Amazon Cassandra connection timeout on EC2 instance (Elastic Beanstalk)

I cannot connect to Amazon managed Cassandra (Keyspaces) from my EC2 instance. The EC2 instance is in a private subnet of a VPC with a VPC endpoint for Keyspaces.

EC2 outbound rules:

All TCP 0.0.0.0/0

VPC Endpoint inbound rules:

Custom TCP  TCP 9142    0.0.0.0/0

VPC Endpoint outbound rules:

Custom TCP  TCP 9142    0.0.0.0/0

These rules might actually be too permissive.

C# driver error:

Cassandra.NoHostAvailableException: 
  All hosts tried for query failed (tried 10.16.192.201:9142: 
    TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.'; 10.16.224.203:9142: 
      TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.')

I can SSH into the EC2.

The DNS seems correct:

$ nslookup cassandra.eu-west-2.amazonaws.com 
Server:     10.16.0.2
Address:    10.16.0.2#53

Non-authoritative answer:
Name:   cassandra.eu-west-2.amazonaws.com
Address: 10.16.192.201
Name:   cassandra.eu-west-2.amazonaws.com
Address: 10.16.224.203

I cannot curl the endpoint (timeout):

$ curl cassandra.eu-west-2.amazonaws.com:9142

And Telnet:

$ sudo yum -y install telnet

$ telnet cassandra.eu-west-2.amazonaws.com 
Trying 10.16.192.201...
^C 

# Gave up after 60s

The security group for the VPC endpoint allows 9142 traffic to/from anywhere. The security group for the EC2 instance allows egress to anywhere.

How can I connect to Cassandra?


Update

After adding the VPC endpoint to the public subnet, I can now do:

$ telnet cassandra.eu-west-2.amazonaws.com 9142
Trying 10.16.224.203...
Connected to cassandra.eu-west-2.amazonaws.com.
Escape character is '^]'.

Update

I can connect if the certificate revocation check is disabled.

sslOptions.SetCertificateRevocationCheck(false);

This makes me think that the issue is the connectivity from the EC2 to wherever the CRL is hosted. However, I don't want to move my EC2 to a public VPC, so what is a good strategy here?

Question from: https://stackoverflow.com/questions/65923843/amazon-cassandra-connection-timeout-on-ec2-instance-elastic-beanstalk
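The reasoning in the last update (the handshake only completes once revocation checking is off, so the CRL or OCSP fetch is what hangs) can be confirmed without weakening the driver. The following is an added diagnostic, not code from the question, from the answer, or from AWS: it captures the Keyspaces server chain with revocation checking off, rebuilds the chain with online revocation and a short URL timeout, lists the CRL/OCSP URLs the check needs (these are the hosts that egress from the private subnet must reach, via a NAT gateway, proxy or allow-list), and shows the driver configured with the check kept on. It assumes .NET 7 or later (for X509AuthorityInformationAccessExtension), the DataStax C# driver used in the question (SSLOptions, Cluster.Builder), the eu-west-2 endpoint from the question as a placeholder, and placeholder credentials; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Cassandra;

static class KeyspacesTlsCheck   // hypothetical name, added example
{
    // Step 1: capture the server's chain with revocation checking OFF so the handshake
    // completes even from a subnet that cannot reach the CA's CRL/OCSP hosts.
    static async Task<List<X509Certificate2>> FetchChainAsync(string host, int port)
    {
        var captured = new List<X509Certificate2>();
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false,
            (sender, cert, chain, errors) =>
            {
                if (chain == null) return false;
                foreach (var el in chain.ChainElements)               // copy the certs: the chain
                    captured.Add(new X509Certificate2(el.Certificate.RawData)); // is disposed afterwards
                return true;   // diagnostic only; the real validation happens in CheckRevocation
            });
        await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = host,
            CertificateRevocationCheckMode = X509RevocationMode.NoCheck,
        });
        return captured;
    }

    // Step 2: rebuild the chain with ONLINE revocation checking and a short URL timeout.
    // RevocationStatusUnknown / OfflineRevocation means the CRL or OCSP responder could not be
    // fetched (the egress problem); any other flag means the chain itself is not trusted.
    static X509ChainStatusFlags CheckRevocation(List<X509Certificate2> certs, TimeSpan urlTimeout)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.UrlRetrievalTimeout = urlTimeout;   // fail fast instead of hanging for 60 s
        for (int i = 1; i < certs.Count; i++) chain.ChainPolicy.ExtraStore.Add(certs[i]);
        chain.Build(certs[0]);
        var flags = X509ChainStatusFlags.NoError;
        foreach (var s in chain.ChainStatus) flags |= s.Status;
        return flags;
    }

    // Step 3: the URLs the check needs. CRL distribution points (OID 2.5.29.31) are decoded by
    // hand with System.Formats.Asn1; OCSP responders come from the AIA extension (.NET 7+).
    static IEnumerable<string> RevocationUrls(X509Certificate2 cert)
    {
        var ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0);
        var uriTag = new Asn1Tag(TagClass.ContextSpecific, 6);   // GeneralName.uniformResourceIdentifier
        foreach (var ext in cert.Extensions)
        {
            if (ext.Oid?.Value == "1.3.6.1.5.5.7.1.1")
                foreach (var u in new X509AuthorityInformationAccessExtension(ext.RawData).EnumerateOcspUris())
                    yield return u;
            if (ext.Oid?.Value != "2.5.29.31") continue;
            var dps = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence(); // CRLDistributionPoints
            while (dps.HasData)
            {
                var dp = dps.ReadSequence();                                           // DistributionPoint
                if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(ctx0)) continue; // no distributionPoint [0]
                var dpName = dp.ReadSequence(ctx0);                                    // [0] EXPLICIT DistributionPointName
                if (!dpName.HasData || !dpName.PeekTag().HasSameClassAndValue(ctx0)) continue; // only fullName has URIs
                var names = dpName.ReadSequence(ctx0);                                 // [0] IMPLICIT GeneralNames
                while (names.HasData)
                    if (names.PeekTag().HasSameClassAndValue(uriTag))
                        yield return names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag);
                    else
                        names.ReadEncodedValue();                                      // skip non-URI names
            }
        }
    }

    // Step 4: once those hosts are reachable, keep the check ON in the driver. The resolver maps
    // node IPs back to the endpoint name so hostname verification uses the certificate's DNS name.
    static Cluster BuildCluster(string host, string user, string password)
    {
        var sslOptions = new SSLOptions().SetCertificateRevocationCheck(true).SetHostNameResolver(_ => host);
        return Cluster.Builder().AddContactPoint(host).WithPort(9142)
            .WithAuthProvider(new PlainTextAuthProvider(user, password))
            .WithSSL(sslOptions).Build();
    }

    static async Task Main()
    {
        const string host = "cassandra.eu-west-2.amazonaws.com";   // placeholder: endpoint from the question
        var certs = await FetchChainAsync(host, 9142);
        foreach (var c in certs)
            foreach (var u in RevocationUrls(c)) Console.WriteLine($"{c.Subject} needs egress to {u}");
        var flags = CheckRevocation(certs, TimeSpan.FromSeconds(5));
        var offline = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        Console.WriteLine(flags == X509ChainStatusFlags.NoError ? "chain trusted, revocation verified"
            : (flags & offline) != 0 ? $"revocation data unreachable ({flags}): fix egress, do not disable the check"
            : $"chain NOT trusted ({flags})");
    }
}
```

Run it from the private-subnet instance: the printed URLs are exactly what the NAT gateway, proxy or egress rule must allow on port 80 (CRLs and OCSP are served over plain HTTP), and the final line tells you whether the remaining problem is reachability or trust. Disabling the revocation check, as in the second update, makes a revoked server certificate indistinguishable from a valid one, so it is a workaround to use only while egress is being fixed.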


1 Reply


I think you need a key to connect to Cassandra, as per the documentation "Using a Cassandra .NET Core Client Driver to Access Amazon Keyspaces Programmatically":

$client = new-object System.Net.WebClient
$client.DownloadFile("https://www.amazontrust.com/repository/AmazonRootCA1.pem","path_to_fileAmazonRootCA1.pem")
