为什么在对等互连后无法从另一个 VPC 中的 EC2 实例连接 AWS RDS 实例 [英] Why can't I connect AWS RDS instance from EC2 instance in another VPC after peering
问题描述
我在 VPC A 的 EC2 实例上运行 Tableau Server.同时,我在另一个 VPC B 中创建了一个 postgres RDS.现在我想在 Tableau Server 和 RDS 之间建立连接.RDS VPC的CIDR为172.31.0.0/16,EC2 VPC的CIDR为10.0.0.0/16.
I am running Tableau Server on our EC2 instance in VPC A. Meanwhile, I created a postgres RDS in another VPC B. Now I want to establish the connection between the Tableau Server and RDS. CIDR of RDS VPC is 172.31.0.0/16 and that of EC2 VPC is 10.0.0.0/16.
根据一个EC2访问的VPC中的数据库实例不同 VPC 中的实例,我在 VPC A 和 VPC B 之间创建了对等互连,pcx-xyz123.此外,我还为 VPC 创建了以下路由表.
According to A DB Instance in a VPC Accessed by an EC2 Instance in a Different VPC, I created peering between VPC A and VPC B, pcx-xyz123. Besides, I also created the following route tables for the VPCs.
RDS VPC
Destination Target
172.31.0.0/16 local
10.0.0.0/16 pcx-xyz123
EC2 VPC
Destination Target
10.0.0.0/16 local
172.31.0.0/16 pcx-xyz123
两个路由表都是主路由表.虽然每个都有 0 个子网(不确定这是否重要).
Both route tables are main. Each has 0 Subnets though (not sure if this matters).
但是我仍然无法从 Tableau Server 连接 RDS.
However I still can't connect RDS from Tableau Server.
这两个实例是由同一个账户创建的.它们都列在美国东部(俄亥俄州)下.所以我假设他们在同一个地区.另外,它们的主机名中都有 us-east-2.在我的 PC 上,我可以使用 psql 命令或 pgAdmin 连接到 RDS.
The two instances are created by same account. They are both listed under US East(Ohio). So I assume they are in the same region. Plus both have us-east-2 in their hostnames. From my PC, I can connect to RDS with psql command or pgAdmin.
为什么我不能连接两个实例?
Why can't I connect the two instances?
编辑:我在与 Tableau Server 相同的 VPC 的同一子网中创建了另一个 EC2 Linux 实例,仅用于调试目的.我以相同的方式配置了对等互连和路由表,并将子网关联到路由表.但是,我仍然无法连接到 EC2 Linux 实例上的 RDS.
EDIT: I've created another EC2 Linux instance within the same subnet of the same VPC as the Tableau Server just for debugging purposes. I configured the peering and route table same way and also associate the subnets to the route tables. However, I still can't connect to RDS on the EC2 Linux instance.
推荐答案
VPC 对等互连的工作方式与公共子网连接到 Internet 网关的方式大致相同——路由表定义了流量进入的方式/离开子网.
VPC Peering works much the same way as how Public Subnets connect to the Internet Gateway -- the Route Tables define how traffic goes in/out of the Subnets.
为了让 VPC 对等互连工作:
For VPC Peering to work:
- 邀请&接受对等连接(完成)
- 在每个 VPC 中创建一个路由表,指向另一个 VPC 的 IP 范围的对等连接(完成)
- 关联每个您希望能够与路由表对等的子网
- 或者,编辑现有路由表以包含对等条目
- 如果您的 RDS 数据库是公共的,并且您尝试使用数据库的公共 DNS 进行连接,那么您需要编辑对等连接的 DNS 设置 以允许 DNS 解析.
- Invite & Accept the peering connection (Done)
- Create a Route table in each VPC that points to the Peering connection for the other VPC's IP range (Done)
- Associate each subnet that you want able to peer to the Route Table
- Alternatively, edit existing route tables to include the peering entry
- If your RDS database is public, and you are attempting to connect using the public DNS of the database, then you will need to edit the DNS settings of your peering connection to allow DNS resolution.
路由工作如下:
- 当流量离开子网时,会参考路由表以确定将流量发送到哪里
- 首先评估最严格的(例如/24),直到最不严格的(例如/0)
- 根据适当的路由表条目路由流量
这意味着您可以将部分子网配置为对等,而不必包括所有子网.传统上,对等的是私有子网,并且可能只有特定私有子网 -- 但这完全是您的选择.
This means that you can configure some of the subnets to peer, rather than having to include all of them. Traditionally, it is the Private subnets that peer and possibly only specific Private subnets -- but that is totally your choice.
把它想象成路线图上的方向,告诉交通它应该被引导到哪里.
Think of it as directions on a roadmap, telling traffic where it should be directed.
这篇关于为什么在对等互连后无法从另一个 VPC 中的 EC2 实例连接 AWS RDS 实例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
