问题描述
我目前正在尝试通过DMS设置从RDS(MySQL)到Redshift的复制.RDS的终结点正在运行,而Redshift的终结点没有运行.这是我的设置:
I'm currently trying so setup a replication from RDS (MySQL) to Redshift via DMS. The endpoint to RDS is working, but the one to Redshift is not. Here is my setup:
VPC
RDS,DMS和Redshift在同一VPC中运行并共享相同的子网.
RDS, DMS, and Redshift are running in the same VPC and share the same subnets.
角色
我实现了DMS所需的角色( dms-vpc-role
, dms-cloudwatch-logs-role
)和Redshift的特定角色( dms-access-for-endpoint
).
I implemented the required roles for DMS (dms-vpc-role
, dms-cloudwatch-logs-role
) and the specific one for Redshift (dms-access-for-endpoint
) according to the AWS documentation.
安全组
安全组设置也相同.RDS和Redshift都有两个安全组(空组和引用空组的入口).入口安全组的入站规则如下,缺省情况下,出站规则允许所有出站通信.
The security group setup is the same as well. Both RDS and Redshift have two security groups (empty one and ingress that references the empty one). Inbound rules of the ingress security group as follows, outbound rules default to allow all outgoing communication.
RDS:
Redshift:
复制实例设置
复制实例具有两个安全组.我认为复制实例本身将需要一个安全组,但是,我无法创建一个工作组.
The replication instance has both security groups. I figured that the replication instance itself will need a security group on its own, however, I cannot manage to create a working one.
写这篇文章之前我做了什么?
我已经测试了以下方案:
I have tested the following scenarios:
- 使用允许所有入站和出站流量的默认VPC安全组->两个端点都可以工作
- 创建了一个安全组,该安全组的TCP 3306(RDS)和5439(Redshift)的入站规则具有与上述RDS和Redshift安全组的连接-> RDS有效,Redshift不起作用
我收到以下错误,我将其解释为DMS无法调用任何形式的Redshift.
And I'm getting the following error that I interpret as DMS not being capable of calling Redshift of any sorts.
Test Endpoint failed: Application-Status: 1020912, Application-Message: N/A, Application-Detailed-Message: N/A
总体而言,它与默认VPC安全组一起工作的事实使我得出以下结论:(1)这是网络问题,(2)对复制实例安全组进行简单更改很可能会胜任.但是,经过无数次迭代,我不知道这里缺少什么.
Overall, the fact that it is working with the default VPC security group leads me to the conclusion that (1) it is a network issue and (2) that a simple change to the replication instance security group will probably do the job. However, after countless iterations, I have no idea what I'm missing here.
所有想法和建议均受到高度赞赏!
All ideas and suggestions are highly appreciated!
推荐答案
您的方案的典型安全组配置应为:
A typical Security Group configuration for your scenario should be:
- AWS DMS实例(
DMS-SG
)上的安全组,该安全组允许所有出站"(这是正常的默认设置)以及使用DMS所需的任何入站 - Amazon RDS实例(
RDS-SG
)上的安全组,允许来自DMS-SG
的端口3306上的入站流量 - Amazon Redshift实例(
Redshift-SG
)上的安全组,允许来自DMS-SG
的端口5439上的入站流量
- A security group on the AWS DMS instance (
DMS-SG
) that permits All Outbound (which is the normal default), plus whatever inbound you need to use DMS - A security group on the Amazon RDS instance (
RDS-SG
) that permits inbound traffic on port 3306 fromDMS-SG
- A security group on the Amazon Redshift instance (
Redshift-SG
) that permits inbound traffic on port 5439 fromDMS-SG
也就是说,DMS实例应具有其自己的安全组,该安全组可以从其他安全组引用.安全组分别应用于每个实例.具有相同"安全组的实例不会获得任何特殊的相互通信能力,除非通常将其专门添加到安全组中.
That is, the DMS instance should have its own security group that can be referenced from the other security groups. Security Groups apply to each instance individually. Instances that have the 'same' security group do not gain any special ability to communicate with each other unless it is specifically added as a rule to the security group.
这篇关于到Redshift的AWS DMS终端节点连接不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!