
I have an RDS running in Region/AZ us-east-1f and an EC2 (after a reset to generate a new private key) running in us-east-1a. The EC2 can’t reach the RDS and I think it’s because they’re in different AZs now. So I read this http://aws.amazon.com/premiumsupport/knowledge-center/move-ec2-instance/ on how to move the EC2. But when I try and execute the automated script/page the region field will only accept us-east-1 and not the letter after the 1. How do I tell the script to put the EC2 in us-east-1f (so it will be able to reach the RDS)? Thank you.
Update: I’m now focused on making sure both RDS and EC2 are in the same VPC. The RDS is in the rds-launch-wizard VPC, and the EC2 is in a VPC I created. In order to change the RDS VPC you need to create a new subnet but I get an error message in doing that saying I need to select multiple AZ. I do select multiple AZ but the error message persists with the same message. This is frustrating.

2 Answers


  1. Chosen as BEST ANSWER

    The answer to AZ/VPC/network changes in an EC2 is that you need to stop the EC2 instance, create a new image (AMI), and then launch that new AMI. In launching the new AMI you will have the opportunity to select the VPC/AZ/subnet/security group etc. In my case I had to set up a new set of inbound rules on the EC2 security group to allow SSH (port 22 only from my IP address) and HTTP (port 80) from all IPv4 addresses. And believe it or not, in the course of launching the new AMI an option appeared to "connect to an RDS" to which I agreed and my EC2 and RDS are now talking!


  2. The EC2 can’t reach the RDS and I think it’s because they’re in different AZs now

    If it’s in the same VPC it can communicate across subnets. (If it’s in a different VPC, that would require peering or a transit gateway and some routes.)

    I suspect your security group is at fault here. If you’re using a CIDR to allow access, you may have put in just one subnet’s CIDR into the allowed inbound rules on the RDS security group. It’s better to create a security group for your RDS clients, allow that client security group in your RDS security group ingress rules, and associate the client SG to instances that should access your RDS; that way IPs aren’t relevant and you have finer-grained access.

    But when I try and execute the automated script/page the region field will only accept us-east-1 and not the letter after the 1.

    If your RDS is not Multi-AZ, there’s little benefit to putting its client in a different AZ, and cross-AZ traffic does incur a cost, so putting your instance in us-east-1f makes sense.

    Based on your shared link (https://us-east-1.console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-CopyEC2Instance?region=us-east-1) which should work for anyone once you’re logged into AWS, there’s an optional SubnetId parameter to the SSM action you’re running that can be used to place the instance.
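The two answers above describe one pattern: a DB subnet group that spans at least two AZs (the error the question hit), a client security group referenced from the RDS security group's ingress instead of subnet CIDRs, the SSH-from-my-IP / HTTP-from-anywhere rules of the accepted answer, and relaunching the instance from an AMI into the subnet you choose. The Terraform configuration below is an added example written for this page; it is not code from either answer, from the questioner, or from AWS. The VPC ID, subnet IDs, instance ID, `my_ip_cidr` value and the MySQL port 3306 are all assumptions/placeholders to replace with your own.

```hcl
# Added example, not from the thread. All IDs below are placeholders.
variable "my_ip_cidr" {
  description = "Your workstation's public IP as a /32, e.g. 203.0.113.10/32 (placeholder)"
  type        = string
}

data "aws_vpc" "app" {
  id = "vpc-PLACEHOLDER" # the VPC both the EC2 instance and the RDS instance should share
}

# Subnet in the AZ where the RDS primary lives (us-east-1f in the question).
data "aws_subnet" "app_1f" {
  id = "subnet-PLACEHOLDER-1f"
}

# A DB subnet group must contain subnets in at least two AZs, which is why the
# console rejected a single-AZ selection in the question's update.
resource "aws_db_subnet_group" "rds" {
  name       = "rds-subnets"
  subnet_ids = ["subnet-PLACEHOLDER-1a", "subnet-PLACEHOLDER-1f"]
}

# Client SG: attach this to every instance that should be allowed to reach the DB.
resource "aws_security_group" "rds_client" {
  name   = "rds-client"
  vpc_id = data.aws_vpc.app.id
}

# RDS SG: ingress is granted by reference to the client SG, not by CIDR, so the
# client's subnet and IP address no longer matter.
resource "aws_security_group" "rds" {
  name   = "rds-server"
  vpc_id = data.aws_vpc.app.id

  ingress {
    from_port       = 3306 # MySQL assumed; PostgreSQL would be 5432
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.rds_client.id]
  }
}

# Instance SG with the rules the accepted answer describes:
# SSH only from one address, HTTP from any IPv4 address.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = data.aws_vpc.app.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.my_ip_cidr]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Relaunch path from the accepted answer: image the (stopped) instance, then
# launch that AMI into the chosen subnet with both security groups attached.
resource "aws_ami_from_instance" "app" {
  name               = "app-relaunch"
  source_instance_id = "i-PLACEHOLDER" # stop this instance before imaging it
}

resource "aws_instance" "app" {
  ami                    = aws_ami_from_instance.app.id
  instance_type          = "t3.micro"
  subnet_id              = data.aws_subnet.app_1f.id
  vpc_security_group_ids = [aws_security_group.web.id, aws_security_group.rds_client.id]
}
```

The security-relevant choice is the `security_groups` reference in the RDS ingress rule: it keeps the database closed to everything except instances carrying `rds-client`, and nothing has to be re-edited when an instance is relaunched in another subnet or AZ. To verify the result after applying, confirm that the RDS instance's security group shows only the SG-sourced rule and no broad CIDR rules.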
