How do I configure my Aurora SQL database to be accessible using pgAdmin and fix a timeout expired error? - postgresql

Following this tutorial, I set up an Aurora PostgreSQL database. I then tried to access the database from my computer using pgAdmin. However, pgAdmin gives the error: "Unable to connect to server: timeout expired"
I have tried the following things:
Ensured that the database is set to be publicly accessible
Verified that the database has an IP address (I ran nslookup on my local machine, and it returned a public IP address).
Verified that the database is in a public subnet (it is launched in two subnets, one of which is a public subnet with an Elastic IP address and one of which is a private subnet which directs traffic to a NAT gateway)
Ensured that my database is configured to use port 5432
Modified the security group to add inbound rules allowing TCP traffic on port 5432 from any IPv4 or IPv6 address
Ensured that I can send outbound traffic on port 5432 from my computer using this site

It looks like you have deployed the Aurora DB cluster into two subnets of a VPC and the problem is that one subnet is public, while the other is private. I suspect the DB will be accessible publicly as long as the public DNS resolves to the DB instance in the public subnet, but will be unreachable when it resolves to the instance in the private subnet (though I have not verified this).
To correct this and make the cluster publicly accessible, deploy the DB into public subnets only.

Related

Private IP on Azure MySQL Flexible Server

When creating a MySQL Flexible Server (DBaaS) on Azure that is not publicly accessible, a private DNS zone is created, making that MySQL Flexible Server accessible via a hostname. While debugging why I'm able to connect to the MySQL Flexible Server from a jumpbox VM, but not when using a Virtual Network Gateway point-to-site connection (OpenVPN), I've discovered that the DNS zone has a private IP:
I'm able to connect to MySQL Server using this IP from both jumpbox VM and from local computer using point-to-site OpenVPN.
What is that IP? Since connecting to MySQL via IP is easier than setting up a Private DNS zone and connecting via hostname, why is this IP not documented? Can we use it in production?
Wondering if you have a custom DNS forwarder set up as shared below
https://learn.microsoft.com/azure/mysql/flexible-server/concepts-networking-vnet#connecting-from-on-premises-to-flexible-server-in-virtual-network-using-expressroute-or-vpn

Cannot ping PostgreSQL in private subnet from a VM in public subnet

I have a private subnet in VNet 1 with Network Security Group only allowing inbound traffic from a specific private IP CIDR. This subnet hosts Azure Database for PostgreSQL with a server name.
I also have a public subnet in a different VNet (VNet2) that hosts a standard VM.
I have done VNet peering to connect the two and they don't overlap the address spaces. I have also whitelisted the Private IP of the VM (in VNet2) in the NSG of Private subnet in VNet 1 but I cannot ping the PostgreSQL DB from my VM. It says:
ping: mydb-dev.postgres.database.azure.com: Name or service not known
Both VNets are in same subscription and same region
Things to notice.
You can't ping directly with the server name (ping mydb-dev.postgres.database.azure.com), because this domain/server name is not registered in any public or private DNS zone. If you want to ping with the server name, your domain should be registered in a DNS record.
Another, more important thing is that you need to open the port (the default PostgreSQL port is 5432) at both VNets at the inbound and outbound level.
You are able to ping when you're deploying both resources in one VNet. By default, there is no security boundary between subnets of a VNet, so VMs in each of these subnets can talk to one another.

AWS Lambda default VPC - unable to connect with mongodb running on EC2

Can anyone help me figure out a database connection issue from Lambda to MongoDB (running on EC2, Ubuntu machine)?
I have following scenario -
Installed and running MongoDB on EC2 (it is in default VPC)
Enable port 27017 for private IP of API EC2
Enable port 27017 for SECURITY_GROUP, like this -
Deployed Lambda function within default VPC and the same security group as assigned to MongoDB EC2 server.
With the above situation my Lambda function is not able to connect to the MongoDB EC2 server; however, if I open port 27017 globally, then it works fine.
Can anyone help please?
Given that the Lambda function and MongoDB instance have the same security group, you should:
ensure that the security group allows traffic inbound from itself
your DB client connects to the private IP of the DB server (or resolves its DNS name using the VPC DNS resolver, which will yield the private IP) rather than its public IP
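As an added example (not from the question or answer), here is a check over security-group data in the shape `aws ec2 describe-security-groups` returns: it tells whether a group permits a port from its own members, which is what two resources sharing one security group need, and distinguishes that from the "open to the world" rule that made the questioner's setup work. The group ID and CIDRs are constructed placeholders.

```python
# Added example, not from the original post: does a security group allow
# inbound traffic on a port from its own members? Data mimics the shape of
# `aws ec2 describe-security-groups`; IDs and CIDRs are constructed placeholders.

def _port_in_rule(rule, port):
    """True if an IpPermissions entry covers `port` over TCP (or all traffic, '-1')."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def inbound_sources(sg, port):
    """Return (self_allowed, cidrs): whether the group references itself as a
    source on `port`, and which CIDR ranges are allowed on that port."""
    self_allowed = False
    cidrs = []
    for rule in sg.get("IpPermissions", []):
        if not _port_in_rule(rule, port):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == sg["GroupId"]:
                self_allowed = True
        cidrs += [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return self_allowed, cidrs

def diagnose(sg, port):
    """Explain why traffic between members of the group on `port` is or is not allowed."""
    self_allowed, cidrs = inbound_sources(sg, port)
    if self_allowed:
        return "ok: members of the group can reach each other on port %d" % port
    if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
        return "works only because port %d is open to the world; use a self-referencing rule instead" % port
    return "blocked: no rule allows port %d from the group itself" % port

# Constructed sample: the questioner's first attempt, allowing only one host's private IP.
SG_BEFORE = {"GroupId": "sg-0123example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [{"CidrIp": "172.31.10.5/32"}], "UserIdGroupPairs": []}]}
# The fix the answer describes: the group lists itself as the allowed source.
SG_AFTER = {"GroupId": "sg-0123example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0123example"}]}]}
```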

Why can't App Engine connect to Compute Engine VM instance?

I have a VM instance (e2-micro) on GCP running with postgres. I added my own external ip address to pg_hba.conf so I can connect to the database on my local machine. Next to that I have a nodeJS application which I want to connect to that database. Locally that works, the application can connect to the database on the VM instance. But when I deploy the app to GCP I get a 500 Server Error when I try to visit the page in the browser.
These are the things I already did/tried:
Created a Firewall rule to allow connections on my own external ip address
Created a VPC connector and added that connector to my app.yaml
Made sure everything is in the same project and region (europe-west1)
If I allow all IP addresses on my VM instance with 0.0.0.0/0 then App Engine can connect, so my guess is that I'm doing something wrong with the connector? I use 10.8.0.0/28 as the IP range while the internal IP address of the VM instance is 10.132.0.2, is that an issue? I tried an IP range with 10.0.0.0 but that also didn't work.
First check if your app uses a /28 IP address range (see the documentation):
When you create a connector, you also assign it an IP range. Traffic sent through the connector into your VPC network will originate from an address in this range. The IP range must be a CIDR /28 range that is not already reserved in your VPC network.
When you create a VPC connector a proper firewall rule is also created to allow traffic:
An implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's IP range to all destinations in the network.
As you wrote yourself when you create a rule that allows traffic from any IP it works (your app can connect). So - look for the rule that allows traffic from the IP range that your app is in - if it's not there create it.
Or - you can connect your app to your DB over public IPs - in such a case you also have to create a proper rule that will allow the traffic from the app to the DB.
Second - check the IP of the DB that app uses.
My guess is that you didn't change the IP of the DB (that app uses) and it tries to connect not via VPC connector but via external IP and that's why it cannot (and works only when you create a firewall rule).
This answer pointed me in the right direction: https://stackoverflow.com/a/64161504/3323605.
I needed to deploy my app with
gcloud beta app deploy
since the VPC connector method was in beta. Also, I tried to connect to the external IP in my app.yaml but that needed to be the internal IP of course.

Access Private RDS DB From Another VPC

I'm trying to access a private RDS Instance from a different VPC using a Peering Connection. I have two VPCs:
VPC-K8S (172.20.0.0/16) with one public subnet
VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)
VPC-RDS has 2 security groups (not actual names):
default, which accepts SSH from my IP
db, which accepts TCP over port 5432 from the default security group.
I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:
ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432 -i "KeyName.pem" ec2-user@ec2-host-name.compute-1.amazonaws.com
I can access the RDS from my workstation via localhost.
I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; VPC-RDS: 172.20.0.0/16 -> pcx-112233)
I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.
Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?
Stupid oversight, but I'll leave this up if it helps anyone.
My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.
I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.
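The Aurora answer near the top (deploy only into public subnets) and this last post (the private subnets' route table missing the peering route) both come down to reading route tables. As an added example that is not from either post, this checker classifies each DB subnet as public or private from its default route and reports whether it has a route to the peer VPC's CIDR through a peering connection; the route-table data and IDs are constructed placeholders in the shape of `aws ec2 describe-route-tables` output.

```python
# Added example, not from the original posts: classify DB subnets from route-table data and
# check for a route to the peer VPC. Data mimics `aws ec2 describe-route-tables`; IDs are placeholders.
import ipaddress

def route_table_for(subnet_id, route_tables):
    """Route table associated with the subnet, falling back to the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify(route_table):
    """'public' if 0.0.0.0/0 goes to an internet gateway, 'private' if to a NAT gateway."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"

def has_peering_route(route_table, peer_cidr):
    """True if a route covering the whole peer CIDR targets a peering connection (pcx-...)."""
    peer = ipaddress.ip_network(peer_cidr)
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        if dest and route.get("VpcPeeringConnectionId", "").startswith("pcx-"):
            if peer.subnet_of(ipaddress.ip_network(dest)):
                return True
    return False

def audit(subnet_ids, route_tables, peer_cidr):
    """Per subnet: (public/private/isolated, has a route to peer_cidr via peering)."""
    return {sid: (classify(route_table_for(sid, route_tables)),
                  has_peering_route(route_table_for(sid, route_tables), peer_cidr))
            for sid in subnet_ids}

# Constructed sample mirroring the peering post: the private subnet's table has no pcx route yet.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
                {"DestinationCidrBlock": "172.20.0.0/16", "VpcPeeringConnectionId": "pcx-112233"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv1"}, {"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
```

Running `audit(["subnet-pub", "subnet-priv1"], ROUTE_TABLES, "172.20.0.0/16")` flags the private subnet as lacking the peering route; a DB subnet group that mixes "public" and "private" results is the situation the Aurora answer warns about.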