[Posted]: 2017-12-29 11:34:23
[Question]:
I've completely given up on this. I have been trying to create a publicly accessible RDS instance using CloudFormation. I want to be able to connect to my instance with a mysql client. When I deploy this stack, the RDS console says the instance is publicly accessible, but I can't connect via the endpoint shown in the RDS console. I guess I messed up / missed something in the VPC part. Here is my stack.yaml file:
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'VPC created by cf'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Created By CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  DataSourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref Vpc
  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      # The source is the same group: this rule only admits traffic from
      # resources that are themselves members of DataSourceSecurityGroup.
      SourceSecurityGroupId: !Ref DataSourceSecurityGroup
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      CidrBlock: 10.0.0.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      CidrBlock: 10.0.16.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: 'RouteTable created by CF'
  RouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  RouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref RouteTable
  InternetRouteRule:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  DataSourceSubtNetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Created by CF
      SubnetIds:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
  DataSource:
    Type: AWS::RDS::DBInstance
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      DBName: MyDb
      DBSubnetGroupName: !Ref DataSourceSubtNetGroup
      Engine: MySQL
      MasterUsername: AdminUser
      MasterUserPassword: AdminPassword
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref DataSourceSecurityGroup
    # Resource-level attribute, a sibling of Type/Properties, not a property.
    DeletionPolicy: Snapshot
Thanks
[Discussion]:
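Added example (not part of the question or the discussion): a small Python check that reads a CloudFormation template in its JSON-equivalent dict form ({"Ref": "X"} is the same as !Ref X, so no YAML parser is needed) and classifies how an RDS instance's security groups admit TCP 3306. The embedded template is a constructed, cut-down copy of the stack above, and 203.0.113.5/32 is a placeholder admin address. It shows why a rule whose source is the group itself never matches a client outside the VPC, and it also flags the opposite mistake, a 0.0.0.0/0 or ::/0 source on the database port.

```python
import copy
from ipaddress import ip_network

# Constructed fragment of the question's stack in CloudFormation's JSON form.
# Only the resources the check needs are included.
ORIGINAL = {
    "Resources": {
        "DataSourceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "Open database for access",
                           "VpcId": {"Ref": "Vpc"}},
        },
        "DSSGIngressRule": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "FromPort": "3306", "ToPort": "3306", "IpProtocol": "tcp",
                "GroupId": {"Ref": "DataSourceSecurityGroup"},
                # Source is the same group: only members of the SG may connect.
                "SourceSecurityGroupId": {"Ref": "DataSourceSecurityGroup"},
            },
        },
        "DataSource": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "MySQL", "PubliclyAccessible": True,
                "VPCSecurityGroups": [{"Ref": "DataSourceSecurityGroup"}],
            },
        },
    }
}


def variant(ingress_source):
    """Copy of ORIGINAL whose DSSGIngressRule uses `ingress_source`
    (e.g. {"CidrIp": "203.0.113.5/32"}) instead of the self-referencing SG."""
    t = copy.deepcopy(ORIGINAL)
    props = t["Resources"]["DSSGIngressRule"]["Properties"]
    props.pop("SourceSecurityGroupId", None)
    props.update(ingress_source)
    return t


def resolve_ref(value):
    """Logical ID named by a {"Ref": ...} value, or None for anything else."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return None


def ingress_rules_for(template, sg_id):
    """All ingress rules that apply to security group `sg_id`: inline
    SecurityGroupIngress entries plus standalone
    AWS::EC2::SecurityGroupIngress resources whose GroupId refs it."""
    resources = template["Resources"]
    rules = list(resources[sg_id].get("Properties", {}).get("SecurityGroupIngress", []))
    for res in resources.values():
        if res["Type"] == "AWS::EC2::SecurityGroupIngress" \
                and resolve_ref(res["Properties"].get("GroupId")) == sg_id:
            rules.append(res["Properties"])
    return rules


def port_in_range(rule, port):
    """True if the rule covers TCP `port` (protocol -1 means all traffic)."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ("-1", "all"):
        return True
    if proto != "tcp":
        return False
    return int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535))


def assess_db_exposure(template, db_id="DataSource", port=3306):
    """Classify how the DB instance's security groups admit TCP `port`:
      'not_public'       PubliclyAccessible is false
      'unreachable'      public endpoint, but no CIDR-based rule reaches the
                         port (the question's symptom: a client outside the
                         VPC never matches an SG-only source, so it times out)
      'world_open'       a 0.0.0.0/0 or ::/0 source: reachable, but the DB is
                         exposed to the whole internet
      'cidr_restricted'  reachable only from specific CIDR sources
    """
    db = template["Resources"][db_id]["Properties"]
    if not db.get("PubliclyAccessible", False):
        return "not_public"
    cidrs = []
    for sg_ref in db.get("VPCSecurityGroups", []):
        for rule in ingress_rules_for(template, resolve_ref(sg_ref)):
            if not port_in_range(rule, port):
                continue
            for key in ("CidrIp", "CidrIpv6"):
                if key in rule:
                    cidrs.append(ip_network(rule[key]))
    if not cidrs:
        return "unreachable"
    if any(net.prefixlen == 0 for net in cidrs):
        return "world_open"
    return "cidr_restricted"


if __name__ == "__main__":
    print("original:", assess_db_exposure(ORIGINAL))
    print("admin /32:", assess_db_exposure(variant({"CidrIp": "203.0.113.5/32"})))
    print("open:", assess_db_exposure(variant({"CidrIp": "0.0.0.0/0"})))
```

The original stack comes out as "unreachable": PubliclyAccessible gives the instance a public address, but the only ingress rule trusts DataSourceSecurityGroup itself, which a mysql client on a laptop can never belong to. Swapping the source for a narrow CidrIp makes it "cidr_restricted", which is the form to prefer over a 0.0.0.0/0 rule that the check reports as "world_open".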
-
Could you check the inbound security group in CloudFormation? Check whether it allows ingress from any CIDR block, specifically for DataSourceSecurityGroup.
-
Do you mean from the VPC?
-
@Ashan, do you mean check in the VPC? I can't see any way to check the security group in CloudFormation. I'm very fuzzy on how everything in the VPC works. Could you be more specific?
-
First check from the AWS web console whether the security group is open to external access. I doubt the security group in CloudFormation is open to the outside when it uses the ingress defaults.
-
Why do you need a RouteTable? Isn't attaching the internet gateway enough?
Tags: amazon-web-services amazon-rds amazon-cloudformation amazon-vpc