Running Amazon Linux 2, installed Apache, PHP, PHP-MySQL, and WordPress. This AMI is using an AWS security group called WebDMZ, say.
Created a MySQL DB in Amazon RDS which also uses AWS security group WebDMZ. I copied db_name, db_user, db_pass, db_hostname to /var/www/html/wp-config.php.
At www.example.com/wp-admin/install.php I receive:

Error establishing a database connection. Connection timed out
If both Amazon Linux 2 & MySQL are in the same security group, shouldn't they be able to communicate with each other?
Help appreciated.
Edit: I found that if I added an inbound rule to allow MySQL connections from anywhere, the install proceeded, but I doubt this is a safe way to go?
Nope.
You have to explicitly permit access for members of the security group. Security Groups can open access based on IP ranges (xx.xx.xx.xx/xx) or access from other security groups. That's what you want to do.
Say that your WebDMZ group id is sg-1234abcd - you'll have to add a rule that opens access to TCP port 3306 from group sg-1234abcd. Simply type that into the field that usually asks for an IP address. By self-referencing the security group in the rule you open access to the members of the group.
Hope that helps :)
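To make the self-referencing rule concrete, here is an added example (not code from either answer) that builds the rule in the structure boto3's ec2.authorize_security_group_ingress accepts, audits a describe-security-groups entry for MySQL opened to the world, and returns a tightened copy of the group. The group id sg-1234abcd is taken from the answer above; the SAMPLE_GROUP data is constructed to mirror the question's "from anywhere" rule.

```python
MYSQL_PORT = 3306
WORLD = ("0.0.0.0/0", "::/0")

def self_reference_rule(group_id, port=MYSQL_PORT):
    """IpPermissions entry allowing TCP `port` from members of `group_id` itself.
    This is what boto3's ec2.authorize_security_group_ingress(GroupId=group_id,
    IpPermissions=[...]) accepts; the CLI equivalent is --source-group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group_id}]}

def audit_mysql_ingress(group):
    """From a describe-security-groups entry, list CIDRs that open the MySQL
    port to the world and say whether the group already references itself."""
    world_open, self_ref = [], False
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue  # only TCP (or all-traffic) rules can reach MySQL
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= MYSQL_PORT <= hi:
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            if cidr in WORLD:
                world_open.append(cidr)
        for pair in perm.get("UserIdGroupPairs", []):
            self_ref |= pair.get("GroupId") == group["GroupId"]
    return {"world_open": world_open, "self_referencing": self_ref}

def tighten(group):
    """Copy of `group` with world-open MySQL rules dropped and the
    self-referencing rule added, as the answer above recommends."""
    kept = [p for p in group["IpPermissions"]
            if not (p.get("FromPort") == MYSQL_PORT and any(
                r.get("CidrIp") in WORLD for r in p.get("IpRanges", [])))]
    return dict(group, IpPermissions=kept + [self_reference_rule(group["GroupId"])])

# Constructed describe-security-groups entry mirroring the question: HTTP open
# to the world (expected for a web DMZ) and MySQL opened "from anywhere".
SAMPLE_GROUP = {
    "GroupId": "sg-1234abcd", "GroupName": "WebDMZ",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
```

Running audit_mysql_ingress on SAMPLE_GROUP flags 0.0.0.0/0 on 3306 with no self-reference; running it on tighten(SAMPLE_GROUP) reports no world-open CIDRs and a self-referencing rule.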
You are correct, that is not safe.
Your inbound rule should only allow your web server to connect in on the MySQL port (identified by the internal IP), no other server should be able to communicate with the database on that port (unless you start using it for other services).
The proper configuration should be that your WordPress server faces the world, but then uses an internal VPC to communicate to the MySQL server. This keeps the database isolated from the Internet.