Troubleshoot RDS connectivity issues with Ansible validated content

March 1, 2023 by Aubin Bikouo

rds validated content blog

The Ansible validated content cloud.aws_troubleshooting introduces a role named troubleshoot_rds_connectivity. This role helps you troubleshoot AWS Relational Database Service (RDS) connectivity issues from an EC2 instance.

The role diagnoses connectivity issues between an EC2 instance and an Amazon Relational Database Service instance by ensuring that the RDS instance is available and checking the associated security group rules, network access control lists, and route tables for potential connectivity issues.

To do this, the role will need the EC2 instance identifier to test connectivity from the RDS instance identifier to connect to.

Let's see how this can be used with the following example.

 

Configuration

We have an RDS instance and an EC2 instance running in the same VPC (virtual private cloud) with the CIDR block 10.1.0.0/16.

The RDS instance is running on two subnets with the following CIDR blocks 10.1.1.0/24 and 10.1.2.0/24.

The EC2 instance is running in another subnet in the VPC with the CIDR block 10.1.10.0/24. The EC2 instance has been assigned the following private IP address 10.1.10.41.

In the initial configuration, a security group is attached to the VPC with the following inbound rules:

  • allow TCP traffic on port 5432 from CIDR block 10.1.1.0/24
  • allow TCP traffic on port 5432 from CIDR block 10.1.2.0/24

The security group rules do not allow traffic coming from the EC2 instance subnet CIDR block, we will diagnose that using the cloud.aws_troubleshooting.troubleshooting_rds_connectivity role.

 

Troubleshooting RDS connectivity from an EC2 instance

Here is an Ansible Playbook example using the cloud.aws_troubleshooting.troubleshooting_rds_connectivity collection with RDS and EC2 instances identifiers.

- hosts: localhost
  gather_facts: false


  roles:
   - role: cloud.aws_troubleshooting.troubleshoot_rds_connectivity
     Troubleshoot_rds_connectivity_db_instance_id: rds-id-0123
     troubleshoot_rds_connectivity_ec2_instance_id: i-0123456789abcdef

Run the playbook using the ansible-navigator command.

Here’s an example of the command:  ansible-navigator run -m stdout playbook.yml

Here is the provided result:

(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Security Group validation failed: Security group sg-0123456789abcdefg is not allowing tcp traffic to/from IP 10.1.10.41 for port(s) 5432."}


PLAY RECAP ***************************************************************************************************************************************
localhost                  : ok=45   changed=0    unreachable=0    failed=1    skipped=33   rescued=0    ignored=0

The role shows that there is an issue with the security group rules from the VPC where the RDS instance is running.

 

Fix the security group rules

Update the security group rules to allow TCP traffic coming from the EC2 instance VPC.

Execute the following playbook:

- hosts: localhost
  gather_facts: false


  tasks:
   - name: update security group rules
     amazon.aws.ec2_security_group:
       name: troubleshooter-vpc-secgroup
       purge_rules: true
       vpc_id: vpc-0123456789abcdefg
       description: update security to allow traffic from EC2 subnet
       rules:
         - cidr_ip: 10.1.10.0/24
           proto: tcp
           from_port: 5432
           to_port: 5432
       state: present

 

Validate RDS connectivity from EC2 instance

With the update of the security group rule, the EC2 instance can now contact the RDS instance.  Let’s validate that by running the playbook we ran earlier with the cloud.aws_troubleshooting.troubleshooting_rds_connectivity role.

Below is the updated result:

(...)
TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate Security Group Rules] ***************************************************
ok: [localhost] => {"changed": false, "msg": "Security Group validation successful"}


TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate network ACLS] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Network ACL validation successful"}


TASK [cloud.aws_troubleshooting.troubleshoot_rds_connectivity : Evaluate route tables] ***********************************************************
ok: [localhost] => {"changed": false, "msg": "Resources located in the same VPC"}


PLAY RECAP ***************************************************************************************************************************************
localhost                  : ok=48   changed=0    unreachable=0    failed=0    skipped=33   rescued=0    ignored=0

In conclusion, using the cloud.aws_troubleshooting collection with a few parameters, you can diagnose multiple issues on your AWS cloud infrastructure.

 

Where to go next

Share:

Topics:
Validated Content


 

Aubin Bikouo

Aubin Bikouo is a Senior Software Engineer on the Ansible Cloud team. When he’s not busy writing code, he’s probably playing bass guitar or doing some sport.


rss-icon  RSS Feed