What security group/IAM/other settings are needed for AWS RDS connections?

(Pukkasoftware) #1

Normally we would put an IP address on a security group for inbound postgres connections so our Docker stack can connect to RDS for the database service. Since we don’t control any of that, what’s the best way to allow inbound connections from Docker Cloud to AWS RDS?


(Michael Clifford) #2

Your Docker Cloud nodes will come up in a VPC and subnets which you are able to define. Ideally your RDS instance will allow inbound connections from subnets on the same VPC and all connections will happen in the private IP space and not over the public internet.

Example:

VPC: 172.0.30.0/16
RDS Subnet: 172.0.30.10/24
Docker Cloud Node Subnet: 172.0.30.80/24

In the above example, your RDS instance would need a security group that allowed connections from 172.0.30.80/24.


(Pukkasoftware) #3

RDS didn’t give me a chance to define what VPC it wanted to use (at least that I can see). Is it possible to reconfigure it to belong to the same VPC as the docker VPC? Or is this set once at the outset?

I have managed to get them talking but it’s using the public endpoint with an inbound ruleset and I’d rather have it communicating privately like you suggest.


(Michael Clifford) #4

Unfortunately once you deploy your RDS instance you are anchored to that VPC. However, if you are able to put your service into maintenance mode you could restore a new RDS instance from a snapshot. When you create an RDS instance you are given the ability to choose what VPC and Subnet it resides on.

I highly recommend restructuring your setup and not communicating over the public endpoints.


(Pukkasoftware) #5

Thanks Michael, I followed your advice and spun up a new RDS instance in the docker-created VPC and I’ve got our environment up and running. My VPC is set to allow inbound postgres from within the security group so it seems like it’s all working.

Can I tack on a quick AWS-specific question? I can toggle “publicly accessible” on the RDS instance and then it’s available from anywhere - is this expected behavior if the RDS instance is in the VPC or should I have to further configure VPC VPN/gateway or something else? I think what I’m wondering is if the publicly accessible does in fact pierce the boundary of the VPC, how do I know the RDS instance isn’t communicating over the public endpoints or is otherwise when publicly accessible is disabled?


(Michael Clifford) #6

Excellent. Really glad to hear it worked out for you.

Regarding your 2nd question, AFAIK setting an RDS instance as publicly accessible should only work if the VPC subnet the instance is in communicates with the internet over an internet gateway. If the VPC has completely private routing or communicates through a NAT gateway without proper routing it shouldn’t work.
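
The condition discussed in this exchange can be checked offline, as an added example that is not part of the original thread or any poster's code: the functions below take data shaped like the output of `describe-db-instances`, `describe-route-tables` and `describe-security-groups` and report whether the instance is flagged publicly accessible, sits in a subnet with a default route to an internet gateway, and accepts the database port from outside the VPC. The sample IDs and CIDRs are constructed, the route tables are assumed to be pre-filtered to the instance's VPC, and IPv6 ranges, prefix lists and network ACLs are not evaluated.

```python
import ipaddress

def subnet_has_igw_route(subnet_id, route_tables):
    """Default route to an internet gateway in the subnet's table (explicit, else main)."""
    explicit = [t for t in route_tables
                if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", []))]
    main = [t for t in route_tables
            if any(a.get("Main") for a in t.get("Associations", []))]
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for t in (explicit or main) for r in t.get("Routes", []))

def external_sources(db, security_groups, vpc_cidr):
    """Ingress CIDRs outside the VPC that may reach the DB port."""
    port, vpc = db["Endpoint"]["Port"], ipaddress.ip_network(vpc_cidr)
    attached = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
    found = []
    for sg in (s for s in security_groups if s["GroupId"] in attached):
        for p in sg.get("IpPermissions", []):
            covers = p.get("IpProtocol") == "-1" or (
                p.get("IpProtocol") == "tcp"
                and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535))
            if covers:
                found += [r["CidrIp"] for r in p.get("IpRanges", [])
                          if not ipaddress.ip_network(r["CidrIp"]).subnet_of(vpc)]
    return found

def assess(db, route_tables, security_groups, vpc_cidr):
    igw = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]
           if subnet_has_igw_route(s["SubnetIdentifier"], route_tables)]
    ext = external_sources(db, security_groups, vpc_cidr)
    return {"igw_routed_subnets": igw, "external_sources": ext,
            "internet_reachable": bool(db["PubliclyAccessible"] and igw and ext)}

# Constructed sample data (not from the thread), shaped like the AWS describe-* output.
DB = {"PubliclyAccessible": True, "Endpoint": {"Port": 5432},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}],
      "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-a"},
                                    {"SubnetIdentifier": "subnet-b"}]}}
ROUTES = [{"Associations": [{"Main": True}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
          {"Associations": [{"SubnetId": "subnet-b", "Main": False}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]}]
SGS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.2.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]}]

if __name__ == "__main__":
    print(assess(DB, ROUTES, SGS, "10.0.0.0/16"))
```

In the sample, `subnet-a` falls back to the main route table (NAT only) while `subnet-b` has an explicit table with an internet gateway route, so a DB subnet group that mixes the two is reported through `subnet-b`.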


(Dusterio) #7

If a developer uses several cloud providers, it’s obviously not possible to place all nodes within the same VPC.

I made a simple Go script that synchronises node public IPs with a specified AWS security group so that, for instance, all your nodes (irrespective of cloud provider) can access AWS RDS. Public Docker image too!

Feel free to improve it :)