Amazon security groups - unable to connect from within another security group

Time: 2017-07-19 15:38:07

Tags: amazon-web-services amazon-ec2 aws-security-group

My security group inbound rules are as follows:

WebAccess
    HTTP          TCP 80    0.0.0.0/0
    SSH           TCP 22    0.0.0.0/0

DB
    MYSQL/Aurora  TCP 3306  sg-0252186b (WebAccess)

My instances are set up as follows:

    Instance 1, web server      - security group WebAccess
    Instance 2, web server      - security group WebAccess
    Instance 3, database server - security group DB

If my understanding is correct, anyone should be able to reach HTTP and SSH on my web servers, and only instances that are members of the WebAccess group should be able to reach the database server. However, the database server cannot be reached from the web servers.

When I change the 3306 rule to allow inbound from anyone, I can access it fine (and, as expected, also from my local machine).

Could someone please help me understand where I have gone wrong?

Thanks, Chris

1 answer:

Answer 0: (score: 0)

When you change the security group to 0.0.0.0/0 and you are then able to access the DB from your desktop, that means your instance has been enabled for public access (i.e. it has a public IP). When you connect to such an instance, traffic leaves the subnet to the internet and comes back in. Because of that, the traffic no longer originates from your web instance but from the internet. You would need to use the web instances' public IPs in that case.

Also please note, the way you have worded your question/comments suggests you use the IP of the RDS instance instead of the hostname. This works if you use a single-AZ RDS deployment. It won't work if you use multi-AZ or convert this RDS instance to multi-AZ (HA setup). The reason is that during a failover AWS updates the DNS name to point to the new master. If your application is using an IP, no failover will occur.

Even worse: if you use an IP and single-AZ now but later decide to upgrade to multi-AZ, your application will continue to work until the first failover (most likely due to maintenance).
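The following is an added example, not code from the question or the answer: a deliberately simplified Python model of how a security-group ingress rule is matched, written to make the answer's point concrete. It assumes a VPC CIDR of 10.0.0.0/16, made-up private and public addresses for the hosts, and a toy "ENI table" mapping private addresses to group membership; only the group id sg-0252186b comes from the question. It is not AWS's implementation, but it reproduces the behaviour the answer describes: a rule that references a source security group matches only traffic that arrives from a private address in that group, so a connection made to the database's public address (which leaves the VPC and comes back from the internet) never matches it, while 0.0.0.0/0 matches everything.

```python
"""Toy model of EC2 security-group ingress evaluation (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: the VPC address range used by all hosts below.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


@dataclass
class IngressRule:
    """One inbound rule: a TCP port plus either a CIDR or a source security-group id."""
    port: int
    cidr: Optional[str] = None
    source_sg: Optional[str] = None


@dataclass
class Host:
    name: str
    private_ip: Optional[str]          # None for a host outside the VPC (e.g. a laptop)
    public_ip: Optional[str]           # None for an instance with no public address
    security_groups: Set[str] = field(default_factory=set)


def source_address(client: Host, dest_ip: str) -> str:
    """Address the destination sees for a packet from `client` to `dest_ip`.

    Inside the VPC the packet keeps the client's private address. To a public
    destination it leaves through the internet gateway and is NATed to the
    client's public address, which is the situation the answer describes.
    """
    if ipaddress.ip_address(dest_ip) in VPC_CIDR:
        if client.private_ip is None:
            raise ValueError(f"{client.name} is outside the VPC and cannot reach {dest_ip}")
        return client.private_ip
    if client.public_ip is None:
        raise ValueError(f"{client.name} has no public address and cannot reach {dest_ip}")
    return client.public_ip


def rule_allows(rule: IngressRule, src_ip: str, port: int,
                ip_to_sgs: Dict[str, Set[str]]) -> bool:
    """Evaluate one rule against a packet from src_ip to the given port.

    A source-SG rule matches only when src_ip belongs to an ENI that is a member
    of that group. Public addresses are not in the ENI table, so they never match.
    """
    if rule.port != port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    if rule.source_sg is not None:
        return rule.source_sg in ip_to_sgs.get(src_ip, set())
    return False


def connect(client: Host, dest_ip: str, port: int, rules: List[IngressRule],
            ip_to_sgs: Dict[str, Set[str]]) -> bool:
    """True if the destination's security group admits a TCP connection from `client`."""
    src = source_address(client, dest_ip)
    return any(rule_allows(r, src, port, ip_to_sgs) for r in rules)


# Constructed sample topology. Addresses are made up; sg-0252186b is the id from the question.
WEB_SG = "sg-0252186b"
WEB1 = Host("web1", private_ip="10.0.1.10", public_ip="198.51.100.10", security_groups={WEB_SG})
DB = Host("db", private_ip="10.0.2.20", public_ip="198.51.100.20", security_groups={"sg-db"})
LAPTOP = Host("laptop", private_ip=None, public_ip="203.0.113.5")

# Toy ENI table: only private addresses carry group membership.
IP_TO_SGS = {WEB1.private_ip: WEB1.security_groups, DB.private_ip: DB.security_groups}

SG_ONLY = [IngressRule(3306, source_sg=WEB_SG)]   # the DB group as the asker configured it
OPEN = [IngressRule(3306, cidr="0.0.0.0/0")]       # the change that "fixed" the problem


if __name__ == "__main__":
    print("web1 -> db private addr, SG rule  :", connect(WEB1, DB.private_ip, 3306, SG_ONLY, IP_TO_SGS))
    print("web1 -> db public addr,  SG rule  :", connect(WEB1, DB.public_ip, 3306, SG_ONLY, IP_TO_SGS))
    print("web1 -> db public addr,  0.0.0.0/0:", connect(WEB1, DB.public_ip, 3306, OPEN, IP_TO_SGS))
    print("laptop -> db public addr, SG rule :", connect(LAPTOP, DB.public_ip, 3306, SG_ONLY, IP_TO_SGS))
    print("laptop -> db public addr, 0.0.0.0/0:", connect(LAPTOP, DB.public_ip, 3306, OPEN, IP_TO_SGS))
```

The first and second calls are the asker's situation: the same SG-referencing rule admits web1 when the connection is made to the database's private address and rejects it when made to the public address, because the packet then arrives from web1's public IP, which belongs to no security group. Opening the port to 0.0.0.0/0 makes both work, and also lets the laptop in, which is why that "fix" is the wrong one. In practice the web tier should connect to the RDS endpoint hostname rather than an address: from inside the VPC it resolves to the private address, so the group-referencing rule matches, and it keeps working after a Multi-AZ failover for the reason the answer gives.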