VPC Connection to multiple subnets (Aurora cluster)

One of my primary data sources is a private two-node Aurora cluster in a VPC. The nodes are in different subnets, which means that sometimes the RO-instance is in -1a and sometimes -1b. I can only specify a single subnet in the QS VPC Connections, so refreshes fail if the nodes swap roles. Unfortunately, and for reasons unknown, the nodes swap roles fairly often (1-2/week).

Is there any reasonable work-around I’m not thinking of? The only “solution” I have is to edit the data source after a failure and switch it to the other VPC Connection, then redo the refreshes.

Thanks for any insight,
Tim


In theory, once you set up the VPC connection in QS, QS creates a network interface (ENI) in the specified subnet, and all IPs within the VPC (regardless of the subnets) should be reachable because the route table has a local route, assuming Security Groups are properly configured. Did you follow these recommendations? Are you mapping to the DNS name of the read endpoint of RDS, or specifically to each node? See: Create a private connection from Amazon QuickSight to Redshift or RDS

Let us know if you were unable to resolve the issue

Thanks, Pablito, and sorry for the delayed response. I went back through everything and discovered one missing part of the setup–adding the QS SG to the inbound rules on the RDS SG–which would explain why it wasn’t able to go cross-subnet. (The existing inbound rule allowing the VPC’s CIDR was just enough to allow same-subnet traffic for a partially-working setup.)

I can’t verify the update was the full fix until the cluster swaps the instances’ roles again, but I’m confident it will be. Thanks again.

So the cluster swapped its instance roles again. Unfortunately, explicitly adding the SG to the outbound rules didn’t add any capability not already covered by the allowed CIDR of the VPC rule. Best I can tell, there’s no route between the two subnets that each of the Aurora cluster instances occupies.

So, when my QS VPC Connection is using the -1a subnet, it’s still unable to communicate with the instance that’s in -1b. And yes, the connection is defined to the cluster’s read-only endpoint, not the instance name. What’s evident in the instructions linked by pablito is that there’s never any mention of the possibility that the data source can move between subnets, as mine is doing when the cluster switches the instances’ roles.

Unfortunately, my network configuration skills are too limited to go mucking around with the route tables, not to mention my DevOps team wouldn’t be too happy. So, unless anybody has something safe and straightforward to check in that regard, I’ll continue to manually switch the subnet my QS VPC Connection is using.
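The reachability question the last few posts circle around (local route, security-group references versus CIDR rules, and what else can block traffic between two subnets of the same VPC) can be checked offline before anyone touches a live route table. The following Python script is an added example, not code from this thread or from AWS: it walks the forward TCP path from a QuickSight ENI to an Aurora instance over a constructed topology laid out in the shape of EC2 describe-* output. All subnet, route-table, ACL and security-group IDs and CIDRs are assumptions. It goes beyond the thread in one respect: besides route tables and security groups it also evaluates subnet network ACLs, which are the usual reason two subnets with a working local route still cannot talk.

```python
import ipaddress

# Constructed sample topology (assumption, not from the thread): one QuickSight ENI
# subnet in -1a and the two Aurora subnets in -1a and -1b, all in one VPC.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "subnet-qs-1a": {"cidr": "10.0.1.0/24", "rtb": "rtb-main", "nacl": "acl-open"},
    "subnet-db-1a": {"cidr": "10.0.10.0/24", "rtb": "rtb-main", "nacl": "acl-open"},
    "subnet-db-1b": {"cidr": "10.0.11.0/24", "rtb": "rtb-main", "nacl": "acl-db-1b"},
}
# Every VPC route table carries the implicit local route for the VPC CIDR.
ROUTE_TABLES = {"rtb-main": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]}
ALLOW_ALL = {"RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "-1"}
NACLS = {
    "acl-open": [dict(ALLOW_ALL, RuleNumber=100, Egress=False),
                 dict(ALLOW_ALL, RuleNumber=100, Egress=True)],
    # Constructed "database subnet" ACL: only the other DB subnet may talk in, so a
    # QuickSight ENI placed anywhere else hits the catch-all deny.
    "acl-db-1b": [
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow",
         "CidrBlock": "10.0.10.0/24", "Protocol": "-1"},
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0", "Protocol": "-1"},
        dict(ALLOW_ALL, RuleNumber=100, Egress=True),
    ],
}
SECURITY_GROUPS = {
    "sg-qs": {"ingress": [],
              "egress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                          "UserIdGroupPairs": []}]},
    # Referencing the QuickSight group by ID matches its ENI whatever subnet it sits in.
    "sg-rds": {"ingress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-qs"}]}],
               "egress": []},
    # A stale group that still references a group QuickSight no longer uses.
    "sg-rds-stale": {"ingress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                  "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-old"}]}],
                     "egress": []},
}


def _covers(rule_cidr, peer_cidr):
    # The peer subnet must lie entirely inside the rule's block (partial overlaps are
    # treated as no match, a simplification of per-packet evaluation).
    return ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def sg_allows(sg_id, direction, port, peer_cidr, peer_sg):
    """True if any ingress/egress rule of the group permits TCP `port` from/to the peer."""
    for rule in SECURITY_GROUPS[sg_id][direction]:
        proto_ok = rule["IpProtocol"] in ("-1", "tcp")
        port_ok = rule["IpProtocol"] == "-1" or rule["FromPort"] <= port <= rule["ToPort"]
        peer_ok = (any(p["GroupId"] == peer_sg for p in rule["UserIdGroupPairs"])
                   or any(_covers(r["CidrIp"], peer_cidr) for r in rule["IpRanges"]))
        if proto_ok and port_ok and peer_ok:
            return True
    return False


def nacl_allows(acl_id, egress, peer_cidr, port):
    """Evaluate NACL entries in RuleNumber order; the first match decides, default deny."""
    rules = sorted((r for r in NACLS[acl_id] if r["Egress"] == egress),
                   key=lambda r: r["RuleNumber"])
    for r in rules:
        if not _covers(r["CidrBlock"], peer_cidr) or r["Protocol"] not in ("-1", "6"):
            continue  # 6 is the IP protocol number for TCP
        pr = r.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return r["RuleAction"] == "allow"
    return False


def has_local_route(rtb_id):
    return any(r["DestinationCidrBlock"] == VPC_CIDR and r["GatewayId"] == "local"
               for r in ROUTE_TABLES[rtb_id])


def check_path(src_subnet, src_sg, dst_subnet, dst_sg, port=3306):
    """Return the findings that block TCP `port` from the QS ENI to the DB instance.

    Only the forward direction is modelled; an empty list means nothing in the
    route tables, security groups or NACLs stops the connection attempt.
    """
    src, dst = SUBNETS[src_subnet], SUBNETS[dst_subnet]
    findings = []
    for rtb in {src["rtb"], dst["rtb"]}:
        if not has_local_route(rtb):
            findings.append(f"{rtb}: no local route for {VPC_CIDR}")
    if not sg_allows(src_sg, "egress", port, dst["cidr"], dst_sg):
        findings.append(f"{src_sg}: egress does not allow tcp/{port} to {dst['cidr']}")
    if not nacl_allows(src["nacl"], True, dst["cidr"], port):
        findings.append(f"{src['nacl']}: egress denies tcp/{port} to {dst['cidr']}")
    if not nacl_allows(dst["nacl"], False, src["cidr"], port):
        findings.append(f"{dst['nacl']}: ingress denies tcp/{port} from {src['cidr']}")
    if not sg_allows(dst_sg, "ingress", port, src["cidr"], src_sg):
        findings.append(f"{dst_sg}: ingress does not allow tcp/{port} from {src_sg} ({src['cidr']})")
    return findings


if __name__ == "__main__":
    for db_subnet in ("subnet-db-1a", "subnet-db-1b"):
        print(db_subnet, check_path("subnet-qs-1a", "sg-qs", db_subnet, "sg-rds") or "reachable")
```

Run against real data by replacing the constructed dictionaries with the output of `describe-subnets`, `describe-route-tables`, `describe-network-acls` and `describe-security-groups`; the point of the walk is that a same-subnet success combined with a cross-subnet failure, with the local route present and the DB group referencing the QuickSight group by ID, leaves the NACL on the database subnet as the next thing to read.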

Have you checked your QuickSight subnet outbound rules to make sure you are allowing cross-subnet routing?

Thank you for the suggestion. Unfortunately, my DevOps/AWS person isn’t wanting to change anything and is even viewing QuickSight’s direct VPC connection into the “database subnet” as a potential risk. I suppose this will continue to remain unresolved so long as AWS isn’t able to automatically configure the rules for cross-subnet Aurora clusters. 🙁

I’ll mark as a feature request. Thanks