
I have 2 AWS RDS instances (running on PostgreSQL). Both are on different accounts and different regions. I want to set up data replication between them, using AWS DMS. I tried doing VPC peering. I saw the following video to enable VPC peering:

https://www.youtube.com/watch?v=KmCEFGDTb8U

The problem: When I try creating the AWS DMS service, I add the hostname, username and password, etc. for the source (which exists on the other account), and when I hit Test Connection, I get the following error.

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect Network error has occurred, Application-Detailed-Message: RetCode: SQL_ERROR SqlState: 08001 NativeError: 101 Message: [unixODBC]timeout expired ODBC general error.

To my surprise, I get a similar error when I hit Test Connection for the target RDS instance, which is in the same account, i.e.:

Test Endpoint failed: Application-Status: 1020912, Application-Message: Cannot connect to ODBC provider Network error has occurred, Application-Detailed-Message: RetCode: SQL_ERROR SqlState: 08001 NativeError: 101 Message: [unixODBC]timeout expired ODBC general error.

Google suggests that we are having some sort of firewall, but looking at the NACLs I can see we allow 0.0.0.0/0 for both VPCs.

Vzzarr
user124665

3 Answers

If you're attempting to access the private IP ranges in one IP from another IP, in addition to creating the VPC Peering connections, you'll have to:

  • create route table entries in both VPCs to route traffic to the remote VPC's IP range(s) through the Peering Connection,
  • allow connections within the security groups, both from the source CIDR range in the destination security group, and, if you're filtering outgoing connections from the source, also in its outbound rules. Note that you can't use a Security Group ID to allow this traffic because it doesn't apply to cross-region peering;
  • allow the connection in the underlying software (probably allowed by default),
  • allow the network ACL to pass the traffic (you've verified that's also allowed by default).

Since you're seeing timeouts, I'd suspect the security group rules. But, it could also be a bad route.

erik258

As suggested here https://aws.amazon.com/premiumsupport/knowledge-center/dms-endpoint-connectivity-failures/

When modifying the Replication Instance used to test connection to the Endpoint, take note of:

  1. Private IP Address
  2. VPC Security Group

Either change the Security Group to a suitable one, or edit the Security Group being used by adding an Inbound Rule that allows the PostgreSQL traffic type from the Private IP Address of the Replication Instance.

Vzzarr

The below solution worked for me.

  1. Create the replication instance, then the endpoints.
  2. If the endpoint test fails, then make sure to pick up the private IP from the instance (if the DMS replication instance and the DB are located within the same VPC) and add it to the inbound rules of the corresponding security ID.
  3. If the VPCs are in different regions, you might need VPC Peering to get this sorted.

Since I had both running in the same VPC, adding the private IP to inbound rules worked fine and the connection is successful.
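The checks the three answers describe (a route for the peer VPC's CIDR through the peering connection, and a security-group CIDR rule admitting the replication instance's private IP on the PostgreSQL port) can be verified offline against the JSON that `aws ec2 describe-route-tables` and `describe-security-groups` return. The script below is an added example, not code from the question or any answer; the route and rule dictionaries are constructed sample data whose key names (`DestinationCidrBlock`, `VpcPeeringConnectionId`, `IpRanges`) are assumed to mirror the AWS CLI output, and the IPs, CIDRs and `pcx-`/`igw-` IDs are placeholders.

```python
import ipaddress
PG_PORT = 5432  # PostgreSQL port DMS must reach on the RDS endpoint

def best_route(routes, peer_cidr):
    """Most specific route covering peer_cidr (AWS uses longest-prefix match), or None.
    `routes` mimics the Routes list of `aws ec2 describe-route-tables` output."""
    target = ipaddress.ip_network(peer_cidr)
    covering = [r for r in routes if "DestinationCidrBlock" in r
                and target.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    return max(covering, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)

def routes_via_peering(routes, peer_cidr):
    """True if traffic for peer_cidr leaves through a pcx-* peering connection."""
    r = best_route(routes, peer_cidr)
    return r is not None and r.get("VpcPeeringConnectionId", "").startswith("pcx-")

def sg_allows(ingress, source_ip, port=PG_PORT):
    """True if an inbound rule admits TCP `port` from source_ip by CIDR. Rules that
    reference another security group (UserIdGroupPairs) are ignored on purpose:
    they do not work across a cross-region peering connection."""
    src = ipaddress.ip_address(source_ip)
    for rule in ingress:
        proto = rule.get("IpProtocol")        # "-1" means all protocols
        if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if proto not in ("tcp", "-1"):
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False

def diagnose(routes, ingress, repl_ip, peer_cidr=None):
    """List the missing prerequisites for the replication instance at repl_ip to
    reach the database; the route check only applies when a peer CIDR is given."""
    problems = []
    if peer_cidr and not routes_via_peering(routes, peer_cidr):
        problems.append("no route to %s via a pcx-* peering connection" % peer_cidr)
    if not sg_allows(ingress, repl_ip):
        problems.append("security group lacks tcp/%d from %s" % (PG_PORT, repl_ip))
    return problems

# Constructed sample data (not a real account): SG admits the instance, no peering route yet.
ROUTES = [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
          {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]
FIXED_ROUTES = ROUTES + [{"DestinationCidrBlock": "10.1.0.0/16",
                          "VpcPeeringConnectionId": "pcx-EXAMPLE"}]
INGRESS = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [{"CidrIp": "10.0.5.17/32"}]}]
```

With `ROUTES` the default route points at the internet gateway, so the peer CIDR never reaches the peering connection and the connection test times out exactly as in the question; `FIXED_ROUTES` adds the missing entry, and calling `diagnose` without a peer CIDR covers the same-VPC case from the last answer.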