
I had set up a Client VPN Endpoint (Client CIDR 10.0.132.0/22), with associations to two private subnets (10.0.2.0/24 and 10.0.3.0/24), using one security group. I also have an RDS database using the same two subnets and the same security group. The security group has an inbound rule that allows all traffic from the same security group.

I'm able to connect to the VPN, but when I try to connect to mysql it doesn't resolve the host.

I thought it could be DNS, but from EC2 I looked up the private IP of the database (10.0.2.X), then I tried to connect using the IP and it didn't work either.

Then I thought it could be something in the security group, and I added an inbound rule accepting all traffic from anywhere, but I still wasn't able to connect.

I can access the RDS from an EC2 instance, which means RDS works fine and it doesn't sound like a security group problem.

I think the issue can come from the VPN. I can connect to the VPN correctly and I can see the connection in AWS console (Client IP 10.0.132.X).

Extra info:

VPN, Associations, Authorization, and Route Table: (screenshots of the Client VPN endpoint settings were attached here)

Any help?

Thanks

Leandro
  • Is the issue specific to RDS only? Can you access an instance in the same subnet as your RDS through the VPN, or some other AWS service (e.g. an interface endpoint to something)? – Marcin Apr 11 '21 at 23:47
  • I guess it will not work either; I tried to connect to a private EC2 IP with no success. – Leandro Apr 12 '21 at 00:41
  • So it seems it's a VPN issue. You would have to update your question with exact details of your setup of VPC and VPN. Route tables? What VPN? Is it Site-to-Site AWS VPN? – Marcin Apr 12 '21 at 00:49
  • It's AWS Client VPN connection, not site-to-site. I'm gonna update the post with more information. – Leandro Apr 12 '21 at 02:02

1 Answer

I found out what was wrong. I had two wrong things. First, I enabled split tunnel and removed the two route tables (0.0.0.0/0) so only VPN (10.0.0.0/16) traffic will go over the VPN. Second, I added a DNS server suggested in many places, which is the VPC CIDR +2 (example 10.0.0.2).

Leandro
  • Looks like AWS VPN Client doesn't use VPC DNS unless you specify it. You must specify VPC CIDR +2 (example 10.0.0.2) in the VPN Endpoint settings. – Edward Olamisan Mar 03 '23 at 20:35
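A small check of the three settings the answer and comment point at, as an added example that is not part of the original post or of any AWS tool: given the VPC CIDR, the Client CIDR, the endpoint's routes and DNS servers, it derives the VPC resolver address (VPC base +2), confirms the Client CIDR does not overlap the VPC (an AWS requirement for the association), and confirms the RDS host IP is covered by an endpoint route. The VPC CIDR 10.0.0.0/17 and the RDS IP 10.0.2.10 are constructed values; the post only gives 10.0.2.X.

```python
import ipaddress

def vpc_resolver(vpc_cidr):
    """The Amazon-provided VPC DNS resolver sits at the VPC network address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)

def check_client_vpn(vpc_cidr, client_cidr, routes, dns_servers, split_tunnel, target_ip):
    """Return a list of configuration problems (empty list means the checks pass)."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    client = ipaddress.ip_network(client_cidr)
    target = ipaddress.ip_address(target_ip)
    route_nets = [ipaddress.ip_network(r) for r in routes]

    # AWS rejects a Client CIDR that overlaps the CIDR of the VPC it associates with.
    if vpc.overlaps(client):
        problems.append(f"client CIDR {client} overlaps VPC CIDR {vpc}")

    # The target must be reachable through at least one route on the endpoint.
    if not any(target in net for net in route_nets):
        problems.append(f"no endpoint route covers {target}")

    # With split tunnel on, a default route would still pull all client traffic
    # over the VPN; the answer removed the 0.0.0.0/0 routes and kept only the VPC.
    if split_tunnel and any(net.prefixlen == 0 for net in route_nets):
        problems.append("split tunnel enabled but a 0.0.0.0/0 route remains")

    # Private hostnames (e.g. the RDS endpoint) only resolve if the endpoint
    # pushes the VPC resolver to clients.
    resolver = vpc_resolver(vpc_cidr)
    if resolver not in dns_servers:
        problems.append(f"VPC resolver {resolver} not in DNS servers {dns_servers}")
    return problems

if __name__ == "__main__":
    # Constructed values: VPC 10.0.0.0/17, RDS host 10.0.2.10, endpoint as fixed in the answer.
    print(check_client_vpn("10.0.0.0/17", "10.0.132.0/22",
                           ["10.0.0.0/16"], ["10.0.0.2"], True, "10.0.2.10"))
```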