.pem" ec2-user@ec2-host-name.compute-1.amazonaws.com

I can access the RDS from my workstation via localhost.
I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; in VPC-RDS: 172.20.0.0/16 -> pcx-112233).

I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.

Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?
Accepted answer
Stupid oversight, but I'll leave this up if it helps anyone.

My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch-all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.

I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.
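The answer above fixes two separate things: the route table the DB subnets actually use, and the db security group. As an added example (not code from the question or the answer), the Python check below takes route tables and a security group in the shape of the EC2 DescribeRouteTables and DescribeSecurityGroups responses (constructed sample data here; a real run would feed it boto3 output) and reports which DB subnets have no route to the peer CIDR via the peering connection, and whether the security group admits TCP 5432 from that CIDR. Subnet and resource ids other than pcx-112233 are made up for the sample.

```python
import ipaddress
# Constructed sample in the shape of EC2 DescribeRouteTables output, modelling the
# question's state: the peering route exists only in the public subnet's table, while
# the DB subnets use the private table (which is also the VPC's main table).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"},
                {"DestinationCidrBlock": "172.20.0.0/16", "VpcPeeringConnectionId": "pcx-112233"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"Main": True}, {"SubnetId": "subnet-priv-1"}, {"SubnetId": "subnet-priv-2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]
DB_SUBNETS = ["subnet-priv-1", "subnet-priv-2", "subnet-priv-3"]  # priv-3: no explicit association
# Constructed DB security group (DescribeSecurityGroups shape): 5432 only from the default SG.
DB_SG = {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]}

def table_for_subnet(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_peer_route(rt, peer_cidr, pcx_id):
    """True if an active route covers the whole peer CIDR via the given peering connection."""
    want = ipaddress.ip_network(peer_cidr)
    return any(want.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
               and r.get("VpcPeeringConnectionId") == pcx_id and r.get("State", "active") == "active"
               for r in (rt or {}).get("Routes", []) if r.get("DestinationCidrBlock"))

def subnets_missing_peer_route(route_tables, subnet_ids, peer_cidr, pcx_id):
    """DB subnets whose effective route table cannot reach the peer VPC."""
    return [s for s in subnet_ids
            if not has_peer_route(table_for_subnet(route_tables, s), peer_cidr, pcx_id)]

def sg_allows_tcp_from(sg, port, source_cidr):
    """True if an ingress rule admits TCP `port` from every address in source_cidr."""
    src = ipaddress.ip_network(source_cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")  # "-1" means all protocols and ports
        if proto not in ("tcp", "-1") or (proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
            return True
    return False
```

The point of resolving each subnet's effective table (with the main-table fallback) is exactly the oversight in the answer: the public subnet's table having the peering route says nothing about the private subnets, which is why widening the security group to 0.0.0.0/0 changed nothing.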