My connection handshake times out when trying to connect to my RDS Aurora Serverless (v1) MySQL Cluster from an external source.

I'm specifying the cluster and its security group in terraform, and leveraging the default AWS VPC for the account/region.

Parameters for my cluster:

    # resource name is illustrative; the arguments are the ones in use
    resource "aws_rds_cluster" "this" {
      cluster_identifier      = "some-cluster-name"
      engine                  = "aurora-mysql"
      engine_mode             = "serverless"
      database_name           = "db"
      master_username         = "********"
      master_password         = "********"
      backup_retention_period = 5
      preferred_backup_window = "07:00-09:00"
      skip_final_snapshot     = true
      storage_encrypted       = true

      # Serverless v1 scaling: pause to zero ACUs after 300 s idle
      scaling_configuration {
        max_capacity             = 4
        min_capacity             = 1
        seconds_until_auto_pause = 300
      }

      vpc_security_group_ids = [aws_security_group.my_sg_defined_elsewhere.id]
    }

Security group rules:

    # MySQL in from anywhere, IPv4 and IPv6
    resource "aws_security_group_rule" "mysql_ingress" {
      type              = "ingress"
      from_port         = 3306
      to_port           = 3306
      protocol          = "tcp"
      cidr_blocks       = ["0.0.0.0/0"]
      ipv6_cidr_blocks  = ["::/0"]
      security_group_id = aws_security_group.my_sg_defined_elsewhere.id
    }

    # all traffic out
    resource "aws_security_group_rule" "all_egress" {
      type              = "egress"
      from_port         = 0
      to_port           = 0
      protocol          = "-1"
      cidr_blocks       = ["0.0.0.0/0"]
      ipv6_cidr_blocks  = ["::/0"]
      security_group_id = aws_security_group.my_sg_defined_elsewhere.id
    }

Since I'm just using the default VPC, which I believe has public subnets, I'm assuming that if my security group rules are sufficient for public MySQL access then this should just work. Unfortunately using the cluster's generated endpoint and the correct credentials, I just get a timeout when trying to connect.

Dan
    You have to enable the "publicly accessible" flag on an RDS/Aurora cluster in order for Amazon to assign a public IP to the cluster's servers. If you don't have that enabled then you will only be able to access it from within the VPC. I know Aurora Serverless v1 does not support the publicly accessible setting. I'm not sure about v2 and I can't seem to find that info in the documentation. Do you have that setting enabled? When you resolve the DNS name from outside the VPC does it give a public or an internal IP address? – Mark B Nov 19 '22 at 13:43
  • @MarkB "I know Aurora Serverless v1 does not support" -- ugh, yes I'm just seeing that now. And can confirm the DNS name shows an internal address. The only reason I'm using AWS at all for this use case is to take advantage of v1 being able to wind down to zero for cost savings. Routing through an EC2 doesn't really help me for that same reason, lambda seems out of the question for latency too. Not sure if there are any other clever options for lean access to a private endpoint if that's all that v1 will give me. – Dan Nov 19 '22 at 17:41
  • What type of application are you using this for? The application itself doesn't run inside AWS? – Mark B Nov 19 '22 at 18:59
  • Nope, unfortunately I'm not able to move the app itself into AWS due to some GCP dependencies. Stuck as usual in a classic cloud lock-in struggle. – Dan Nov 27 '22 at 03:34
  • In light of your comments, consider re-titling the question to "external control of serverless AWS infrastructure" or similar, to get at the underlying issues, and integrating your comments into the question. – enharmonic Nov 30 '22 at 00:05
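Mark B's check above (does the cluster endpoint resolve to a public or a VPC-internal address when queried from outside the VPC?) as a small script. This is an added example, not code from the question or the comments. The hostname is taken from the command line, and the resolver is injectable so the classification can be exercised offline against constructed addresses, for instance from the 172.31.0.0/16 range the default VPC uses.

```python
"""Resolve an RDS endpoint and say whether it is reachable from the Internet.

Added example for the check suggested in the comments; not code from the
original question.  Usage: python rds_endpoint_check.py <cluster-endpoint>
"""
import ipaddress
import socket
import sys


def resolve(hostname):
    """Return the de-duplicated, sorted list of addresses hostname resolves to."""
    infos = socket.getaddrinfo(hostname, 3306, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_addresses(addrs):
    """Split address strings into (private, public) lists.

    RFC 1918 / IPv6 ULA space means the endpoint only answers inside the VPC
    (the default VPC hands out 172.31.0.0/16); anything else is routable
    from the Internet.
    """
    private, public = [], []
    for addr in addrs:
        (private if ipaddress.ip_address(addr).is_private else public).append(addr)
    return private, public


def endpoint_is_reachable_from_internet(hostname, resolver=resolve):
    """True only if every address behind hostname is public.

    A cluster without the publicly-accessible flag (Aurora Serverless v1
    cannot have it) resolves to a private address, so this returns False
    and no security-group rule will make a direct connection succeed.
    `resolver` is injectable so the logic can run offline.
    """
    private, public = classify_addresses(resolver(hostname))
    return bool(public) and not private


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <cluster-endpoint>", file=sys.stderr)
        return 2
    private, public = classify_addresses(resolve(argv[1]))
    for addr in private:
        print(f"{addr}\tprivate (VPC-internal: needs VPN, peering or a bastion)")
    for addr in public:
        print(f"{addr}\tpublic")
    return 0 if public and not private else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine outside the VPC; a non-zero exit means the security-group rules are not the problem, because the address itself is not reachable from where you are.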

2 Answers

Just to close this off, thanks to some further hunting and Mark B's comments above, can confirm that I missed the fact that Aurora Serverless v1 does not support public endpoints, so no amount of playing around with my security groups would have helped. This is apparently possible with v2 but since it isn't true serverless (doesn't wind down to zero) it's not an option for me anyway. Hope this saves someone some headaches!

Dan

You can route the request through an EC2 instance tunnel, which uses API Gateway to control Lambda functions to start and stop the instance as needed, so your AWS resources can still scale down to zero.

As a side note, Lambda latency is trivial compared to Serverless v1 cold-start times.

enharmonic
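The Lambda half of the start/stop bastion described in this answer, as an added example that is not code from the answer or from any AWS project. API Gateway (Lambda proxy integration) posts a JSON body whose action is start, stop or status; the instance id is read from an environment variable named BASTION_INSTANCE_ID, and FakeEC2 is a constructed stand-in for boto3's EC2 client so the handler runs offline. The variable name, the fake and the instance id in the demo are all assumptions of this example. Put an authorizer on the API Gateway route, and with this design the bastion's security group, not the cluster's, is the one that should face the Internet: allow 3306 on the cluster only from the bastion's security group instead of the 0.0.0.0/0 ingress rule in the question.

```python
"""Start/stop a bastion EC2 instance on demand, for use behind API Gateway.

Added example for the architecture in the answer above; not code from the
answer itself.  The instance id is read from BASTION_INSTANCE_ID (an assumed
name) and FakeEC2 is a constructed stand-in for boto3's EC2 client.
"""
import json
import os

ALLOWED_ACTIONS = ("start", "stop", "status")


def instance_view(describe_response):
    """Reduce a describe_instances response to the two fields the caller needs."""
    inst = describe_response["Reservations"][0]["Instances"][0]
    return {
        "state": inst["State"]["Name"],
        # PublicIpAddress is only present while the instance is running.
        "public_ip": inst.get("PublicIpAddress"),
    }


def bastion_request(action, instance_id, ec2):
    """Apply one action to the bastion and return (http_status, body).

    Only the three allowed actions reach EC2, and only the configured instance
    id is ever passed to the client, so the API cannot be turned into a generic
    EC2 control plane.  Start and stop are idempotent: asking to start an
    instance that is already pending/running just reports its state.
    """
    if action not in ALLOWED_ACTIONS:
        return 400, {"error": f"unknown action {action!r}"}
    view = instance_view(ec2.describe_instances(InstanceIds=[instance_id]))
    if action == "start":
        if view["state"] == "stopped":
            ec2.start_instances(InstanceIds=[instance_id])
        elif view["state"] not in ("pending", "running"):
            return 409, {"error": f"cannot start from state {view['state']}"}
    elif action == "stop":
        if view["state"] == "running":
            ec2.stop_instances(InstanceIds=[instance_id])
        elif view["state"] not in ("stopping", "stopped"):
            return 409, {"error": f"cannot stop from state {view['state']}"}
    return 200, instance_view(ec2.describe_instances(InstanceIds=[instance_id]))


def lambda_handler(event, context):
    """API Gateway (proxy integration) entry point; boto3 ships in the Lambda runtime."""
    import boto3  # imported here so the offline demo below needs no AWS SDK

    body = json.loads(event.get("body") or "{}")
    status, result = bastion_request(
        body.get("action", "status"), os.environ["BASTION_INSTANCE_ID"], boto3.client("ec2")
    )
    return {"statusCode": status, "body": json.dumps(result)}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client: one instance, EC2's state names."""

    def __init__(self, instance_id, state="stopped"):
        self.instance_id = instance_id
        self.state = state

    def describe_instances(self, InstanceIds):
        inst = {"InstanceId": self.instance_id, "State": {"Name": self.state}}
        if self.state == "running":
            inst["PublicIpAddress"] = "203.0.113.10"  # RFC 5737 documentation address
        return {"Reservations": [{"Instances": [inst]}]}

    def start_instances(self, InstanceIds):
        self.state = "pending"

    def stop_instances(self, InstanceIds):
        self.state = "stopping"

    def settle(self):
        """Finish an in-flight transition, as EC2 would a little later."""
        self.state = {"pending": "running", "stopping": "stopped"}.get(self.state, self.state)


if __name__ == "__main__":
    fake = FakeEC2("i-0123456789abcdef0")  # assumed instance id for the demo
    for action in ("start", "status", "stop", "status"):
        print(action, bastion_request(action, fake.instance_id, fake))
        fake.settle()
```

The client (or a wrapper script) calls start, polls status until a public IP appears, opens the SSH tunnel to port 3306 through it, and calls stop when done; a scheduled rule that stops the instance after a fixed idle period is a sensible backstop so a forgotten tunnel does not keep the bastion, and with it the cluster, awake.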