how to connect to private RDS from localhost - amazon-ec2

I have a private VPC with private subnets a private jumpbox in 1 private subnet and my private RDS aurora MySql serverless instance in another private subnet.
I did those commands on my local laptop to try to connect to my RDS via port forwarding:
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["5901"],"localPortNumber"=["9000"] --profile myProfile
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["3306"],"localPortNumber"=["3306"] --profile myProfile
The connection to the server hangs.
I had this error on my local laptop:
Starting session with SessionId: myuser-09e5cd0206cc89542
Port 3306 opened for sessionId myuser-09e5cd0206cc89542.
Waiting for connections...
Connection accepted for session [myuser-09e5cd0206cc89542]
Connection to destination port failed, check SSM Agent logs.
and those errors in /var/log/amazon/ssm/errors.log:
2021-11-29 00:50:35 ERROR [handleServerConnections # port_mux.go.278] [ssm-session-worker] [myuser-017cfa9edxxxx] [DataBackend] [pluginName=Port] Unable to dial connection to server: dial tcp :3306: connect: connection refused
2021-11-29 14:13:07 ERROR [transferDataToMgs # port_mux.go.230] [ssm-session-worker] [myuser-09e5cdxxxxxx] [DataBackend] [pluginName=Port] Unable to read from connection: read unix #->/var/lib/amazon/ssm/session/3366606757_mux.sock: use of closed network connection
and I try to connect to RDS like this :
I even tried to put the RDS Endpoint using ssh Tunnel, but it doesn't work:
Are there any additional steps to do on the remote server ec2-instance?
It seems the connection is accepted but the connection to the destination port doesn't work.
Thank you for your help on this!!

The start-session command tunnels the port from the target EC2 instance to localhost. The RDS instance is on another host, so you must use SSH tunneling.
Send your public key to the EC2 instance. Fill in the region and availability zone parameters.
aws ec2-instance-connect send-ssh-public-key --region us-west-2 --instance-id i-0d5470040e7541ab9 --availability-zone us-west-2a --instance-os-user ec2-user --ssh-public-key file://~/.ssh/id_rsa.pub
Forward the SSH port 22 from the EC2 instance to 9999 locally.
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile
SSH into the instance with tunneling (in another terminal). Fill in rds-instance-dns with the DNS of your RDS instance.
ssh ec2-user#localhost -L 6606:rds-instance-dns:3306 -i ~/.ssh/id_rsa -p 9999
Access RDS
mysql -h localhost -p 6606
You also need to ensure that your EC2 instance has the correct permissions to access the RDS instance by configuring the security group.

Related

discovery.seed_hosts in elasticsearch AWS EC2 with ELB

I have EC2 instances under an ELB. Whenever a new instance is started an ip address is assigned dynamically.
I have added the ELB DNS name, but it is referring the ip addresses from Network Interfaces tagged to the ELB. But I need to add the ec2 instance ip address.
So how do I add the new ip address in discovery.seed_hosts in elasticsearch without manual intervention?
Note:- I am looking for a way other than ec2 discovery plugin
I have used aws cli command to fetch the IP's from AWS ELB. Added the following script to my .sh file
export ELASTIC_INSTANCE_IPS=$(aws ec2 describe-instances --filters file://filters.json --query "Reservations[*].Instances[*].PrivateIpAddress" --region ${aws_region} --output text | paste -sd,)
tee -a elasticsearch.yml << END
discovery.seed_hosts: [$ELASTIC_INSTANCE_IPS]

How to get public ip of an EC2 instance from aws CLI by instance id?

I have an instance that I start through aws cli:
aws ec2 start-instances --instance-ids i-00112223333444445
Instance does not have a static public IP. How can I get instance public ip through CLI knowing the ID i-00112223333444445?
Try the following command:
aws ec2 describe-instances --instance-ids $instance_id \
--query 'Reservations[*].Instances[*].PublicIpAddress' \
--output text
If the EC2 instance has a public IP address, this command will return it.
Links:
Details about the query parameter can be found here.
Details about the describe-instances command can be found here.

How to create a VPC endpoint for autoscaling

We have our VPCs not directly connected to internet. So we need CLI --endpoint-url option to send commands to the custom VPC endpoints instead of standard AWS service endpoints
e.g.
aws sns publish --message $MESSAGE --target-arn $SNSTARGET --region $REGION --endpoint-url 'https://vpce-xxxx-xxxxx.sns.ap-southeast-1.vpce.amazonaws.com/'
For autoscaling though:
I can't find any vpc endpoint interface option and the EC2 endpoint is not accepted.
aws autoscaling complete-lifecycle-action --lifecycle-hook-name $LIFECYCLEHOOKNAME --auto-scaling-group-name $ASGNAME --lifecycle-action-result $HOOKRESULT --instance-id $INSTANCEID --region $REGION
Could not connect to the endpoint URL: https://autoscaling.ap-southeast-1.amazonaws.com/
If I try to use the closest endpoint i.e. EC2
aws autoscaling complete-lifecycle-action --lifecycle-hook-name $LIFECYCLEHOOKNAME --auto-scaling-group-name $ASGNAME --lifecycle-action-result $HOOKRESULT --instance-id $INSTANCEID --region $REGION --endpoint-url 'https://vpce-xxxx-xxx.ec2.ap-southeast-1.vpce.amazonaws.com/'
An error occurred (InvalidAction) when calling the CompleteLifecycleAction operation: The action CompleteLifecycleAction is not valid for this web service.
AWS will be adding EC2 autoscaling VPC endpoint in the coming weeks, the rumor is before Re:Invent.

Cloud9 AWS CLI - how to determine CIDR for security group?

I'm using Cloud9 IDE and AWS CLI to manage EC2 instances. I'm going through the AWS guidance on configuring security groups and trying to determine what CIDR I should use when creating a new security group (http://docs.aws.amazon.com/cli/latest/userguide/tutorial-ec2-ubuntu.html)
Here is the sample command from the guidance:
$ aws ec2 authorize-security-group-ingress --group-name devenv-sg --protocol tcp --port 22 --cidr 0.0.0.0/0
Thanks.

Script to attach and detach server from the load balancer in amazon aws

I am using the below Script to attach and detach the server from load balancer
#!/bin/bash
aws elb register-instances-with-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e
aws elb deregister-instances-from-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e
When I am running the script I am getting the error as below
Service elasticloadbalancing not available in region ap-southeast-1b
Service elasticloadbalancing not available in region ap-southeast-1b
Is there any changes I want to make the script working or Is there any alternate script to do the work.
The error says region ap-southeast-1b, but ap-southeast-1b is an Availability Zone, not a Region.
The Region should be ap-southeast-1.
Run aws configure and confirm that your Region is set correctly.
Seems your ELB is set in other regions, add --region in your command, for example, if the ELB is created at us-east-1:
aws elb register-instances-with-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e --region us-east-1
aws elb deregister-instances-from-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e --region us-east-1

Resources