Improved Question:

Scenario:
I have two VPCs: vpc1 and vpc2 connected through an established VPC peering connection. A service runs within vpc1 and needs to access an RDS database in vpc2.
Goal:
Grant secure access to the RDS database in vpc2 from the service in vpc1 solely using security groups.
Current Approach:
VPC1:
  // Security group attached to the Fargate tasks in vpc1; the RDS rule in vpc2
  // references this group, so it must be resolvable (by name or ID) from that stack.
  const securityGroup = new ec2.SecurityGroup(this, 'mysg', {
    vpc,
  });
  const fargateService = new ApplicationLoadBalancedFargateService(this, 'MyService', {
    cluster,
    taskImageOptions: {
      ...,
    },
    cpu: 512,
    memoryLimitMiB: 1024,
    taskSubnets: {
      // PRIVATE_WITH_NAT is the deprecated alias of PRIVATE_WITH_EGRESS in current CDK v2
      subnets: vpc.selectSubnets({ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }).subnets,
    },
    loadBalancer: lb,
    certificate,
    securityGroups: [securityGroup],
  });
VPC2:
  // Looks up the vpc1 group by its security-group name; this only resolves if the
  // group in vpc1 was created with securityGroupName: 'PlatformServiceSecurityGroup'
  // (the VPC1 snippet above does not set securityGroupName).
  const mySG = ec2.SecurityGroup.fromLookupByName(
    this,
    'DbAccessSecurityGroup',
    'PlatformServiceSecurityGroup',
    legacyVPC // vpc1
  );
  const dbSecurityGroup = new ec2.SecurityGroup(this, 'DbSecurityGroup', {
    vpc,
  });
  // Ingress on the PostgreSQL port from the vpc1 group only; CDK emits this as a
  // SourceSecurityGroupId reference, which is valid over same-region peering.
  dbSecurityGroup.addIngressRule(mySG, ec2.Port.tcp(5432), 'Allow access');
  new rds.DatabaseInstance(this, 'mydb', {
    ...,
    securityGroups: [dbSecurityGroup],
  });
VPC peering is already set up in another stack.
Is it possible to achieve this solely using security groups, or are there any other recommended approaches for secure communication across VPCs?
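Added example, not code from the question or from the CDK project: a pre-flight check for the security-group-only design described above. It models the facts you would read back from `describe-security-groups` and `describe-vpc-peering-connections` and produces the property set of an `AWS::EC2::SecurityGroupIngress` resource for the database's group (the same rule `addIngressRule` synthesizes), refusing the cases where a security-group reference across peering cannot work. All IDs, account numbers and the region are constructed placeholders; the function and interface names are hypothetical.

```typescript
// Added example (not from the original question): pre-flight check for a
// security-group-based RDS ingress rule across a VPC peering connection.

interface SecurityGroupRef {
  groupId: string;
  vpcId: string;
  ownerId: string; // AWS account ID that owns the group
  region: string;
}

interface VpcSide {
  vpcId: string;
  ownerId: string;
  region: string;
}

interface PeeringConnection {
  requester: VpcSide;
  accepter: VpcSide;
  status: string; // "active" once both sides have accepted
}

// Properties of an AWS::EC2::SecurityGroupIngress resource.
interface IngressRuleProps {
  GroupId: string;
  IpProtocol: 'tcp';
  FromPort: number;
  ToPort: number;
  SourceSecurityGroupId: string;
  SourceSecurityGroupOwnerId?: string;
  Description: string;
}

function buildPeeredIngressRule(
  dbSg: SecurityGroupRef,
  serviceSg: SecurityGroupRef,
  peering: PeeringConnection,
  port = 5432,
): IngressRuleProps {
  // The peering must join exactly these two VPCs and be active.
  const peered = new Set([peering.requester.vpcId, peering.accepter.vpcId]);
  if (!peered.has(dbSg.vpcId) || !peered.has(serviceSg.vpcId)) {
    throw new Error(`peering does not connect ${dbSg.vpcId} and ${serviceSg.vpcId}`);
  }
  if (peering.status !== 'active') {
    throw new Error(`peering connection is "${peering.status}", not active`);
  }
  // A security group can only be referenced across a peering within one region;
  // inter-region peering has to fall back to CIDR-based rules.
  if (dbSg.region !== serviceSg.region) {
    throw new Error('security-group references are not supported over inter-region peering');
  }
  // Least-privilege rule: one TCP port, source = the service's group only
  // (not the whole peer VPC CIDR), so only tasks carrying that group can connect.
  const rule: IngressRuleProps = {
    GroupId: dbSg.groupId,
    IpProtocol: 'tcp',
    FromPort: port,
    ToPort: port,
    SourceSecurityGroupId: serviceSg.groupId,
    Description: `PostgreSQL from ${serviceSg.groupId} over VPC peering`,
  };
  // Across accounts a group ID is only unambiguous together with its owner,
  // so the rule must carry SourceSecurityGroupOwnerId.
  if (serviceSg.ownerId !== dbSg.ownerId) {
    rule.SourceSecurityGroupOwnerId = serviceSg.ownerId;
  }
  return rule;
}

// Constructed sample inputs (placeholder IDs and account numbers, not real resources).
const serviceSg: SecurityGroupRef = {
  groupId: 'sg-0service000000001', vpcId: 'vpc-0vpc1000000000001',
  ownerId: '111111111111', region: 'eu-west-1',
};
const dbSg: SecurityGroupRef = {
  groupId: 'sg-0db00000000000001', vpcId: 'vpc-0vpc2000000000002',
  ownerId: '111111111111', region: 'eu-west-1',
};
const peering: PeeringConnection = {
  requester: { vpcId: 'vpc-0vpc1000000000001', ownerId: '111111111111', region: 'eu-west-1' },
  accepter: { vpcId: 'vpc-0vpc2000000000002', ownerId: '111111111111', region: 'eu-west-1' },
  status: 'active',
};

// The layout from the question: both VPCs in one account and one region.
function sameAccountRule(): IngressRuleProps {
  return buildPeeredIngressRule(dbSg, serviceSg, peering);
}

// Same layout, but the service's group lives in a second account.
function crossAccountRule(): IngressRuleProps {
  const foreignServiceSg: SecurityGroupRef = { ...serviceSg, ownerId: '222222222222' };
  return buildPeeredIngressRule(dbSg, foreignServiceSg, peering);
}

console.log(JSON.stringify(sameAccountRule(), null, 2));
```

The check mirrors what the CDK snippet relies on implicitly: the rule is valid only when the peering is active and both groups sit in the same region, and it needs the owner account in addition to the group ID as soon as the groups are in different accounts. Using the group as the source keeps the rule narrower than allowing the peer VPC's CIDR, which would admit every host in vpc1.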