Internally route to RDS instances

I was configuring a MySQL RDS instance inside a VPC a few months back with a bit of a unique setup. This RDS needed to be publicly accessible from some systems outside the corporate network and also accessible via systems in the same VPC.

I configured the RDS instance in a new public subnet and gave it an elastic IP by choosing the option for Publicly Accessible during RDS creation. I changed the security groups to allow it to accept MySQL traffic from the public IP of the system outside the corporate network. I also changed the security group to allow MySQL traffic from members of another security group containing the servers I wanted to interface with the RDS instance.

To my surprise, I had no connectivity between the internal VPC systems and the RDS instance. Telnet tests to port 3306 confirmed the traffic was being blocked. After some name resolution troubleshooting, I discovered that if I allowed MySQL traffic through the NAT security group and allowed MySQL traffic from the public IP of my AWS NAT instance into the RDS instance, I had connectivity.

The systems in the VPC were resolving the public IPs of the RDS instance and not the internal IPs provided via the VPC. After some digging into the documentation I discovered this was a result of us bringing our own DNS into the VPC with Active Directory.

The solution was to create a conditional forwarder zone on the domain controllers located in the VPC that forwards name resolution requests for amazonaws.com to the DNS server provided by the VPC. That DNS server sits at the very bottom of the VPC's address range: if your VPC CIDR block was 10.10.0.0/16 and your first subnet was 10.10.0.0/24, your Amazon-provided DNS server would be at 10.10.0.2.

This DNS server is the one handed out by your default DHCP option set, and it cannot be reached from systems outside your VPC. So if you run the same Active Directory domain on premises and in AWS, you will not want this conditional forwarder zone on your on-premises domain controllers.

With the conditional forwarder in place, requests from domain-joined systems in the VPC now resolved to the internal IPs of the RDS instance, and traffic no longer needed to route out to the internet via the NAT instance.
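The fix above, as an added example script (not from the original post) for a domain controller inside the VPC: it derives the Amazon-provided resolver from the VPC CIDR, refuses to run where that resolver is unreachable (the on-premises case), creates a file-backed forwarder for amazonaws.com so it does not replicate to other DCs, and checks that the RDS endpoint now resolves to a private address. The VPC CIDR is the post's 10.10.0.0/16 and the RDS endpoint name is a placeholder.

```powershell
#Requires -Modules DnsServer
# Added example, not from the original post. Assumes the post's 10.10.0.0/16 VPC and a
# placeholder RDS endpoint name; run it on a domain controller inside the VPC.
param(
    [string]$VpcCidr     = '10.10.0.0/16',                                  # assumption
    [string]$RdsEndpoint = 'mydb.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com'  # placeholder
)

# The Amazon-provided DNS server sits at the VPC network address plus two
# (10.10.0.2 for 10.10.0.0/16).
function Get-VpcResolverAddress {
    param([Parameter(Mandatory)][string]$Cidr)
    $bytes = [System.Net.IPAddress]::Parse($Cidr.Split('/')[0]).GetAddressBytes()
    $bytes[3] += 2   # host bits of a network address are zero, so this cannot carry over
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

# RFC 1918 check: an answer that came from inside the VPC must be a private address.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

$resolver = Get-VpcResolverAddress -Cidr $VpcCidr

# Only a DC inside the VPC can reach the Amazon-provided resolver; on an on-premises DC
# this probe fails, and a forwarder there would black-hole every amazonaws.com lookup.
$probe = Resolve-DnsName -Name $RdsEndpoint -Type A -Server $resolver -ErrorAction SilentlyContinue
if (-not $probe) { throw "Cannot query $resolver from this host; is this an on-premises DC?" }

# File-backed zone (no -ReplicationScope) so it stays on this DC and is not
# replicated through Active Directory to the on-premises domain controllers.
if (-not (Get-DnsServerZone -Name 'amazonaws.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'amazonaws.com' -MasterServers $resolver
}

# Verify through the local DNS service: the RDS endpoint should now resolve to its
# private address instead of the public one.
Clear-DnsClientCache
$answer = Resolve-DnsName -Name $RdsEndpoint -Type A |
          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
if (Test-PrivateIPv4 -Ip $answer) { "OK: $RdsEndpoint -> $answer (VPC-internal)" }
else { Write-Warning "$RdsEndpoint still resolves to $answer (public); check the forwarder" }
```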
