
amazon web services - AWS Public RDS within VPC Not Reachable - Stack Overflow


Forgive me as I'm not an AWS Pro here.

I've been trying to use RDS within a VPC, with the public IP enabled, and for some reason I can't figure out why one VPC (prod) has issues, whereas the other (non-prod) works just fine. I set up non-prod a few months ago, and don't recall anything fancy I did -- there are no network firewalls within this tenant either.

Similarities:

  • Both envs have RDS with public IP enabled
  • Security Group for RDS instance has port 5432 open (and/or all ports) on both.
  • All subnets on the VPCs have internet gateways fully open, not that it should affect inbound traffic...

Differences:

  • Different VPCs

I was looking to do some sort of logging for the VPC, as answered in this question, but I don't think it's showing up, potentially because the RDS instance has a public IP which bypasses traveling within the VPC?

----

So, my questions:

(1) is my assumption about public IP correct, and this wouldn't show up in the cloudwatch logs due to that?

(2) are there any other things I could check in terms of logs?

  • I have checked database logs, but there is nothing. And when trying to connect I get a 'connection timeout expired' both from pgadmin4 as well as telnet on port 5432
  • Could it be delayed? I know network changes are a pain in the butt from Azure, but last time I did this in AWS it was near instant. And at this point, it's been hours since the secgroup port traffic allow change.

Any tips appreciated!
---

I've tried VPC logs, checking database logs, opening public traffic on the prod security groups...

Publicly accessing AWS RDS from outside VPC seems to have some promise, but this smells like it may have been doing this same thing before the "public" checkbox in RDS...

asked 2 days ago by mochsner
  • "All subnets on the VPCs have internet gateways fully open, not that it should affect inbound traffic". That actually does affect inbound traffic. An Internet Gateway handles both inbound and outbound Internet traffic. Without a route to an Internet Gateway, inbound traffic from the Internet will not be able to reach resources in the subnet. – Mark B Commented 2 days ago
  • Do you have any non-default Network ACL rules defined in any of the subnets of your VPC? – Mark B Commented 2 days ago
  • Just to clarify things... Are you saying that you want to be able to access the RDS database from the Internet? Is the RDS database set to Publicly accessible = Yes? What is the configuration of the Inbound rules on the Security Group associated with the RDS database (please Edit your Question to show them)? Does the Subnet Group associated with the RDS database contain only Public Subnets (defined as the subnet having a Route Table entry pointing to an Internet Gateway) or does it also contain Private Subnets? These are the topics you should focus on rather than Flow Logs. – John Rotenstein Commented 2 days ago
  • Sample successful configuration shown here: postgresql - RDS postgres instance not accessible when cidr in vpc different than default 10.0.0.0 - Stack Overflow – John Rotenstein Commented 2 days ago

1 Answer


(1) is my assumption about public IP correct, and this wouldn't show up in the cloudwatch logs due to that?

No, your assumption is wrong. If you capture all (rejected and accepted) traffic then traffic to and from your public IP entering and leaving your VPC will be logged.

(2) are there any other things I could check in terms of logs?

Nothing springs to mind - your VPC flow logs are key here and should tell you where to look next.
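An added example, not part of the question or the answer: a small parser over constructed VPC flow-log lines (default field order) that separates ACCEPT from REJECT for inbound TCP to port 5432, the distinction the answer relies on. The ENI id, account id, addresses and timestamps in the sample are constructed, and the verdict strings are assumptions about what each outcome usually points to.

```python
"""Triage VPC Flow Log records for a public RDS Postgres endpoint.
Sample lines below are constructed, in the default flow-log field order
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status); they are not from the question."""
from collections import Counter

DB_PORT = 5432  # PostgreSQL, as in the question

# Constructed records on the RDS instance's ENI: one client is rejected,
# another completes a TCP exchange, and one interval carries no data.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc123 203.0.113.10 10.0.1.25 51234 5432 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123 203.0.113.10 10.0.1.25 51235 5432 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0abc123 198.51.100.7 10.0.1.25 40001 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 10.0.1.25 198.51.100.7 5432 40001 6 10 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123 203.0.113.10 10.0.1.25 51236 22 6 1 60 1700000120 1700000180 REJECT OK
2 123456789012 eni-0abc123 - - - - - - - 1700000180 1700000240 - NODATA
"""

def parse_flow_log(text):
    """Return dicts for OK records; NODATA/SKIPDATA rows carry no addresses."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        out.append({"src": f[3], "dst": f[4], "dstport": int(f[6]),
                    "proto": int(f[7]), "action": f[12]})
    return out

def triage_db_port(records, port=DB_PORT):
    """Count ACCEPT/REJECT per client for inbound TCP (protocol 6) to the DB port.
    REJECT means the packet reached the ENI and a security group or NACL dropped
    it; a client with no record at all never reached the VPC (routing/public IP)."""
    by_action = {"ACCEPT": Counter(), "REJECT": Counter()}
    for r in records:
        if r["proto"] == 6 and r["dstport"] == port:
            by_action[r["action"]][r["src"]] += 1
    return by_action

def explain(client_ip, by_action):
    """One-line verdict for a client address, from the triage counts."""
    if by_action["ACCEPT"][client_ip]:
        return "accepted: network path is fine, look at the database itself"
    if by_action["REJECT"][client_ip]:
        return "rejected in VPC: check security group inbound rules and NACLs"
    return "no flow records: check subnet IGW route and Publicly accessible"
```

Flow logs are delivered per aggregation interval, so wait a few minutes after a connection attempt before concluding that a client produced no records.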
