Setting up a VPC to connect to Amazon RDS data stores over JDBC for Amazon Glue
To let Amazon Glue reach your Amazon RDS data stores, you must set up access to them in Amazon VPC. For Amazon Glue components to communicate with each other, specify a security group with a self-referencing inbound rule for all TCP ports. Because the rule is self-referencing, its source is restricted to members of the same security group in the VPC rather than being open to all networks. The default security group for your VPC might already have a self-referencing inbound rule for ALL Traffic.
To set up access for Amazon RDS data stores
1. Sign in to the Amazon Web Services Management Console and open the Amazon RDS console at https://console.amazonaws.cn/rds/.

2. In the left navigation pane, choose Instances.

3. Choose the Amazon RDS Engine and DB Instance name that you want to access from Amazon Glue.

4. From Instance Actions, choose See Details. On the Details tab, find the Security Groups name you will access from Amazon Glue. Record the name of the security group for future reference.

5. Choose the security group to open the Amazon EC2 console.

6. Confirm that your Group ID from Amazon RDS is chosen, then choose the Inbound tab.

7. Add a self-referencing rule to allow Amazon Glue components to communicate. Specifically, add or confirm that there is a rule whose Type is All TCP, whose Protocol is TCP, whose Port Range includes all ports, and whose Source is the same security group as the Group ID. The inbound rule looks similar to this:

   Type      Protocol   Port range   Source
   All TCP   TCP        0–65535      database-security-group

8. Add a rule for outbound traffic also. Either open outbound traffic to all ports, for example:

   Type          Protocol   Port range   Destination
   All Traffic   ALL        ALL          0.0.0.0/0

   Or create a self-referencing rule whose Type is All TCP, whose Protocol is TCP, whose Port Range includes all ports, and whose Destination is the same security group as the Group ID. If using an Amazon S3 VPC endpoint, also add an HTTPS rule for Amazon S3 access. The s3-prefix-list-id is required in the security group rule to allow traffic from the VPC to the Amazon S3 VPC endpoint. For example:

   Type      Protocol   Port range   Destination
   All TCP   TCP        0–65535      security-group
   HTTPS     TCP        443          s3-prefix-list-id
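The steps above are a console procedure, so it is easy to end up with a group that is missing one of the rules, or with an inbound rule that is broader than the self-referencing one. The following is an added example, not code from the Amazon Glue documentation, that audits a security group description against the requirements in steps 7 and 8: a self-referencing All TCP inbound rule, and an outbound policy that is either All Traffic to 0.0.0.0/0 or a self-referencing All TCP rule plus HTTPS to the S3 prefix list. It assumes the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs and the prefix list ID are constructed placeholders.

```python
# Added example: audit a security group for the Glue/RDS rules in the
# procedure above. Input follows the `describe-security-groups` JSON shape;
# all identifiers below are constructed placeholders, not real resources.
import json

SELF_GROUP = "sg-0123456789abcdef0"      # placeholder group ID
OTHER_GROUP = "sg-0fedcba9876543210"     # placeholder group ID
S3_PREFIX_LIST = "pl-0123456789abcdef0"  # placeholder s3-prefix-list-id

# Constructed sample meeting step 7 and the self-referencing variant of step 8.
GOOD_GROUP = {
    "GroupId": SELF_GROUP, "GroupName": "database-security-group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
         "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": SELF_GROUP}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
         "PrefixListIds": [], "UserIdGroupPairs": [{"GroupId": SELF_GROUP}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": S3_PREFIX_LIST}], "UserIdGroupPairs": []},
    ],
}

# Constructed sample: no self-referencing inbound rule (step 7 fails), a
# world-reachable inbound rule, and the All Traffic egress variant of step 8.
OPEN_EGRESS_GROUP = {
    "GroupId": OTHER_GROUP, "GroupName": "database-security-group",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def _is_all_tcp(rule):
    """Console Type 'All TCP' is protocol tcp over ports 0-65535."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)


def _references_group(rule, group_id):
    """True when the rule's source/destination is the group itself."""
    return any(p.get("GroupId") == group_id for p in rule.get("UserIdGroupPairs", []))


def _is_all_traffic_anywhere(rule):
    """Console Type 'All Traffic' is protocol -1 with no ports."""
    return (rule.get("IpProtocol") == "-1"
            and any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])))


def _is_https_to_prefix_list(rule, prefix_list_id):
    """HTTPS (tcp/443) whose destination is the S3 endpoint prefix list."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == 443 and rule.get("ToPort") == 443
            and any(p.get("PrefixListId") == prefix_list_id
                    for p in rule.get("PrefixListIds", [])))


def audit_group(group, s3_prefix_list_id=None):
    """Report which requirements the group meets. Pass the S3 endpoint's
    prefix list ID when one is in use; the self-referencing egress variant
    then also needs the HTTPS rule."""
    gid = group["GroupId"]
    inbound = group.get("IpPermissions", [])
    egress = group.get("IpPermissionsEgress", [])

    inbound_self_ref = any(_is_all_tcp(r) and _references_group(r, gid) for r in inbound)
    open_egress = any(_is_all_traffic_anywhere(r) for r in egress)
    self_ref_egress = any(_is_all_tcp(r) and _references_group(r, gid) for r in egress)
    https_to_s3 = (s3_prefix_list_id is None
                   or any(_is_https_to_prefix_list(r, s3_prefix_list_id) for r in egress))
    # Not part of the procedure: count inbound rules open to 0.0.0.0/0 so the
    # reviewer sees anything broader than the self-referencing rule.
    world_open_inbound = sum(
        1 for r in inbound
        if any(x.get("CidrIp") == "0.0.0.0/0" for x in r.get("IpRanges", [])))

    return {
        "inbound_self_ref": inbound_self_ref,
        "outbound_ok": open_egress or (self_ref_egress and https_to_s3),
        "outbound_mode": ("all-traffic" if open_egress
                          else "self-ref" if self_ref_egress else "none"),
        "world_open_inbound_rules": world_open_inbound,
    }


def audit_describe_output(text, s3_prefix_list_id=None):
    """Audit every group in a describe-security-groups JSON document."""
    doc = json.loads(text)
    return {g["GroupId"]: audit_group(g, s3_prefix_list_id) for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    sample = json.dumps({"SecurityGroups": [GOOD_GROUP, OPEN_EGRESS_GROUP]})
    for group_id, result in audit_describe_output(sample, S3_PREFIX_LIST).items():
        print(group_id, result)
```

Feed it the saved output of `aws ec2 describe-security-groups --group-ids <your-group-id>` and the prefix list ID of your S3 endpoint; a group passes when `inbound_self_ref` and `outbound_ok` are both true, and `world_open_inbound_rules` should normally be zero for a database security group.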