Connect from AWS EKS cluster to a database on AWS
I am writing this since I found it difficult to find the correct IP to allow to enable incoming traffic from a Kubernetes cluster behind a load balancer to a MySQL database, both on AWS.
I was using Superset running on a Kubernetes cluster in AWS and needed to connect from Superset to an RDS (MySQL) database on AWS. This, of course, required the MySQL database to be configured to allow incoming traffic from the cluster Superset was running on, meaning it had to allow incoming traffic from any of the nodes in the cluster.
To avoid allowing all incoming traffic to the database, I wanted to set up a security rule to allow only traffic from the Kubernetes cluster. First, I needed to figure out where to find the correct IP for which traffic should be allowed through. Next, the rules for traffic to the database needed to be configured to reflect this.
Find public IPs from nodes in k8s cluster
To summarize, the steps to identify public IPs for an EKS cluster on AWS are as follows:
- Go to the EKS cluster in the AWS console.
- Under the Compute tab, find the column called “Node name”.
- For each row in the “Node name” column, identify the numbers in the first part of the name that look like an IP address and write them down in the form of an IP address, replacing each “-” in the node name with a “.”.
- Go to the list of Network Interfaces (an EC2 service).
- For each of the IP addresses written down in step 3, filter on this in the Network Interfaces overview. In the column called “Public IPv4 address”, you will find the public IP address for which inbound traffic to the database needs to be allowed.
These steps are described in detail in the following.
To find the public IPs of the nodes in an Elastic Kubernetes Service cluster (EKS) in AWS, first go to the console in AWS and make sure you are in the region hosting your EKS cluster. In the below screenshot, for instance, I have purposefully selected a region in which I do not currently have an EKS cluster, which is why no clusters are shown in the overview.
Once you have made sure you are looking at the region where your EKS cluster is hosted, go to Services and search for EKS, as shown below:
You will then be taken to an overview of your EKS clusters in the selected region. In the “Cluster name” column, click the EKS cluster that you are interested in.
After clicking the cluster name, you will see a page with some basic “Cluster info”, such as the deployed Kubernetes version and the “Support type” subscribed to. Just beneath the “Basic info” section, there are various tabs containing more detailed information, as shown below.
Click the “Compute” tab to view the nodes in the cluster. These nodes have names like “ip-25-7-355-444.us-central-1.compute.internal”. Note the numbers after ip- at the beginning of the name and write them down as an IP address, i.e. in this case 25.7.355.444. This IP address can be used to find the Elastic Network Interface (ENI), from which the public IP address can be found. To find the list of ENIs, go to the Elastic Compute Cloud (EC2) landing page by searching for EC2 in Services and clicking the search result, as shown below:
In this landing page, click “Network Interfaces” on the left sidebar menu under the “Network & Security” category.
You will then see a page listing Network Interfaces.
In the search box on the page with Network Interfaces, type in the IP address that you noted down above. This will result in a single search result, and by scrolling right, you will find the Public IP associated with this. Incoming traffic from this IP address needs to be allowed by the database.
Find the Public IP addresses in this way for all the nodes listed in the Compute tab under Cluster information.
I found this approach in a comment on a Stack Overflow post: https://stackoverflow.com/questions/74292983/how-to-know-which-eni-is-attached-to-a-pod-in-an-aws-eks-cluster.
Set up security rules for the database
Now that we have found the public IP addresses that the database needs to accept incoming traffic from, let’s see how we configure this. First, go to the Relational Database Service by clicking “Services” in the upper left corner in the AWS console, and type in RDS in the search field as shown below:
After having clicked RDS, you will be taken to a Databases landing page. In the menu on the left, click Databases in the Dashboard section, as highlighted below.
On the database overview, click the database for which you want to configure security rules.
In the detailed overview for the relevant database, click the security group link listed in the Security section in the “Connectivity & security” tab.
After clicking the security group link, you will be taken to a security group overview filtered by this security group, so that only the relevant security group is shown. Click this security group to go to its detailed view, where it can be configured.
After clicking the relevant security group in the security group overview, you will be taken to a detailed page for the security group in which you can also configure it.
In the detailed view for the security group, click the “Edit inbound rules” button in the “Inbound rules” tab.
This will transfer you to the interface for editing inbound traffic rules, shown below.
Last, a rule for each of the nodes in the cluster needs to be set up. For each node, click the “Add rule” button and type in the public IP address identified. Finally, click “Save rules”. Your database should now be able to receive incoming traffic from your EKS cluster.
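The two console procedures above (deriving the node's private IP from its name, looking up the public IPv4 address on the matching ENI, and adding a /32 inbound rule on the database security group) can be scripted with the AWS CLI. The script below is an added example, not part of the original post: it takes node names of the form shown in the Compute tab, validates the embedded IP, and prints the `aws ec2 describe-network-interfaces` and `aws ec2 authorize-security-group-ingress` commands rather than running them, so it works offline and can be reviewed before being piped to a shell. The security group id, port and sample node names are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): turn EKS node names into the
# AWS CLI commands that find each node's public IPv4 address and allow it
# on the RDS security group. Commands are printed, not executed.

# Hypothetical values: replace with your own security group id and port.
RDS_SG_ID="${RDS_SG_ID:-sg-0123456789abcdef0}"   # placeholder, not a real id
DB_PORT="${DB_PORT:-3306}"                       # MySQL default port

# Constructed sample node names, shaped like those in the Compute tab.
SAMPLE_NODES="ip-10-0-1-23.eu-west-1.compute.internal
ip-10-0-2-150.eu-west-1.compute.internal"

# node_name_to_ip: "ip-10-0-1-23.eu-west-1.compute.internal" -> "10.0.1.23".
# Prints nothing and returns 1 unless the name is ip-A-B-C-D.<suffix> with
# exactly four numeric octets, each in 0..255.
node_name_to_ip() {
  host=${1%%.*}                      # keep only the part before the first dot
  case $host in
    ip-*) ;;
    *) return 1 ;;
  esac
  ip=$(printf '%s' "${host#ip-}" | tr '-' '.')
  old_ifs=$IFS; IFS=.
  set -- $ip                         # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  printf '%s\n' "$ip"
}

# eni_lookup_cmd: the describe-network-interfaces call that finds the ENI
# holding this private IP and prints its associated public IPv4 address.
eni_lookup_cmd() {
  printf "aws ec2 describe-network-interfaces --filters Name=addresses.private-ip-address,Values=%s --query 'NetworkInterfaces[].Association.PublicIp' --output text\n" "$1"
}

# ingress_rule_cmd: allow DB_PORT/tcp from one public IP only (/32).
ingress_rule_cmd() {
  printf "aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port %s --cidr %s/32\n" "$RDS_SG_ID" "$DB_PORT" "$1"
}

# emit_commands: for each node name on stdin, print a lookup that stores the
# public IP in PUBLIC_IP, followed by the rule that uses it. Names that do
# not carry a valid IP are reported on stderr and skipped.
emit_commands() {
  while IFS= read -r node; do
    [ -n "$node" ] || continue
    ip=$(node_name_to_ip "$node") || { echo "# skipped (not ip-A-B-C-D): $node" >&2; continue; }
    echo "# node $node (private IP $ip)"
    echo "PUBLIC_IP=\$($(eni_lookup_cmd "$ip"))"
    ingress_rule_cmd '${PUBLIC_IP}'
  done
}

# Demo on the constructed sample. Against a real cluster:
#   kubectl get nodes --no-headers -o custom-columns=:metadata.name | emit_commands
printf '%s\n' "$SAMPLE_NODES" | emit_commands
```

Run the printed commands only after checking them. Two practical notes: the public IP of a node is not stable, so when a node group scales or replaces a node the rules need regenerating; and when the cluster and the database share a VPC, traffic to the RDS endpoint uses private addressing, in which case referencing the node security group as the source is the usual alternative to per-node public IP rules.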
Conclusion
We have gone through how to identify the public IPs of nodes on an EKS cluster on AWS, and how to specify that an RDS database on AWS should allow incoming traffic from these public IPs.
I would love to hear from you if you know of an easier way to identify the public IP addresses of nodes in an EKS cluster.