The Ansible validated content cloud.aws_troubleshooting introduces a role named troubleshoot_rds_connectivity. This role helps you troubleshoot AWS Relational Database Service (RDS) connectivity issues from an EC2 instance.
The role diagnoses connectivity issues between an EC2 instance and an Amazon Relational Database Service instance by ensuring that the RDS instance is available and checking the associated security group rules, network access control lists, and route tables for potential connectivity issues.
To do this, the role needs the identifier of the EC2 instance to test connectivity from and the identifier of the RDS instance to connect to.
Let's see how this can be used with the following example.
Configuration
We have an RDS instance and an EC2 instance running in the same VPC (virtual private cloud) with the CIDR block 10.1.0.0/16.
The RDS instance is running on two subnets with the following CIDR blocks 10.1.1.0/24 and 10.1.2.0/24.
The EC2 instance is running in another subnet in the VPC with the CIDR block 10.1.10.0/24. The EC2 instance has been assigned the following private IP address 10.1.10.41.
In the initial configuration, a security group is attached to the VPC with the following inbound rules:
- allow TCP traffic on port 5432 from CIDR block 10.1.1.0/24
- allow TCP traffic on port 5432 from CIDR block 10.1.2.0/24
The security group rules do not allow traffic coming from the EC2 instance subnet CIDR block (10.1.10.0/24). We will diagnose that using the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role.
Troubleshooting RDS connectivity from an EC2 instance
Here is an example Ansible playbook that uses the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role with the RDS and EC2 instance identifiers.
- hosts: localhost
  gather_facts: false
  roles:
    - role: cloud.aws_troubleshooting.troubleshoot_rds_connectivity
      troubleshoot_rds_connectivity_db_instance_id: rds-id-0123
      troubleshoot_rds_connectivity_ec2_instance_id: i-0123456789abcdef
Run the playbook using the ansible-navigator command.
Here’s an example of the command: ansible-navigator run -m stdout playbook.yml
Here is the provided result:
(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Security Group validation failed: Security group sg-0123456789abcdefg is not allowing tcp traffic to/from IP 10.1.10.41 for port(s) 5432."}
PLAY RECAP ***************************************************************************************************************************************
localhost : ok=45 changed=0 unreachable=0 failed=1 skipped=33 rescued=0 ignored=0
The role reports an issue with the rules of the security group in the VPC where the RDS instance is running: they do not allow TCP traffic on port 5432 from the EC2 instance IP address 10.1.10.41.
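The security group check the role performs above can be reproduced offline. The following is an added example (not code from the cloud.aws_troubleshooting collection) that evaluates inbound rules laid out like the EC2 API's IpPermissions structure against a source IP and port; the rule sets are constructed to match the configuration described in this post.

```python
"""Evaluate whether a security group's inbound rules allow traffic from a
given source IP to a given port, in the way the role's security group check
does. Rule layout mirrors the EC2 IpPermissions structure; the sample rules
below are constructed to match this post's configuration."""
import ipaddress

# Constructed sample: the initial inbound rules of the RDS security group.
INITIAL_RULES = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.1.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.1.2.0/24"}]},
]

# Constructed sample: the rule the fix playbook adds for the EC2 subnet.
EC2_SUBNET_RULE = {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                   "IpRanges": [{"CidrIp": "10.1.10.0/24"}]}


def rule_matches(rule, ip, port, proto="tcp"):
    """True if one IpPermissions entry covers (ip, port, proto)."""
    # "-1" is the EC2 API value for "all protocols"; such rules carry no ports.
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    src = ipaddress.ip_address(ip)
    # An IPv4 source never matches an IPv6 range (and vice versa).
    return any(src in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))


def sg_allows(rules, ip, port, proto="tcp"):
    """Security groups are allow-only: any matching rule permits the flow."""
    return any(rule_matches(r, ip, port, proto) for r in rules)


def explain(sg_id, rules, ip, port, proto="tcp"):
    """Build a message in the style of the role's validation output."""
    if sg_allows(rules, ip, port, proto):
        return "Security Group validation successful"
    return (f"Security Group validation failed: Security group {sg_id} is not "
            f"allowing {proto} traffic to/from IP {ip} for port(s) {port}.")


if __name__ == "__main__":
    sg = "sg-0123456789abcdefg"
    print(explain(sg, INITIAL_RULES, "10.1.10.41", 5432))
    print(explain(sg, INITIAL_RULES + [EC2_SUBNET_RULE], "10.1.10.41", 5432))
```

Because the fix playbook below sets purge_rules: true, the resulting group contains only the EC2 subnet rule; evaluating [EC2_SUBNET_RULE] on its own shows that the original 10.1.1.0/24 and 10.1.2.0/24 sources are then no longer permitted.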
Fix the security group rules
Update the security group rules to allow TCP traffic on port 5432 coming from the EC2 instance subnet (10.1.10.0/24).
Execute the following playbook:
- hosts: localhost
  gather_facts: false
  tasks:
    - name: update security group rules
      amazon.aws.ec2_security_group:
        name: troubleshooter-vpc-secgroup
        # purge_rules: true removes any existing inbound rule not listed under rules
        purge_rules: true
        vpc_id: vpc-0123456789abcdefg
        description: update security to allow traffic from EC2 subnet
        rules:
          - cidr_ip: 10.1.10.0/24
            proto: tcp
            from_port: 5432
            to_port: 5432
        state: present
Validate RDS connectivity from EC2 instance
With the updated security group rule, the EC2 instance can now reach the RDS instance. Let’s validate that by re-running the earlier playbook with the cloud.aws_troubleshooting.troubleshoot_rds_connectivity role.
Below is the updated result:
(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
ok: [localhost] => {"changed": false, "msg": "Security Group validation successful"}
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate network ACLS] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Network ACL validation successful"}
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate route tables] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Resources located in the same VPC"}
PLAY RECAP ***************************************************************************************************************************************
localhost : ok=48 changed=0 unreachable=0 failed=0 skipped=33 rescued=0 ignored=0
In conclusion, using the cloud.aws_troubleshooting collection with a few parameters, you can diagnose multiple issues on your AWS cloud infrastructure.
Where to go next
- Come visit us at AnsibleFest, now a part of Red Hat Summit 2023.
- Missed out on AnsibleFest 2022? Check out the Best of AnsibleFest 2022.
- Self-paced lab exercises - We have interactive, in-browser exercises to help you get started with Ansible Automation Platform.
- Try Ansible Automation Platform free for 60 days.