I have an EC2 instance in AWS account A. Its private IPv4 address is 10.111.12.23.
I allowed it in an RDS security group rule in account B: a rule of type CIDR/IP - Inbound with 10.111.12.23/32.
I also use a transit gateway between these two accounts' VPC networks, routing them so that the EC2 instance in account A can access account B.
When I log in to the EC2 instance in account A, I can't ping the RDS cluster's endpoint. Checking the IP on the EC2 host, I got:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 00:01:b2:31:d0:d2 brd ff:ff:ff:ff:ff:ff
inet 10.111.12.23/27 brd 10.111.12.43 scope global dynamic eth0
valid_lft 2390sec preferred_lft 2390sec
inet6 ze20::202:b3fa:fe31:a0c2/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ed:6d:80:1a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 ze20::20:b1fa:fl39:712x/64 scope link
valid_lft forever preferred_lft forever
...
The IP 10.111.12.23/27 has a /27 subnet, not /32. So is that the reason it can't access the RDS, even though the IP is allowed with /32 and it still doesn't work?
And, a little more complex: I also want to access the RDS in account B from account A's EC2 instance with Docker on it. Logging in to the Docker container and checking its IP:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
117: eth0@if118: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 01:12:lc:22:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.5/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
It's using a different network IP. So even if I can connect to RDS from the EC2 host, can it also access RDS from inside Docker on it?
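An added example (not from the question) that models how the security-group rule is evaluated against the two addresses in the post; it assumes Docker's default bridge networking with outbound masquerading, so the container's traffic leaves the host carrying the host's 10.111.12.23 address:

```python
import ipaddress
import re

# Constructed sample, trimmed from the `ip addr` output quoted in the question.
HOST_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    inet 10.111.12.23/27 brd 10.111.12.43 scope global dynamic eth0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
"""

# `inet <addr>/<prefix> ... <device>` lines; the device name is the last token.
INET_RE = re.compile(r"^\s*inet (\S+) .* (\S+)$", re.MULTILINE)

def parse_inet(ip_addr_output):
    """Map interface name -> IPv4Interface parsed from `ip addr` text (IPv4 only)."""
    return {dev: ipaddress.ip_interface(cidr)
            for cidr, dev in INET_RE.findall(ip_addr_output)}

def sg_allows(rule_cidr, source_ip):
    """A security-group CIDR rule is matched against the packet's source address only.
    The prefix length configured on the sender's own interface (/27 here) plays no part."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(rule_cidr)

def source_seen_by_rds(container_ip, host_ip, bridge_masquerade=True):
    """Assumption: the container sits on a Docker bridge network with Docker's default
    MASQUERADE rule, so traffic leaving the host carries the host's IP, not 172.18.x.x."""
    return host_ip if bridge_masquerade else container_ip

def check(rule_cidr="10.111.12.23/32", container_ip="172.18.0.5"):
    ifaces = parse_inet(HOST_IP_ADDR)
    host_ip = str(ifaces["eth0"].ip)  # 10.111.12.23; the /27 is the subnet mask, not a rule
    return {
        "host_allowed": sg_allows(rule_cidr, host_ip),
        "container_ip_allowed_directly": sg_allows(rule_cidr, container_ip),
        "container_allowed_via_nat": sg_allows(
            rule_cidr, source_seen_by_rds(container_ip, host_ip)),
        # Least privilege: the /32 rule admits one host; a /27 rule would admit 32 addresses.
        "addresses_admitted_by_rule": ipaddress.ip_network(rule_cidr).num_addresses,
        "addresses_in_host_subnet": ifaces["eth0"].network.num_addresses,
    }

if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

The rule also has to cover the database port, and a TCP connection attempt to that port is a more informative check than ping.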