相同的vPC,无法使用EC2 psql访问另一台主机的PostgreSQL

uqxowvwt  于 2022-09-19  发布在  PostgreSQL
关注(0)|答案(1)|浏览(127)

在同一个VPC中,我使用CDK创建了一个EC2,一个PostgreSQL。我将EC2设置为公共,将PostgreSQL设置为私有,并允许所有IP访问PostgreSQL默认端口,一切都准备好了,但无法从EC2使用psql telnet到PostgreSQL,有人知道问题所在,我是不是遗漏了什么?

Vpc vpc = new Vpc(this,"RDS-VPC",
                VpcProps.builder()
                        .natGateways(1).maxAzs(2).build());

        SecurityGroup ec2SG = new SecurityGroup(this,"EC2-SG", SecurityGroupProps.builder().vpc(vpc).allowAllOutbound(true).build());
        ec2SG.addIngressRule(Peer.ipv4("xxx.xxx.xxx.xxx/32"),Port.tcp(22),"The specified IP can be accessed");

        SecurityGroup rdsSg = new SecurityGroup(this,"RDS-SG", SecurityGroupProps.builder().vpc(vpc).allowAllOutbound(true).build());

        rdsSg.addIngressRule(Peer.anyIpv4(),Port.tcp(5432),"allow public ssh access");
        List<SecurityGroup> securityGroups  = new ArrayList<>();
        securityGroups.add(rdsSg);
 Instance Ec2Instace = new Instance(this,"ec2", InstanceProps.builder().vpc(vpc)
                .instanceType(InstanceType.of(InstanceClass.T3,InstanceSize.MEDIUM))
                .machineImage(MachineImage.latestAmazonLinux(AmazonLinuxImageProps.builder().generation(AmazonLinuxGeneration.AMAZON_LINUX_2).build()))
                .securityGroup(ec2SG)
                .vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PUBLIC).build())
                .keyName("keyname")
                .build());
Credentials credentials = Credentials.fromPassword("xxx", new SecretValue("xxxx"));

        SubnetGroup subnetGroup = new SubnetGroup(this,"postgresql", SubnetGroupProps.builder().vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PRIVATE_WITH_NAT).build()).build());
        DatabaseInstance databaseInstance = new DatabaseInstance(this,"postgresql",DatabaseInstanceProps.builder()
                .vpc(vpc)
                .deleteAutomatedBackups(true)
                .instanceType(InstanceType.of(InstanceClass.T3,InstanceSize.MICRO))
                .allocatedStorage(10)
                .credentials(credentials)
                .databaseName("xxxx")
                .securityGroups(securityGroups)
                .subnetGroup(subnetGroup)
                .publiclyAccessible(true)
                .engine(DatabaseInstanceEngine.postgres(PostgresInstanceEngineProps.builder().version(PostgresEngineVersion.VER_13).build()))
                .build());
63lcw9qa

63lcw9qa1#

将Eggress规则添加到0.0.0.0/0 CIDR的EC2安全组,以便EC2可以将流量发送到RDS并从Internet下载更新。

很高兴拥有:

1.将RDS的入口规则的anyIpv4替换为EC2安全组。您可以引用安全组,而不是IP CIDR。
1.将Eggress规则添加到0.0.0.0/0 CIDR的RDS安全组中,以便RDS可以从Internet下载更新。

这应该足够了。此外,您也没有显式配置路由表。也许这对你的案子来说不是必需的。

相关问题