 

Access RDS from Elastic Beanstalk Instance in VPC

I'm trying to configure access to our RDS from the instances in an Elastic Beanstalk environment.

The RDS and EB environment are in the same VPC.

The complication is that the security group for the EB instances is dynamically generated at environment creation time. I'm not sure how to configure the RDS security group to allow a dynamic security group.

I've tried using the CIDR for the VPC instead, but this doesn't seem to work.

Is there a recommended way to do this?

user1751825 asked Sep 07 '25 18:09


1 Answer

EC2 security groups can be used for more than just allowing incoming and outgoing traffic. They can also be used for pure identification of EC2 instances.

When creating an Elastic Beanstalk application, EB will always create a security group for the EC2 instances, but you can also add another security group to your EC2 instances.

Using these two pieces of information, you can do the following:

  1. Create a security group for your EC2 instances. Don't give the security group any incoming or outgoing rules.
  2. Allow this security group access to your RDS instance by adding a rule to your RDS security group allowing incoming connections on port 3306 for your security group.
  3. When you create your EB application, when you're asked for a security group for your EC2 instances, select your security group. Alternatively, you can edit your already-existing EB application's configuration and add your security group to the list of security groups. It's a comma-separated list.

Once this is done, your EC2 instances should have access to your RDS instance.


As an aside, using a CIDR for your VPC in your RDS security group's incoming rule should work as well.

Matt Houser answered Sep 10 '25 08:09
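As an added example (not part of the answer above and not AWS's own code), this Python check reads the RDS security group in the shape `aws ec2 describe-security-groups` returns and reports whether port 3306 is open to the identifying security group by reference, along with any CIDR rules on the same port. The sample JSON, the group IDs and the CIDR are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# for the RDS security group; every ID and the CIDR below are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0rds000000000000a",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-0app000000000000b"}],
     "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [],
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
  ]}]}
""")

def covers_port(perm, port):
    """True if the rule applies to TCP `port` (protocol "-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def mysql_sources(group, port=3306):
    """Split who may reach `port` into referenced security groups and CIDR ranges."""
    groups, cidrs = set(), set()
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return groups, cidrs

def audit(group, app_sg, port=3306):
    """Return findings; an empty list means only `app_sg` can reach the port."""
    groups, cidrs = mysql_sources(group, port)
    findings = []
    if app_sg not in groups:
        findings.append(f"{app_sg} is not allowed on port {port}")
    findings += [f"unexpected source group {g}" for g in sorted(groups - {app_sg})]
    findings += [f"CIDR rule {c} admits every host in that range" for c in sorted(cidrs)]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE["SecurityGroups"][0], "sg-0app000000000000b"):
        print(line)
```

A group-reference rule keeps matching when Elastic Beanstalk replaces instances, because it follows group membership rather than instance addresses.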