Elastic Beanstalk - how to configure access to the external RDS database

Posted on One min read

I used to configure ElasticBeanstalk access to the external RDS database by editing inbound rules for the security group attached to the database. This is inconvenient because there is always a risk of breaking something, especially if there are several environments accessing the database and we have multiple inbound rules.

A more convenient method is to use a “proxy” security group:

  • Create a new security group named rds-{database name}-access
  • Add this group to the RDS security group inbound rules, allowing access to the DB port (such as 5432 for PostgreSQL)
  • Add proxy group to the ElasticBeanstalk security groups

The convenience is that we do not have to edit security groups anymore, we just add the “proxy” group in environment settings.

This can be done in the UI, by ticking the checkbox in the list of security groups or by adding a config like this:

# Add to .ebextensions/app.config or as a separate *.config file 
option_settings:
  aws:autoscaling:launchconfiguration:
    # Add environment to security groups that allow DB access
    SecurityGroups:
    - rds-db-name-access
    - rds-another-db-name-access

Related documentation.

profile for Boris Serebrov on Stack Exchange, a network of free, community-driven Q&A sites
close
Download ()