Accessing RDS from within a Docker container not getting through security group?

Question

I\'m attempting to run a webserver that uses an RDS database with EC2 inside a docker container.

I\'ve setup the security groups so the EC2 host\'s role is allowed

Answer 1

Yes, containers do hit the public IPs of RDS. But you do not need to tune low-level Docker options to allow your containers to talk to RDS. The ECS cluster and the RDS instance have to be in the same VPC and then access can be configured through security groups. The easiest way to do this is to:

1. Navigate to the RDS instances page
2. Select the DB instance and drill in to see details
3. Click on the security group id
4. Navigate over to the Inbound tab and choose Edit
5. And ensure there is a rule of type MySQL/Aurora with source Custom
6. When entering the custom source, just start typing in the name of the ECS cluster and the security group name will be auto-completed for you

This tutorial has screenshots that illustrate where to go.

Full disclosure: This tutorial features containers from Bitnami and I work for Bitnami. However the thoughts expressed here are my own and not the opinion of Bitnami.

Answer 2

As @adamneilson mentions, setting the Docker options are your best bet. Here is how to discover your Amazon DNS server on the VPC. Also the section Enabling Docker Debug Output in the Amazon EC2 Container Service Developer Guide Troubleshooting mentions where the Docker options file is.

Assuming you are running a VPC block of 10.0.0.0/24 the DNS would be 10.0.0.2.

For CentOS, Red Hat and Amazon:

sed -i -r 's/(^OPTIONS=\")/\1--dns 10.0.0.2 /g' /etc/sysconfig/docker

For Ubuntu and Debian:

sed -i -r 's/(^OPTIONS=\")/\1--dns 10.0.0.2 /g' /etc/default/docker

Answer 3

The inbound rule for the RDS should be set to the private IP of the EC2 instance rather than the public IPv4.

Answer 4

When I tried to connect to AWS RDS in inside of docker container, I got "Access denied for user 'username'@'xxx.xx.xxx.x' (using password: YES)" error. To solve this issue, I did below two ways:

1. I created new user and assigned grant.

   $ CREATE USER 'newuser'@'%' IDENTIFIED BY 'password';
   $ GRANT ALL ON newuser@'%' IDENTIFIED BY  'password';
   $ FLUSH PRIVILEGES;
   

2. Added global DNS address 8.8.8.8 into docker container when run docker, so that the docker container can resolve IP address of AWS RDS from domain name.

   $ docker run --name backend-app --dns=8.8.8.8 -p 8000:8000 -d backend-app
   

Then I connected from inside of docker container to AWS RDS, successfully.

• Note: Firstly, I tried second way. But I didn't solve the connection problem. When I tried both two ways, I was success.

Answer 5

Figured out what was happening, posting here in case it helps anyone else.

Requests from within the container were hitting the public ip of the RDS rather than the private (which is how the security groups work). It looks like the DNS inside the docker container was using the 8.8.8.8 google dns and that wouldn't do the AWS black magic of turning the rds endpoint into the private ip.

So for instance:

DOCKER_OPTS="--dns 10.0.0.2 -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock -g /mnt/docker"