Scenario / Questions

I have a postgres db setup on RDS. It is running great. However, I want to link this to a set of autoscaled EC2 instances sitting behind an ELB that all reside in a single EC2 security group.

I’ve been told that it is possible to add a rule to the security group for the RDS instance that uses my EC2 security group as the source. When I go to the console and edit the RDS security group I only see the following options under the source column: Anywhere, Custom IP, and My IP.

In the information pop-up at the top of the column it says: To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup. (looks like it may only be applicable to EC2-Classic)

It does not let me type in the source dropdown box.

Under the RDS section I noticed they have option groups. However, the default option group associated with my postgres instance is not editable.

Therefore, I tried to create a new group. At this point I discovered that postgres is not listed as an available engine. I selected mysql instead just to see whether I could add options. It looks like I can add a security group to a mysql instance, but NOT a postgres instance.

Do postgres instances not support this expected option?

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

When your RDS instance is not in a VPC, then your RDS instance is associated with an RDS security group. Those security groups are controlled by the “Security Groups” section in the RDS console. From there, you can add EC2-Classic security groups for access:

  1. Select your RDS security group
  2. Select “EC2 Security Group” for the “Connection Type”
  3. Select this or another AWS account and fill in the other AWS account number if necessary
  4. Select or fill in the correct security group.
  5. Click “Authorize”

When your RDS instance is inside a VPC, then your RDS instance is associated with a VPC security group. Those security groups are controlled by the “Security Groups” section in the VPC console. From there, you can add other VPC security groups for access:

  1. Select your VPC security group
  2. Select the “Inbound Rules” tab
  3. Click “Edit”
  4. Add a new rule, select your protocol and port range. For “Source”, type or select your security group. Only VPC security groups within the same VPC can be used for this purpose.
  5. Click “Save”

Note, when selecting the security group, depending on the browser you’re using, the list may only appear once focus is in the “Source” edit box. It may also only appear if you start typing. Also, it may not appear at all. If this is the case, type in the source VPC security group’s identifier (e.g. sg-12345678).
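
One way to check the result of the VPC steps above, as an added example that is not part of the original answer: the code reads the `IpPermissions` list that `aws ec2 describe-security-groups` returns for the RDS instance's security group, reports whether the database port is open to the EC2 group, and lists every other source that can reach it. The group ID, port 5432 and the sample rules are constructed placeholders.

```python
DB_PORT = 5432  # PostgreSQL default port (assumption; use your instance's port)

def sg_source_rule(source_sg, port=DB_PORT):
    """IpPermissions entry allowing TCP `port` from members of `source_sg`.
    Same shape boto3's ec2.authorize_security_group_ingress(IpPermissions=[...]) takes."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
    }

def covers(perm, port):
    """True if a rule applies to TCP `port` ("-1" means all protocols and ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db_ingress(ip_permissions, app_sg, port=DB_PORT):
    """Return (app_sg_allowed, other_sources) for the database port."""
    allowed, others = False, []
    for perm in ip_permissions:
        if not covers(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg:
                allowed = True
            else:
                others.append(pair.get("GroupId"))
        # CIDR sources correspond to the console's Anywhere / Custom IP / My IP
        others += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        others += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return allowed, others

# Constructed sample: inbound rules of the RDS instance's VPC security group
APP_SG = "sg-0aaa1111"  # placeholder ID for the autoscaled EC2 group
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    print(audit_db_ingress(SAMPLE, APP_SG))
    print(audit_db_ingress(SAMPLE + [sg_source_rule(APP_SG)], APP_SG))
```

A result of `(True, [])` means the database port is reachable only from the EC2 group, so autoscaled instances gain access through group membership rather than through IP rules.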