Open amhashicorp opened 1 year ago
goosefraba
commented
1 year ago Since some hours, I have the same issue. Everything worked before and when I select a database now after using rdsconn proxy command and try to connect to localhost:5432 I get the same error message.
aidansteele
commented
1 year ago Yep, I'm seeing this too. It seems that the service is now restricted to standard SSH and RDP ports. I assume that RDS would still work if configured to listen on port 3389 (instead of 5432) but I don't think that's a reasonable thing for me to suggest people do. I'll keep this issue open if people want to subscribe to hear about updates in the future (e.g. if AWS removes the restriction)
avoidik
commented
1 year ago have you added any security group(s) to EICE when you've been creating it?
goosefraba
commented
1 year ago Yes and I also tried to allow all traffic but still not working.
avoidik
commented
1 year ago what a shame, this is an AWS API limitation now, not a network
tomkins
commented
1 year ago Amusingly - this project was included in AWS Week in Review, so at least some people at AWS like the idea of it - even if others have locked it down.
yevman
commented
1 year ago Instead of changing the DB sport is there any simple and cheap AWS service that can be used to switch port traffic before hitting the DB from the EIC?
aidansteele
commented
1 year ago @yevman I'm not sure it meets the "cheap" criteria, but you could use a Network Load Balancer in TCP mode. It could listen on port 3389 and forward to a target listening on a different port (e.g. your RDS instance listening on port 5432)
MStaniaszek
commented
1 year ago @yevman I'm not sure it meets the "cheap" criteria, but you could use a Network Load Balancer in TCP mode. It could listen on port 3389 and forward to a target listening on a different port (e.g. your RDS instance listening on port 5432)
Is it possible to achieve? I tried this approach but it gives me an error Encountered error with websocket: (9, 'Bad file descriptor')
mathewmoon
commented
1 year ago @MStaniaszek When I got that error it was due to a SG rule. The problem with a NLB is that the target IP addresses for the RDS endpoints are subject to change. I've created a solution with a Lambda that runs every minute to check that the target group IP matches the latest result of dig but that's a pretty hacky solution and if you're using IaC you have to either let the Lambda handle creating the target group or, if using Terraform, add a lifecycle.ignore_changes to the resource so your next run doesn't try to "fix" it.
I was however able to just create a cluster running on port 3389. I wouldn't do that in production though. If they updated the ports without warning who's to say they won't do something to limit the protocol that is allowed to pass through it. It peeves me off that such a breaking change, in however short a time from initial release, wouldn't be predicated on a proper deprecation notice.
In the end I would spend the extra 5 minutes to create a nano bastion host for SSM before trying to hack around the breaking change. It's a pity though. I was excited about the service.
nitrocode
commented
1 year ago I guess it's back to a bastion host.
Maybe BohdanPetryshyn/basti (temp bastion host + ssm) can be used while we wait for aws to open up port 5432 again via ec2 instance connect?
Hi,
I have been using this code to successfully connect to an RDS instance in a private subnet. I was working on adding some extra functionality but then started to hit some errors that did not correlate with the changes I had made.
I decided to go back to trying to use the code in this repo which worked originally and found I could have the connection waiting on a port but then when trying to connect I received the following error:
I decided to go even more basic and ran this command -
I found I got this output error:
This error seems to suggest that the RemotePort options has now been restricted to 3389 (RDP) and 22 (SSH)?
Has anyone else experienced this?