Create a resource in a VPC (AWS / RDS)

I'm not sure why my internet searches are fruitless, but I would like to be able to create a resource (RDS) in a VPC. All I see is the ability to specify security groups, which gives me error messages like this…

An error occurred: RDSInstance - VPC Security Groups cannot be associated with non-VPC DB Instances.

Why can I not just specify something like this…

vpc: vpc-9999eeee

…in the relevant resource section (yes, I have checked this: https://serverless.com/framework/docs/providers/aws/guide/resources/).


You need to create a DB subnet group with the subnets you want to use, then use that when creating the RDS instance. The RDS CloudFormation docs are the best place to start looking.

Thanks for the response. What would be insanely useful for people who, like myself, are searching for how to do this sort of thing is the posting of example YAML. In the meanwhile I’ll check out what you’ve said above.

Well, I tried setting the new RDS DB instance to having the same security groups as my VPC (using VPCSecurityGroups: [sg-abc123, sg-xyz789, …etc…]), but got this…

An error occurred: RDSInstance - VPC Security Groups cannot be associated with non-VPC DB Instances.

…so it seems it still thinks my DB is not associated with a VPC.

It should be something like this:

    Vpc:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: 10.0.0.0/16
        InstanceTenancy: default

    PublicSubnet:
      Type: AWS::EC2::Subnet
      Properties:
        CidrBlock: 10.0.0.0/18
        VpcId:
          Ref: Vpc

    PrivateSubnet1:
      Type: AWS::EC2::Subnet
      Properties:
        AvailabilityZone: ap-southeast-1a
        CidrBlock: 10.0.64.0/18
        VpcId:
          Ref: Vpc

    PrivateSubnet2:
      Type: AWS::EC2::Subnet
      Properties:
        AvailabilityZone: ap-southeast-1b
        CidrBlock: 10.0.128.0/18
        VpcId:
          Ref: Vpc

    Database:
      Type: AWS::RDS::DBInstance
      Properties:
        DBName: test
        AllocatedStorage: '20'
        DBInstanceClass: db.t2.micro
        Engine: mysql
        EngineVersion: "5.7.21"
        MasterUsername: test
        # Placeholder only: do not commit a real password; pass it in as a
        # NoEcho parameter or a Secrets Manager dynamic reference instead.
        MasterUserPassword: password
        # The DB subnet group is what makes this a VPC DB instance; without it
        # VPCSecurityGroups fails with the error quoted above.
        DBSubnetGroupName:
          Ref: DBSubnetGroup
        VPCSecurityGroups:
          - Ref: DatabaseVpcSecurityGroup

    DBSubnetGroup:
      Type: "AWS::RDS::DBSubnetGroup"
      Properties:
        DBSubnetGroupName: PrivateDbSubnet
        DBSubnetGroupDescription: PrivateDbSubnet
        # Subnets in at least two Availability Zones of the same VPC.
        SubnetIds:
          - Ref: PrivateSubnet1
          - Ref: PrivateSubnet2

    DatabaseVpcSecurityGroup:
      Type: "AWS::EC2::SecurityGroup"
      Properties:
        GroupName: DBSecurityGroup
        GroupDescription: Allow local access
        # MySQL port reachable only from inside the VPC's own CIDR.
        SecurityGroupIngress:
          - CidrIp: 10.0.0.0/16
            IpProtocol: tcp
            FromPort: 3306
            ToPort: 3306
        VpcId:
          Ref: Vpc

Thank you very much, Dawid!

I have been struggling with this for a while - trying to make the code portable among all AWS Regions, especially when there is no default VPC or default subnet. Your solution gets the RDS created.

We are mostly focused on IoT Core and Lambda - and not very familiar with VPCs, Subnets, etc.

Can you suggest an enhancement that would allow an external tool, like MySQL WorkBench, to communicate with the RDS using Port 3306 over TCP?

Thank you in advance for your help.

Best,
William
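As an added example (not code from the thread or from the Serverless project), the following Python script statically checks a template for the two things this thread turns on: the "VPC Security Groups cannot be associated with non-VPC DB Instances" error, which is what you get when VPCSecurityGroups is set without a DBSubnetGroupName, and the temptation, when trying to let a tool like MySQL Workbench in on 3306, to open the security group to 0.0.0.0/0. The template is Dawid's Resources section already parsed into a Python dict and constructed inline so the script runs offline without a YAML library; the finding codes, the helper names and the two variant builders are assumptions of this example, not Serverless or CloudFormation APIs.

```python
"""Static checks for the RDS-in-VPC pattern discussed in this thread."""
import copy
from ipaddress import ip_network

# Constructed: the thread's Resources section, already parsed into a dict
# (inline so the script runs offline without a YAML library).
TEMPLATE = {
    "Vpc": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "PrivateSubnet1": {"Type": "AWS::EC2::Subnet",
                       "Properties": {"CidrBlock": "10.0.64.0/18",
                                      "VpcId": {"Ref": "Vpc"}}},
    "PrivateSubnet2": {"Type": "AWS::EC2::Subnet",
                       "Properties": {"CidrBlock": "10.0.128.0/18",
                                      "VpcId": {"Ref": "Vpc"}}},
    "DBSubnetGroup": {"Type": "AWS::RDS::DBSubnetGroup",
                      "Properties": {"SubnetIds": [{"Ref": "PrivateSubnet1"},
                                                   {"Ref": "PrivateSubnet2"}]}},
    "DatabaseVpcSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"VpcId": {"Ref": "Vpc"},
                       "SecurityGroupIngress": [{"CidrIp": "10.0.0.0/16",
                                                 "IpProtocol": "tcp",
                                                 "FromPort": 3306,
                                                 "ToPort": 3306}]}},
    "Database": {"Type": "AWS::RDS::DBInstance",
                 "Properties": {"Engine": "mysql",
                                "MasterUserPassword": "password",
                                "DBSubnetGroupName": {"Ref": "DBSubnetGroup"},
                                "VPCSecurityGroups": [{"Ref": "DatabaseVpcSecurityGroup"}]}},
}


def _ref(value):
    """Logical id behind a {"Ref": ...} intrinsic, or None for anything else."""
    return value.get("Ref") if isinstance(value, dict) else None


def _props(resources, logical_id):
    return resources.get(logical_id, {}).get("Properties", {})


def _rule_exposes_port(rule, port):
    """True if an ingress rule admits the whole internet (prefix /0) to `port`."""
    cidr = rule.get("CidrIp")
    if cidr is None or ip_network(cidr, strict=False).prefixlen != 0:
        return False
    if rule.get("IpProtocol") in ("-1", -1):   # all protocols and ports
        return True
    return int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535))


def check_rds(resources, db_port=3306):
    """Return (resource, code) findings for each AWS::RDS::DBInstance."""
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::RDS::DBInstance":
            continue
        props = res.get("Properties", {})
        sg_ids = [_ref(sg) for sg in props.get("VPCSecurityGroups", [])]
        group = _ref(props.get("DBSubnetGroupName"))
        # The thread's error: VPC security groups on an instance that has no
        # DB subnet group, so CloudFormation treats it as a non-VPC instance.
        if sg_ids and group is None:
            findings.append((name, "NO_SUBNET_GROUP"))
            continue
        if group is not None:
            subnet_vpcs = {_ref(_props(resources, _ref(s)).get("VpcId"))
                           for s in _props(resources, group).get("SubnetIds", [])}
            # Literal sg-... ids of pre-existing groups cannot be resolved
            # statically, so only Ref'd groups take part in this check.
            sg_vpcs = {_ref(_props(resources, sg).get("VpcId"))
                       for sg in sg_ids if sg is not None}
            # Subnet group and security groups must resolve to one VPC.
            if len(subnet_vpcs | sg_vpcs) != 1:
                findings.append((name, "VPC_MISMATCH"))
        for sg in sg_ids:
            rules = _props(resources, sg).get("SecurityGroupIngress", [])
            if any(_rule_exposes_port(r, db_port) for r in rules):
                findings.append((name, "OPEN_INGRESS"))
                break
        # A literal string here means the password is committed with the template.
        if isinstance(props.get("MasterUserPassword"), str):
            findings.append((name, "PLAINTEXT_PASSWORD"))
    return findings


def without_subnet_group(resources=TEMPLATE):
    """Constructed variant reproducing the original poster's mistake."""
    t = copy.deepcopy(resources)
    del t["Database"]["Properties"]["DBSubnetGroupName"]
    return t


def open_to_internet(resources=TEMPLATE):
    """Constructed variant: the shortcut of opening 3306 to 0.0.0.0/0."""
    t = copy.deepcopy(resources)
    ingress = t["DatabaseVpcSecurityGroup"]["Properties"]["SecurityGroupIngress"]
    ingress[0]["CidrIp"] = "0.0.0.0/0"
    return t


if __name__ == "__main__":
    for label, tpl in (("thread", TEMPLATE),
                       ("no subnet group", without_subnet_group()),
                       ("open to internet", open_to_internet())):
        print(label, check_rds(tpl))
```

Run as written, the thread's template yields only the PLAINTEXT_PASSWORD finding; dropping DBSubnetGroupName reproduces the error from the first post as NO_SUBNET_GROUP, and widening the ingress rule to 0.0.0.0/0 is flagged as OPEN_INGRESS. For the Workbench question, the defensive answer the check encodes is to keep the ingress CIDR narrow (your own address as a /32, or a VPN or bastion host inside the VPC) rather than the whole internet.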