Why can't I connect AWS RDS instance from EC2 instance in another VPC after peering

ddd · Sep 20, 2017 · Viewed 9.5k times

I am running Tableau Server on our EC2 instance in VPC A. Meanwhile, I created a postgres RDS in another VPC B. Now I want to establish the connection between the Tableau Server and RDS. CIDR of RDS VPC is 172.31.0.0/16 and that of EC2 VPC is 10.0.0.0/16.

According to A DB Instance in a VPC Accessed by an EC2 Instance in a Different VPC, I created peering between VPC A and VPC B, pcx-xyz123. Besides, I also created the following route tables for the VPCs.

RDS VPC
Destination      Target
172.31.0.0/16    local
10.0.0.0/16      pcx-xyz123

EC2 VPC
Destination      Target
10.0.0.0/16      local
172.31.0.0/16    pcx-xyz123

Both route tables are main. Each has 0 Subnets though (not sure if this matters).

However, I still can't connect to RDS from Tableau Server.

The two instances are created by same account. They are both listed under US East(Ohio). So I assume they are in the same region. Plus both have us-east-2 in their hostnames. From my PC, I can connect to RDS with psql command or pgAdmin.

Why can't I connect the two instances?

EDIT: I've created another EC2 Linux instance in the same subnet of the same VPC as the Tableau Server, just for debugging purposes. I configured the peering and route table the same way and also associated the subnets with the route tables. However, I still can't connect to RDS from the EC2 Linux instance.

Answer

John Rotenstein · Sep 20, 2017

VPC Peering works much the same way as Public Subnets connecting to the Internet Gateway -- the Route Tables define how traffic goes in/out of the Subnets.

For VPC Peering to work:

  • Invite & Accept the peering connection (Done)
  • Create a Route table in each VPC that points to the Peering connection for the other VPC's IP range (Done)
  • Associate each subnet that you want able to peer to the Route Table
  • Alternatively, edit existing route tables to include the peering entry
  • If your RDS database is public, and you are attempting to connect using the public DNS of the database, then you will need to edit the DNS settings of your peering connection to allow DNS resolution.

The routing works as follows:

  • When traffic leaves a subnet, the Route Table is consulted to determine where to send the traffic
  • The most restrictive (e.g. /24) is evaluated first, through to the least restrictive (e.g. /0)
  • The traffic is routed according to the appropriate Route Table entry

This means that you can configure some of the subnets to peer, rather than having to include all of them. Traditionally, it is the Private subnets that peer and possibly only specific Private subnets -- but that is totally your choice.

Think of it as directions on a roadmap, telling traffic where it should be directed.
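The checklist and routing rules in the answer above, modelled as an added example (this is not code from the question, the answer, or AWS). It reproduces the two VPC CIDRs and the peering id pcx-xyz123 from the question; every other id, subnet, address and security group is constructed. It encodes the rules a practitioner checks when a peered connection fails: a subnet with no explicit association falls back to its VPC's main route table, route lookup is longest-prefix match, the route must exist in both directions and point at an active peering that joins the two VPCs, and (going one step beyond the answer's list) the destination's security group must admit the source CIDR on the database port.

```python
"""Reachability check for a DB connection across a VPC peering.

Added example, not part of the original question or answer. Fixtures are
constructed: 10.0.0.0/16 (EC2 VPC), 172.31.0.0/16 (RDS VPC) and pcx-xyz123
come from the question; all other identifiers are made up.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Route tables: list of (destination CIDR, target).
ROUTE_TABLES = {
    "rtb-ec2-main": [("10.0.0.0/16", "local"), ("172.31.0.0/16", "pcx-xyz123")],
    "rtb-ec2-split": [("10.0.0.0/16", "local"), ("172.31.0.0/16", "pcx-xyz123"),
                      ("172.31.99.0/24", "vgw-example")],   # more specific route wins
    "rtb-rds-main": [("172.31.0.0/16", "local"), ("10.0.0.0/16", "pcx-xyz123")],
    "rtb-rds-isolated": [("172.31.0.0/16", "local")],       # no peering entry
}
VPCS = {
    "vpc-a": {"cidr": "10.0.0.0/16", "main_rtb": "rtb-ec2-main"},
    "vpc-b": {"cidr": "172.31.0.0/16", "main_rtb": "rtb-rds-main"},
}
# rtb=None means "no explicit association" (the question's '0 Subnets' case).
SUBNETS = {
    "subnet-tableau": {"vpc": "vpc-a", "cidr": "10.0.1.0/24", "rtb": None},
    "subnet-rds-1": {"vpc": "vpc-b", "cidr": "172.31.10.0/24", "rtb": None},
    "subnet-rds-2": {"vpc": "vpc-b", "cidr": "172.31.20.0/24", "rtb": "rtb-rds-isolated"},
}
# Security group ingress rules: (protocol, port, source CIDR).
SECURITY_GROUPS = {
    "sg-rds-open": [("tcp", 5432, "10.0.0.0/16")],
    "sg-rds-pc-only": [("tcp", 5432, "203.0.113.7/32")],   # only the admin's PC
}
PEERING = {"pcx-xyz123": {"status": "active", "vpcs": {"vpc-a", "vpc-b"}}}


def subnet_of(ip: str) -> Optional[str]:
    """Return the subnet id whose CIDR contains ip, or None."""
    addr = ip_address(ip)
    for sid, s in SUBNETS.items():
        if addr in ip_network(s["cidr"]):
            return sid
    return None


def route_table_for(subnet_id: str) -> str:
    """A subnet with no explicit association uses its VPC's main route table."""
    s = SUBNETS[subnet_id]
    return s["rtb"] or VPCS[s["vpc"]]["main_rtb"]


def lookup_route(rtb_id: str, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching destination wins."""
    addr = ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[rtb_id]:
        net = ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def _check_hop(src_subnet: str, dst_ip: str, dst_subnet: str, label: str, problems: List[str]) -> None:
    """Verify that src_subnet's route table can deliver dst_ip via the peering."""
    rtb = route_table_for(src_subnet)
    target = lookup_route(rtb, dst_ip)
    src_vpc, dst_vpc = SUBNETS[src_subnet]["vpc"], SUBNETS[dst_subnet]["vpc"]
    if target is None:
        problems.append(f"{label}: {rtb} has no route for {dst_ip}")
    elif target == "local":
        if src_vpc != dst_vpc:
            problems.append(f"{label}: {rtb} sends {dst_ip} to 'local' but it is in another VPC")
    elif target.startswith("pcx-"):
        pcx = PEERING.get(target)
        if pcx is None or pcx["status"] != "active":
            problems.append(f"{label}: peering {target} is not active")
        elif {src_vpc, dst_vpc} != pcx["vpcs"]:
            problems.append(f"{label}: peering {target} does not join {src_vpc} and {dst_vpc}")
    else:
        problems.append(f"{label}: {rtb} routes {dst_ip} to {target}, not a peering connection")


def check_path(src_ip: str, dst_ip: str, dst_sg: str, port: int = 5432, proto: str = "tcp") -> List[str]:
    """Return the list of reasons src_ip cannot reach dst_ip:port; empty means reachable."""
    src_subnet, dst_subnet = subnet_of(src_ip), subnet_of(dst_ip)
    if src_subnet is None or dst_subnet is None:
        return [f"no subnet found for {src_ip if src_subnet is None else dst_ip}"]
    problems: List[str] = []
    _check_hop(src_subnet, dst_ip, dst_subnet, "forward", problems)   # EC2 -> RDS
    _check_hop(dst_subnet, src_ip, src_subnet, "return", problems)    # RDS -> EC2
    src_addr = ip_address(src_ip)
    allowed = any(p == proto and prt == port and src_addr in ip_network(cidr)
                  for p, prt, cidr in SECURITY_GROUPS[dst_sg])
    if not allowed:
        problems.append(f"security group {dst_sg} does not allow {proto}/{port} from {src_ip}")
    return problems


if __name__ == "__main__":
    for sg in ("sg-rds-open", "sg-rds-pc-only"):
        print(sg, check_path("10.0.1.10", "172.31.10.5", sg) or "reachable")
    print("isolated subnet", check_path("10.0.1.10", "172.31.20.5", "sg-rds-open"))
```

The third case in the `__main__` block is the one the answer warns about: the forward route is fine, but the RDS subnet is associated with a table that has no entry for 10.0.0.0/16, so the return path fails. The second case shows the failure mode the answer's checklist does not cover, where routing is correct in both directions but the database's security group only admits the administrator's PC, which matches the symptom of psql working from a workstation while the EC2 instance cannot connect.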