Connect Kubernetes container to RDS instance in separate VPC

Question

Connect Kubernetes container to RDS instance in separate VPC

I have a Kubernetes cluster running on Amazon EC2 inside my own VPC, and I'm trying to connect Dockerized services to an RDS database (which is in a different VPC). I computed the peering entries and the routing tables so that I could do this from minion machines:

ubuntu@minion1 :~$ psql -h <rds-instance-name> Password:

So everything works. The problem is that when I try to make this connection from inside a container managed by Kubernetes, I get a timeout:

 ubuntu@pod-1234 :~$ psql -h <rds-instance-name> …

To connect the minion, I configured a peer-to-peer connection, configured routing tables from Kubernetes VPC so that 10.0.0.0/16 (CIDR for RDS VPC) matches the peer-to-peer connection and updated the protection of the RDS instance to allow traffic to port 5432 from the address range 172.20.0.0/16 (CIDR for VPC Kubernete).

+4

docker amazon -vpc amazon-rds kubernetes

Ben straub Aug 12 '15 at 17:49

source share

2 answers

Have you also changed the source and target checks?

Since your instance will send and receive traffic for IP addresses other than that assigned to your subnet, you need to disable source / destination checks.

See image: https://coreos.com/assets/images/media/aws-src-dst-check.png

+1

preillyme Aug 13 '15 at 21:35

source share

Ben straub · Accepted Answer · 2015-08-19T21:53:34+0000

With the help of Kelsey Hightower, I solved the problem. Turns out it was a Docker routing problem. I wrote up the details in a blog post , but on the bottom line to modify the minions routing table as follows:

 $ sudo iptables -t nat -I POSTROUTING -d <RDS-IP-ADDRESS>/32 -o eth0 -j MASQUERADE

Connect Kubernetes container to RDS instance in separate VPC

More articles: