Giving access to an existing RDS Postgres server to my copilot apps #3124

terah · 2021-12-14T23:33:18Z

terah
Dec 14, 2021

Hi,

I have an existing Postgres RDS server in the same account as my copilot projects.

I've created a bunch of copilot projects which are using their own VPCs/Sec groups etc.

I'm looking at giving my copilot applications access to database on the RDS database server.

What is the secure way of doing this?

I tried to give add an inbound rule to the security group the belongs to the RDS server which gives access to port 5432 to the security group that was created with my copilot app and got an error: "You have specified two resources that belong to different networks."

The guides hint that I have to deploy my copilot apps into the same VPC that the RDS server lives in. Is this the recommended approach?

Terry

Answered by efekarakus

Dec 15, 2021

Hi Terry!

Apologies for the late response 🙇 , I was ramping up on the guidance provided here: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

The guides hint that I have to deploy my copilot apps into the same VPC that the RDS server lives in. Is this the recommended approach.

I wouldn't recommend moving all the applications to the same VPC as the RDS cluster mostly to reduce blast radius (the possibility that a badly behaving application affects other applications).

If it's a possibility, the easiest and more resilient route would be each application getting its own RDS cluster. The tradeoff is that i…

View full answer

efekarakus · 2021-12-15T18:00:09Z

efekarakus
Dec 15, 2021
Maintainer

Hi Terry!

Apologies for the late response 🙇 , I was ramping up on the guidance provided here: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

The guides hint that I have to deploy my copilot apps into the same VPC that the RDS server lives in. Is this the recommended approach.

I wouldn't recommend moving all the applications to the same VPC as the RDS cluster mostly to reduce blast radius (the possibility that a badly behaving application affects other applications).

If it's a possibility, the easiest and more resilient route would be each application getting its own RDS cluster. The tradeoff is that it's a lot more expensive.
If we don't want to create separate databases, then from my understanding there are two options to consider: transit gateways vs. VPC peering.
If I understand your setup properly, you only need the application VPCs to connect to the RDS VPC, therefore in terms of cost and setup VPC peering seems to be an OK choice to me (example CFN). The downside seems to be a limit of 125 connections at most to the RDS VPC. If we expect more applications than that, I think TGW seems to be the recommendation.

Hope this helps! Apologies, I'm not an expert in this area.

1 reply

terah Dec 16, 2021
Author

Thanks for your detailed response. Very helpful. I've started digging into what goes into my CF addon now.

Thanks again.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Giving access to an existing RDS Postgres server to my copilot apps #3124

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Giving access to an existing RDS Postgres server to my copilot apps #3124

terah Dec 14, 2021

Replies: 1 comment · 1 reply

efekarakus Dec 15, 2021 Maintainer

terah Dec 16, 2021 Author

terah
Dec 14, 2021

Replies: 1 comment 1 reply

efekarakus
Dec 15, 2021
Maintainer

terah Dec 16, 2021
Author