Following the prescribed pattern here: Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access
Summary Description:
I have configured a VPC with 1 public subnet and 2 private subnets.
Each subnet is in a different AZ.
There are two Route Tables: 1 for the public subnet and 1 for the 2 private subnets.
There are two NACLs: 1 for the public subnet and 1 for the 2 private subnets.
There is an internet gateway (routed to the public subnet).
There is a Security Group for the EC2 instances.
There is a Security Group for the RDS instances.
I have an EC2 instance running Apache/Tomcat with a web application in the public subnet.
I have an RDS PostgreSQL database deployed in the 2 private subnets (multi-AZ=YES).
This is what I can do:
I can SSH to the EC2 Instance
I can access the Tomcat Manager app on port 80
I can deploy a war file (my application)
If I make the private subnets public and set the Security Groups and NACLs accordingly, I can access the PostgreSQL database with PGAdmin and I can run the application from my desktop using the RDS instance endpoint as the host. So the database is in good order and can be reached.
Here is what is failing:
When I deploy my application to Tomcat and attempt to access the database it fails: org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
When I ping the RDS endpoint (DNS name) it resolves correctly to the private IP address but cannot reach the node (ALL Traffic is enabled in the NACLs and Security Groups).
So I can get to both EC2 and RDS instances from my desktop from the public internet, but I cannot enable them to connect to each other from within the VPC.
I set all of the NACLs and Security groups to maximum permissiveness just to force a successful connection. But even that is not working.
I will include the pertinent details a little later. If anyone has any suggestions on what to check for, it would be greatly appreciated!!!
Thanks
I finally figured it out. I'll finish describing the problem and then I will provide the answer. The problem was rooted in the NACLs and Security Groups, so I'll share just those details. The routes and internet gateway were straightforward.
VPC NACL
Inbound:  80   0.0.0.0/0  Allow
Outbound: All  0.0.0.0/0  Allow

Public Subnet NACL
Inbound:  80    0.0.0.0/0      Allow
Outbound: All   0.0.0.0/0      Allow
          5432  172.30.4.0/24  Allow (PostgreSQL)

Private Subnet NACL
Inbound:  5432  172.30.1.0/24  Allow
Outbound: 5432  172.30.1.0/24  Allow

VPC Security Group
Inbound:  80   VPC-Security-Group-ID  Allow
Outbound: All  0.0.0.0/0              Allow

Public Subnet Security Group
Inbound:  80    0.0.0.0/0     Allow
Outbound: 5432  172.30.4.0/0  Allow

Private Subnet Security Group
Inbound:  5432  172.30.1.0/24  Allow
Outbound: 5432  172.30.1.0/24  Allow
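The following is an added example, not code from the post above. It simulates how network ACLs evaluate traffic so that a rule set like the one in the answer can be checked before it is applied. NACLs are stateless: a single TCP connection from the EC2 instance to RDS is evaluated at four points (egress from the public subnet, ingress to the private subnet, and then the reply in the opposite direction), and the reply is addressed to the client's ephemeral port rather than to 5432, which security groups (stateful) would allow automatically. The subnet CIDRs 172.30.1.0/24 (public) and 172.30.4.0/24 (private) are assumed from the rules in the post; the host addresses, the rule numbers and both rule sets are constructed for the example.

```python
# Added example (not from the post): simulate stateless NACL evaluation for
# an EC2 -> RDS PostgreSQL connection across a public and a private subnet.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # lowest number is evaluated first; first match wins
    direction: str    # "in" or "out"
    protocol: str     # "tcp" or "all"
    cidr: str         # source CIDR for "in" rules, destination CIDR for "out" rules
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


# Subnet CIDRs assumed from the rules in the post; host addresses are constructed.
PUBLIC_CIDR, PRIVATE_CIDR = "172.30.1.0/24", "172.30.4.0/24"
EC2_IP, RDS_IP = "172.30.1.10", "172.30.4.10"


def evaluate(rules, direction, protocol, peer_ip, port):
    """Decide one packet against one NACL; no matching rule means an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != direction or rule.protocol not in ("all", protocol):
            continue
        if ip_address(peer_ip) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action == "allow"
    return False


def tcp_flow_allowed(client_nacl, server_nacl, client_ip, server_ip,
                     server_port, client_port=49152):
    """Check the four stateless hops of one TCP connection and report each one.

    A stateful security group would only need the forward direction; a NACL
    must also admit the reply, which goes to the client's ephemeral port.
    """
    checks = {
        "client subnet egress (SYN to server port)":
            evaluate(client_nacl, "out", "tcp", server_ip, server_port),
        "server subnet ingress (SYN to server port)":
            evaluate(server_nacl, "in", "tcp", client_ip, server_port),
        "server subnet egress (SYN-ACK to ephemeral port)":
            evaluate(server_nacl, "out", "tcp", client_ip, client_port),
        "client subnet ingress (SYN-ACK to ephemeral port)":
            evaluate(client_nacl, "in", "tcp", server_ip, client_port),
    }
    return all(checks.values()), checks


# Constructed rule sets that open only port 5432 in each direction.
PUBLIC_PORT_ONLY = [
    Rule(100, "in", "tcp", "0.0.0.0/0", 80, 80, "allow"),
    Rule(100, "out", "tcp", PRIVATE_CIDR, 5432, 5432, "allow"),
]
PRIVATE_PORT_ONLY = [
    Rule(100, "in", "tcp", PUBLIC_CIDR, 5432, 5432, "allow"),
    Rule(100, "out", "tcp", PUBLIC_CIDR, 5432, 5432, "allow"),
]

# The same rule sets plus rules for the reply traffic to ephemeral ports (constructed).
PUBLIC_WITH_RETURN = PUBLIC_PORT_ONLY + [
    Rule(110, "in", "tcp", PRIVATE_CIDR, 1024, 65535, "allow"),
]
PRIVATE_WITH_RETURN = PRIVATE_PORT_ONLY + [
    Rule(110, "out", "tcp", PUBLIC_CIDR, 1024, 65535, "allow"),
]

if __name__ == "__main__":
    for label, pub, priv in (("port 5432 only", PUBLIC_PORT_ONLY, PRIVATE_PORT_ONLY),
                             ("with return-path rules", PUBLIC_WITH_RETURN, PRIVATE_WITH_RETURN)):
        ok, detail = tcp_flow_allowed(pub, priv, EC2_IP, RDS_IP, 5432)
        print(f"{label}: {'ALLOWED' if ok else 'BLOCKED'}")
        for hop, allowed in detail.items():
            print(f"  {hop}: {'allow' if allowed else 'DENY'}")
```

Running the script prints one line per hop for each rule set, so the hop that blocks a connection is named directly. The evaluator deliberately returns False when no rule matches, mirroring the implicit deny at the end of every NACL, and it honours rule ordering, so an explicit deny with a lower number takes precedence over a later allow.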