
I am trying to connect to an RDS Instance from my local machine through a VPC Peering connection. In my AWS Account I have two VPCs: VPC1 is connected to my local network via DirectConnect, VPC2 isn’t. VPC2 contains all of my infrastructure and the idea is that if I want to connect to that infrastructure from my local machine I need to work through VPC1.

I have configured a route in the peering connection to forward IP based requests to VPC2 for a given address range. This doesn’t really help me for RDS though because I don’t know what the IP Address for RDS is, only the endpoint. I am guessing that there is some combination of DNS/Routing/Networking/Peering that will solve this problem but I haven’t found any documentation that describes how to solve this issue.

Has anyone solved this issue before, or know of any documentation that describes what needs to be done?

Update:
The exact problem is that I can’t connect to the RDS instance from my local machine. For example, if I use the RDS Endpoint as the server for my connection, the Sql Client I am using simply can’t connect with a timeout error. My suspicion is that traffic is not being routed to VPC2 correctly but I don’t know how to prove that.

As far as DNS goes, I am not sure how OnPrem is setup however I have 4 hosted zones in Route53 with a variety of URLs. Items that I setup in Route53 I am able to resolve by host name on my local.

Likewise, I am not sure how the network has been configured with DirectConnect (full VPN tunnel or otherwise).

As far as DNS and the network connections between AWS go though, that stuff works. I am able to resolve pieces of infrastructure in VPC1 fine I just (seemingly) can’t get traffic to move across the Peering Connection in the way that I would expect.

2 Answers


  1. Sorry for the Japanese material.

    I think VPC1 and VPC2 cannot communicate even if you configure routing. So as long as communication is impossible, configuring DNS will not accomplish the goal, I guess.

    AWS Solutions Architect Blog (Japanese): "VPC Peering use cases and tips" (VPC Peeringの使いどころとTips等々)

    VPC Peering provides peering, not routing between multiple VPCs, so if you are peering 3 or more VPCs or connecting to locations outside of AWS via VPN or DirectConnect, even if you set the Routing Table appropriately for each, there will be no IP layer routing to networks more than 2 hops away. Workarounds such as using proxies or stepping stones are required as before.

    Translated with http://www.DeepL.com/Translator (free version)

    Could PrivateLink help you achieve your goal?

    AWS-40_AWS_Summit_Online_2020_NET01.pdf

    Following the example on page 42:

    local network –> Direct Connect –> VPC Endpoint (in VPC1) –> NLB (in VPC2) –> RDS (in VPC2)

  2. I think the problem is that you think you can access vpc2 resources from on-prem just because you have direct connect to vpc1. What vpc-peering is giving you is access from vpc1 to vpc2 via private ip addresses. In your case you want vpc1 to act like a router to just transit your request from on-prem to vpc2. It does not work that way.

    What are your options:

    • You could have a host in vpc1 access vpc2 (like a bastion host) and you could ssh into that one first.
    • If possible, you can create a vpn connection from on-prem to vpc2.
    • And there are more complex solutions via transit gateway.

    The doc here talks about vpc-peering limitations, it will basically explain that transitive connections like you want won’t work: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

    AWS scenario documentation to reach db mentions option 1 here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html

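The non-transitive behaviour both answers describe can be checked on paper before touching the console. The script below is an added example, not code from the question or from either answer: it models the route tables of the two VPCs (in the shape of the `Routes` entries returned by `aws ec2 describe-route-tables`) and applies the rule that a peering connection only carries traffic whose source and destination both lie inside the two peered VPCs. It then traces four packets: an on-prem client to the RDS address, the RDS reply, a bastion in VPC1 to RDS, and that reply. All CIDRs, the `pcx-`/`vgw-` IDs and the RDS address are assumptions chosen for illustration; to use it against your own setup, resolve the RDS endpoint (for example with `dig` or `nslookup`) and substitute the real CIDRs and the resolved IP.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Every CIDR, ID and address here is an assumption for
# illustration; none of them come from the original post.
NETWORKS = {
    "onprem": ip_network("10.0.0.0/16"),   # reached from VPC1 over Direct Connect
    "vpc1": ip_network("10.10.0.0/16"),
    "vpc2": ip_network("10.20.0.0/16"),    # where the RDS instance lives
}

# Route tables trimmed to the `aws ec2 describe-route-tables` fields that matter.
ROUTE_TABLES = {
    "vpc1": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "vgw-dx"},
        {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-12"},
    ],
    "vpc2": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.10.0.0/16", "VpcPeeringConnectionId": "pcx-12"},
        # A "return route" to on-prem over the peering looks plausible but is inert:
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-12"},
    ],
}
PEERINGS = {"pcx-12": ("vpc1", "vpc2")}
GATEWAYS = {"vgw-dx": "onprem"}   # virtual private gateway behind Direct Connect


def which_network(ip):
    """Name the network an address falls in (e.g. the IP the RDS endpoint resolves to)."""
    ip = ip_address(ip)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return None


def lookup_route(table, dst):
    """Longest-prefix match over one route table, as the VPC router does."""
    dst, best = ip_address(dst), None
    for route in ROUTE_TABLES[table]:
        net = ip_network(route["DestinationCidrBlock"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def peering_forwards(pcx, src, dst):
    """A peering connection carries only traffic whose source and destination are
    both inside the two peered VPCs; there is no edge-to-edge routing through it."""
    a, b = (NETWORKS[n] for n in PEERINGS[pcx])
    return (src in a and dst in b) or (src in b and dst in a)


def trace(src, dst, table):
    """Follow one packet through the route tables. Returns (delivered, hops)."""
    src, dst, hops = ip_address(src), ip_address(dst), []
    for _ in range(len(ROUTE_TABLES) + 1):      # bounded walk; the model has no loops
        route = lookup_route(table, dst)
        if route is None:
            hops.append(f"{table}: no route to {dst}")
            return False, hops
        gw = route.get("GatewayId")
        if gw == "local":
            hops.append(f"{table}: delivered locally to {dst}")
            return True, hops
        if gw in GATEWAYS:
            ok = dst in NETWORKS[GATEWAYS[gw]]
            hops.append(f"{table}: via {gw} -> {GATEWAYS[gw]} ({'delivered' if ok else 'dropped'})")
            return ok, hops
        pcx = route.get("VpcPeeringConnectionId")
        if pcx is None:
            hops.append(f"{table}: target {gw} not modelled")
            return False, hops
        if not peering_forwards(pcx, src, dst):
            hops.append(f"{table}: {pcx} drops {src} -> {dst} (not between the peered VPCs)")
            return False, hops
        table = next(n for n in PEERINGS[pcx] if n != table)
        hops.append(f"-> {pcx} -> {table}")
    return False, hops


if __name__ == "__main__":
    rds_ip = "10.20.3.10"   # assumed result of resolving the RDS endpoint
    print("RDS address lives in:", which_network(rds_ip))
    for label, src, dst, table in [
        ("on-prem client -> RDS", "10.0.5.5", rds_ip, "vpc1"),
        ("RDS -> on-prem (return)", rds_ip, "10.0.5.5", "vpc2"),
        ("bastion in VPC1 -> RDS", "10.10.1.20", rds_ip, "vpc1"),
        ("RDS -> bastion (return)", rds_ip, "10.10.1.20", "vpc2"),
    ]:
        ok, hops = trace(src, dst, table)
        print(f"{label}: {'reachable' if ok else 'UNREACHABLE'}")
        for hop in hops:
            print("   ", hop)
```

The two on-prem traces fail at the peering in both directions even though every route table has a matching entry, which is exactly the symptom in the question (a route exists, the client still times out). The bastion traces succeed because their source address is inside VPC1, which is why answer 2's first option works: connect to the bastion, then reach the RDS endpoint from there.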