AWS: Restrict external access to Database but allow ECS task to access

user631845

7/27/23, 7:33 AM

I'm not great at network administration so I need some help to do something really basic on AWS. Basically, I have a RDS database on a vpc, let's call it VPC1. The database is also associated with VPC security group "Default: sg1"

I have a API server that needs to access the Database running as a docker image (service) using ECS. This API server is associated with a load balancer on the same VPC ID VPC1. The task has external IP XXX.XXX.XXX.XXX and internal IP YYY.YYY.YYY.YYY

All I want to do is allow the ECS service to access the database, but disable all other external access.

I've tried the following:

add the private IP to the inbound SG rule
add the public IP to the inbound SG rule
Add the security group of the network the task is part of to the SG rule The protocol, for testing, is set to "all"

None of these seem to work. What am I missing here?

0 + 0

amazon-web-services

Score:1

Server

Tim

7/27/23, 8:23 AM

I typically do this with security group references rather than IPs. Make sure each resource (DB, ECS) is assigned a security group that isn't used for anything else - ie not the default SG. Default works but it's not good practice and it's more difficult to keep track of.

You need to put in matching security group rules to allow traffic out from ECS to the DB, and into the DB from ECS:

ECS SG: allow outbound connectivity to the DB SG on the required port.
DB SG: allow inbound connectivity from the DB SG on the required port.

Since security groups are stateful you don't need to allow incoming into ECS or outgoing from DB.

If for some reason you need to do this with IPs make sure you use private IPs rather than public. In AWS public IPs are only translated in the internet gateway, they're not used within the VPC.

0 + 0

user631845

7/28/23, 1:49 AM

Yes, this appears to have been the best and most pain free solution. Thank you kindly.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: AWS: Restrict external access to Database but allow ECS task to access

TH: AWS: จำกัดการเข้าถึงฐานข้อมูลจากภายนอก แต่อนุญาตให้งาน ECS เข้าถึงได้

RO: AWS: restricționați accesul extern la baza de date, dar permiteți accesul sarcinii ECS

RU: AWS: ограничить внешний доступ к базе данных, но разрешить доступ задаче ECS

VI: AWS: Hạn chế quyền truy cập bên ngoài vào Cơ sở dữ liệu nhưng cho phép tác vụ ECS truy cập

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.