11

I have an Amazon RDS instance set up in the 'classic' EC2 (no VPC).

I also have a VPC set up that holds our newer, migrated applications and such.

However, it would seem that there is no way to specify a combination of either CIDR or EC2 security groups in the DB Security Groups that will allow my VPC instances to connect. The allowed security groups are only the 'classic' security groups.

I cannot find any documentation that suggests this is not doable, but I cannot find any documentation in the affirmative, either. Googling lands on a lot of results the 'other way', e.g. RDS instances in VPC and instances in EC2. I have the opposite problem.

Am I looking at a point-in-time restore to a new instance(s) in VPC to get connectivity to work? I understand I can maintain a public availability requirement that I have, but I would like to simply allow my VPC instances to connect for the time being.

Sam Halicke

2 Answers

7

If your VPC EC2 instances are in private subnets, then to access EC2-Classic, your VPC will need a NAT. Give your NAT an elastic IP address so it's a constant public IP address.

Then in your RDS security group, allow access only for that Elastic IP address.

If your VPC EC2 instances are in public subnets, then you could give each of them elastic IP addresses and allow access to only those IP addresses in your RDS security group. This is more difficult if they are part of auto-scaling groups.

Matt Houser
How much would this traffic be susceptible to sniffing (asking how it would be routed given the public IP address)? – Itai Frenkel Jul 24 '15 at 04:18
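The answer above comes down to one rule in the DB security group: only the NAT's Elastic IP, as a /32, should be authorized for VPC-originated traffic. The following is an added example (not code from the question, the answers, or AWS) that audits a DB security group for exactly that: it assumes input shaped like the output of `aws rds describe-db-security-groups` (field names `IPRanges`, `CIDRIP`, `EC2SecurityGroups`, `Status`) and uses a constructed sample with placeholder addresses and account id.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws rds describe-db-security-groups` output.
# Assumption: the field names match the RDS DescribeDBSecurityGroups API.
# 203.0.113.10 stands in for the NAT's Elastic IP; 0.0.0.0/0 is a deliberately
# over-broad rule so the audit has something to flag.
SAMPLE = json.loads("""
{
  "DBSecurityGroups": [
    {
      "DBSecurityGroupName": "classic-db-sg",
      "IPRanges": [
        {"Status": "authorized", "CIDRIP": "203.0.113.10/32"},
        {"Status": "authorized", "CIDRIP": "0.0.0.0/0"}
      ],
      "EC2SecurityGroups": [
        {"Status": "authorized", "EC2SecurityGroupName": "classic-web",
         "EC2SecurityGroupOwnerId": "123456789012"}
      ]
    }
  ]
}
""")


def audit_db_security_group(group, nat_eip):
    """Return a list of findings for one DB security group.

    nat_eip is the Elastic IP attached to the VPC's NAT. The only CIDR that
    should be authorized for VPC traffic is nat_eip/32; anything wider than a
    single host, or any other host, is reported.
    """
    findings = []
    expected = ipaddress.ip_network(f"{nat_eip}/32")
    seen_expected = False
    for entry in group.get("IPRanges", []):
        if entry.get("Status") != "authorized":
            continue  # pending/revoked entries are not live rules
        net = ipaddress.ip_network(entry["CIDRIP"], strict=False)
        if net == expected:
            seen_expected = True
        elif net.prefixlen < 32:
            findings.append(f"broad CIDR {net} authorized ({net.num_addresses} hosts)")
        else:
            findings.append(f"unexpected host {net} authorized")
    if not seen_expected:
        findings.append(f"NAT EIP {expected} not authorized; VPC instances behind the NAT cannot connect")
    # EC2-Classic security groups never match VPC instances, so they only
    # widen access for Classic hosts; report them so they can be reviewed.
    for sg in group.get("EC2SecurityGroups", []):
        if sg.get("Status") == "authorized":
            findings.append(f"EC2-Classic group {sg['EC2SecurityGroupName']} authorized; does not match VPC instances")
    return findings


if __name__ == "__main__":
    for finding in audit_db_security_group(SAMPLE["DBSecurityGroups"][0], "203.0.113.10"):
        print(finding)
```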
1

What I would consider doing is migrating the server to a newer EC2 instance by creating an AMI and relaunching the machine in your VPC.

Alternatively, can you attach a VPC to the old instance? If so, you can make use of AWS's "Peering Connection": http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-overview.html