The Ansible validated content cloud.aws_troubleshooting introduces a role named troubleshoot_rds_connectivity. This role helps you troubleshoot AWS Relational Database Service (RDS) connectivity issues from an EC2 instance.
The role diagnoses connectivity issues between an EC2 instance and an Amazon Relational Database Service instance by ensuring that the RDS instance is available and checking the associated security group rules, network access control lists, and route tables for potential connectivity issues.
To do this, the role needs two identifiers: the EC2 instance to test connectivity from and the RDS instance to connect to.
Let's see how this can be used with the following example.
Configuration
We have an RDS instance and an EC2 instance running in the same VPC (virtual private cloud) with the CIDR block 10.1.0.0/16.
The RDS instance is running on two subnets with the following CIDR blocks 10.1.1.0/24 and 10.1.2.0/24.
The EC2 instance is running in another subnet in the VPC with the CIDR block 10.1.10.0/24. The EC2 instance has been assigned the following private IP address 10.1.10.41.
In the initial configuration, a security group is attached to the VPC with the following inbound rules:
- allow TCP traffic on port 5432 from CIDR block 10.1.1.0/24
- allow TCP traffic on port 5432 from CIDR block 10.1.2.0/24
The security group rules do not allow traffic coming from the EC2 instance subnet CIDR block (10.1.10.0/24). We will diagnose that using the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role.
Troubleshooting RDS connectivity from an EC2 instance
Here is an Ansible playbook example using the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role with the RDS and EC2 instance identifiers.
- hosts: localhost
  gather_facts: false
  roles:
    - role: cloud.aws_troubleshooting.troubleshoot_rds_connectivity
      troubleshoot_rds_connectivity_db_instance_id: rds-id-0123
      troubleshoot_rds_connectivity_ec2_instance_id: i-0123456789abcdef
Run the playbook using the ansible-navigator command.
Here’s an example of the command: ansible-navigator run -m stdout playbook.yml
Here is the provided result:
(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Security Group validation failed: Security group sg-0123456789abcdefg is not allowing tcp traffic to/from IP 10.1.10.41 for port(s) 5432."}
PLAY RECAP ***************************************************************************************************************************************
localhost : ok=45 changed=0 unreachable=0 failed=1 skipped=33 rescued=0 ignored=0
The role shows that there is an issue with the rules of the security group attached to the VPC where the RDS instance is running.
Fix the security group rules
Update the security group rules to allow TCP traffic on port 5432 coming from the EC2 instance subnet.
Execute the following playbook:
- hosts: localhost
  gather_facts: false
  tasks:
    - name: update security group rules
      amazon.aws.ec2_security_group:
        name: troubleshooter-vpc-secgroup
        # purge_rules: true replaces every existing inbound rule with the list below
        purge_rules: true
        vpc_id: vpc-0123456789abcdefg
        description: update security to allow traffic from EC2 subnet
        rules:
          - cidr_ip: 10.1.10.0/24
            proto: tcp
            from_port: 5432
            to_port: 5432
        state: present
Validate RDS connectivity from EC2 instance
With the updated security group rule, the EC2 instance can now reach the RDS instance. Let’s validate that by running the playbook we ran earlier with the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role.
Below is the updated result:
(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
ok: [localhost] => {"changed": false, "msg": "Security Group validation successful"}
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate network ACLS] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Network ACL validation successful"}
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate route tables] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Resources located in the same VPC"}
PLAY RECAP ***************************************************************************************************************************************
localhost : ok=48 changed=0 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
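The security group check that produced the fatal message above, and the pass after the fix, can be reproduced offline with a small model of the evaluation. The following is an added example written for this post, not code from the cloud.aws_troubleshooting role; the rule data structure, function names and the "-1" all-protocol handling are assumptions, and the two rule sets are constructed from the addresses in the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    """One inbound security group rule (constructed model, not the role's own data structure)."""
    proto: str        # "tcp", "udp", or "-1" for all protocols (assumed convention)
    from_port: int    # port range; ignored when proto == "-1"
    to_port: int
    cidr_ip: str      # source CIDR block


def rule_allows(rule: SgRule, proto: str, port: int, source_ip: str) -> bool:
    """True if this single rule permits `proto` traffic to `port` from `source_ip`."""
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule.cidr_ip, strict=False)


def evaluate_security_group(sg_id: str, rules, proto: str, port: int, source_ip: str):
    """Return (ok, message) in the shape of the role's 'Evaluate Security Group Rules' task output."""
    if any(rule_allows(r, proto, port, source_ip) for r in rules):
        return True, "Security Group validation successful"
    return False, (f"Security Group validation failed: Security group {sg_id} is not allowing "
                   f"{proto} traffic to/from IP {source_ip} for port(s) {port}.")


# Constructed inputs taken from the post: the EC2 private IP, the initial rules
# (RDS subnets only) and the fixed rule set (EC2 subnet).
EC2_PRIVATE_IP = "10.1.10.41"
SG_ID = "sg-0123456789abcdefg"
INITIAL_RULES = [SgRule("tcp", 5432, 5432, "10.1.1.0/24"),
                 SgRule("tcp", 5432, 5432, "10.1.2.0/24")]
FIXED_RULES = [SgRule("tcp", 5432, 5432, "10.1.10.0/24")]

if __name__ == "__main__":
    for label, rules in (("initial", INITIAL_RULES), ("fixed", FIXED_RULES)):
        ok, msg = evaluate_security_group(SG_ID, rules, "tcp", 5432, EC2_PRIVATE_IP)
        print(f"{label}: {'ok' if ok else 'fatal'} -> {msg}")
```

Real security group rules may also name another security group ID as the source instead of a CIDR block; this model covers CIDR sources only.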
In conclusion, using the cloud.aws_troubleshooting collection with a few parameters, you can diagnose multiple issues on your AWS cloud infrastructure.
Where to go next
- Come visit us at AnsibleFest, now a part of Red Hat Summit 2023.
- Missed out on AnsibleFest 2022? Check out the Best of AnsibleFest 2022.
- Self-paced lab exercises - We have interactive, in-browser exercises to help you get started with Ansible Automation Platform.
- Try Ansible Automation Platform free for 60 days.