Creating a publicly accessible RDS instance in AWS CloudFormation

Time: 2017-07-24 00:35:00

Tags: amazon-web-services amazon-rds amazon-cloudformation amazon-vpc

I have completely given up on this one. I have been trying to create a publicly accessible RDS instance using CloudFormation. I want to be able to connect to my instance with a MySQL client. When I deploy this stack, the RDS console says the instance is publicly accessible, but I cannot connect through the endpoint shown in the RDS console. I am guessing I messed up or missed something on the VPC side. Here is my stack.yaml file:

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'VPC created by cf'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
      - Key: Name
        Value: Created By CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  DataSourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref Vpc
  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      # The source is the group itself, so only resources that are members of
      # DataSourceSecurityGroup can reach port 3306; nothing outside the VPC can.
      SourceSecurityGroupId: !Ref DataSourceSecurityGroup
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      CidrBlock: 10.0.0.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      CidrBlock: 10.0.16.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
      - Key: Name
        Value: 'RouteTable created by CF'
  RouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  RouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref RouteTable
  InternetRouteRule:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  DataSourceSubtNetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Created by CF
      SubnetIds:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
  DataSource:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      DBName: MyDb
      DBSubnetGroupName: !Ref DataSourceSubtNetGroup
      Engine: MySQL
      # Credentials are hard-coded in the template body and therefore visible to
      # anyone who can read the stack; a NoEcho parameter keeps them out of it.
      MasterUsername: AdminUser
      MasterUserPassword: AdminPassword
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref DataSourceSecurityGroup
    DeletionPolicy: Snapshot

Thanks

1 answer:

Answer 0: (score: 4)

Your DataSourceSecurityGroup security group is currently configured to:

  • Allow restricted connections on port 3306 from the security group DataSourceSecurityGroup

That is, it will allow inbound connections from any Amazon EC2 instance that is itself a member of the DataSourceSecurityGroup security group.

If you want to allow access from anywhere on the Internet, change your template to allow inbound access from 0.0.0.0/0:

  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      CidrIp: 0.0.0.0/0

I made this change, tested your template, and it worked fine.

For future reference: you can debug things like this by creating the stack and then examining the security group in the management console.
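As an added example that is not part of the question or the answer above, here is a small static check that classifies the two security-group rules discussed on this page (the asker's self-referencing rule and the answer's 0.0.0.0/0 rule) and, going beyond the page, a third variant scoped to a single client address. The template fragments are constructed as Python dicts mirroring the page's CloudFormation resources; the helper function, the finding labels and the 203.0.113.10/32 client address are this example's own.

```python
# Added example: static check for CloudFormation security-group ingress rules on a
# database port. The templates are constructed dicts mirroring this page's resources
# (no YAML parsing); the helper and the finding labels are this example's own.

DB_PORT = 3306  # MySQL, as in the page's RDS instance

def ingress_rule(group, **source):
    """AWS::EC2::SecurityGroupIngress for DB_PORT on `group`; `source` is e.g.
    CidrIp="0.0.0.0/0" or SourceSecurityGroupId={"Ref": group}."""
    props = {"IpProtocol": "tcp", "FromPort": str(DB_PORT), "ToPort": str(DB_PORT),
             "GroupId": {"Ref": group}, **source}
    return {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": props}

def classify_db_ingress(resources, db_port=DB_PORT):
    """Map each ingress rule covering db_port to one finding:
    members-only: the source is the group the rule belongs to, so only instances in
                  that group can connect; an external client is refused even though
                  the RDS instance is PubliclyAccessible (the asker's symptom).
    world-open:   any IPv4/IPv6 address may reach the database port.
    scoped:       a specific CIDR or a different security group."""
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroupIngress":
            continue
        p = res["Properties"]
        if p.get("IpProtocol") == "-1":  # all protocols and ports
            lo, hi = 0, 65535
        else:
            lo, hi = int(p["FromPort"]), int(p["ToPort"])
        if not lo <= db_port <= hi:
            continue
        src = p.get("SourceSecurityGroupId")
        if src is not None and src == p.get("GroupId"):
            findings[name] = "members-only"
        elif p.get("CidrIp") == "0.0.0.0/0" or p.get("CidrIpv6") == "::/0":
            findings[name] = "world-open"
        else:
            findings[name] = "scoped"
    return findings

# The asker's rule: the group admits only its own members.
ASKER_RULE = {"DSSGIngressRule": ingress_rule(
    "DataSourceSecurityGroup", SourceSecurityGroupId={"Ref": "DataSourceSecurityGroup"})}
# The answer's rule: reachable from anywhere on the Internet.
ANSWER_RULE = {"DSSGIngressRule": ingress_rule("DataSourceSecurityGroup", CidrIp="0.0.0.0/0")}
# Beyond the page: the same fix limited to one constructed client address (TEST-NET-3).
SCOPED_RULE = {"DSSGIngressRule": ingress_rule("DataSourceSecurityGroup", CidrIp="203.0.113.10/32")}
```

The answer's rule is classified world-open: it resolves the connectivity problem but exposes the MySQL port to every IPv4 address, so once the stack works, narrow CidrIp to the client network that actually needs access.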