
Lambda in one security group cannot talk to RDS in another security group in a peered VPC

Question


Here's my architecture:

  1. My Lambda in Lambda_VPC with SecurityGroup (Lambda_SG);
  2. My RDS in RDS_VPC with SecurityGroup (RDS_SG);
  3. I've created a peering connection with Lambda_VPC and RDS_VPC called peering_cxn;
  4. I've modified the route tables for both Lambda_VPC and RDS_VPC to include this peering_cxn following this link;
  5. I've added Lambda_SG as one of the inbound rules in RDS_SG on port 8192 with custom TCP as traffic type
  6. DNS resolution enabled on both VPCs;

But somehow my lambda still cannot call RDS, it keeps timing out.

A couple of things to note:

  1. The endpoint and credentials that my Lambda uses to connect with RDS are correct, as I was able to confirm the connection after briefly adding 0.0.0.0/0 as one of the inbound rules for RDS_SG. Of course I don't want to resort to 0.0.0.0/0 as a resolution, as it opens our system to the whole internet and leaves it protected only by the DB credentials;
  2. Also, I'm able to connect to this RDS instance via exactly the same credentials through a SQL client directly from my MacBook.

Based on my understanding, with this peering VPC in the same account in the same region, Lambda_SG added as an inbound rule for RDS_SG, it should be working, but it's not yet.

Any suggestions would be greatly appreciated!

UPDATE:

  1. I launched an EC2 instance in Lambda_VPC with Lambda_SG, connected to this EC2 instance and tried to connect to RDS:

         sh-5.2$ telnet cluster-abc.cluster-abc987-dbd.us-west-2.rds.amazonaws.com 8192
         Trying 12.345.398.11...
         telnet: connect to address 12.345.398.11: Connection timed out

  2. I've gone into DNS settings of the peering connection and checked both boxes to:
     1. Allow accepter VPC (Lambda_VPC) to resolve DNS of requester VPC (RDS_VPC) hosts to private IP.
     2. Allow requester VPC (RDS_VPC) to resolve DNS of accepter VPC (Lambda_VPC) hosts to private IP.

UPDATE 2:
12.345.398.11 is a public IP address, indicating it didn't try to resolve to a private address as DNS propagation takes time.
So after one night, I connected with the ec2 instance and tried to connect RDS again:

    sh-5.2$ telnet cluster-abc.cluster-abc987-dbd.us-west-2.rds.amazonaws.com 8192
    Trying 10.0.41.180...
    telnet: connect to address 10.0.41.180: Connection timed out

This time, this IP: 10.0.41.180 is within the CIDR range of the RDS_VPC of: 10.0.0.0/16. But still timed out.

Answer 1

Score: 1


The fact that the connection works when RDS_SG allows incoming traffic from 0.0.0.0/0 but not from Lambda_SG suggests that the connection is being made to the Amazon RDS instance's private IP address. If so, then the Security Group will not recognise the incoming connection as coming from Lambda_SG because the traffic has gone out of Lambda_VPC via the Internet rather than the VPC Peering Connection.

To confirm this, you can attempt to resolve the RDS instance's DNS name within Lambda_VPC.

To resolve it, you will need to enable private DNS resolution.

From Enable DNS resolution for a VPC peering connection - Amazon Virtual Private Cloud:

>To enable a VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC, you must modify your existing peering connection.
>
>Both VPCs must be enabled for DNS hostnames and DNS resolution.
>
>...
>
>To ensure that queries from the peer VPC resolve to private IP addresses in your local VPC, choose the option to enable DNS resolution for queries from the peer VPC. This option is Requester DNS resolution or Accepter DNS resolution, depending on whether the VPC is the requester or accepter VPC.

Once this is activated, your existing configuration should work correctly.
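A small offline diagnostic for the situation the answer describes, added here as an example; it is not part of the original post and not AWS tooling. It assumes constructed route tables and CIDRs (the RDS_VPC CIDR 10.0.0.0/16 and the private address 10.0.41.180 come from the question; the public address quoted in the post is not a parseable IPv4 address, so the documentation-range address 203.0.113.10 stands in for it) and reports whether a resolved RDS address would leave Lambda_VPC through the peering connection, which is what RDS_SG needs in order to match a source of Lambda_SG.

```python
"""Why can't a source in Lambda_VPC reach RDS in peered RDS_VPC?

Added example, not from the original post. All route tables, CIDRs and
ids below are constructed; in a real account they come from
`aws ec2 describe-route-tables` and `describe-vpc-peering-connections`.
"""
import ipaddress

RDS_VPC_CIDR = "10.0.0.0/16"          # from the question's UPDATE 2
PEERING_CXN = "pcx-PLACEHOLDER"       # placeholder id for peering_cxn
# Route table attached to the Lambda subnets: destination -> target (assumed)
LAMBDA_VPC_ROUTES = {
    "10.1.0.0/16": "local",           # assumed Lambda_VPC CIDR
    "0.0.0.0/0": "nat-PLACEHOLDER",   # default route to the Internet
    "10.0.0.0/16": PEERING_CXN,       # step 4 of the question
}
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_target(routes, dest_ip):
    """Longest-prefix match, the way a VPC route table picks a route."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def diagnose(resolved_ip, routes, peer_cidr, peering_id):
    """Classify what happens to a connection from Lambda_VPC to resolved_ip."""
    ip = ipaddress.ip_address(resolved_ip)
    if not any(ip in net for net in RFC1918):
        return ("public-ip", "DNS returned a public address: traffic leaves via "
                "the Internet, so RDS_SG cannot match the source to Lambda_SG; "
                "enable DNS resolution on the peering connection")
    if ip not in ipaddress.ip_network(peer_cidr):
        return ("wrong-vpc", f"{resolved_ip} is private but not in {peer_cidr}")
    target = route_target(routes, resolved_ip)
    if target != peering_id:
        return ("no-peering-route", f"{resolved_ip} is routed to {target!r}, "
                "not the peering connection")
    return ("routed-via-peering", "DNS and routes are fine; check the RDS_SG "
            "inbound rule (TCP, port, source Lambda_SG) and the subnet NACLs")


if __name__ == "__main__":
    for addr in ("203.0.113.10", "10.0.41.180"):
        print(addr, *diagnose(addr, LAMBDA_VPC_ROUTES, RDS_VPC_CIDR, PEERING_CXN))
```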

huangapple
  • Posted on 2023-06-12 03:14:05
  • Please keep this link when reposting: https://go.coder-hub.com/76452143.html