I cannot connect to Amazon managed Cassandra (Keyspaces) from my EC2 instance. The EC2 instance is in a private subnet of a VPC with a VPC endpoint for Keyspaces.
EC2 outbound rules:
All TCP 0.0.0.0/0
VPC Endpoint inbound rules:
Custom TCP TCP 9142 0.0.0.0/0
VPC Endpoint outbound rules:
Custom TCP TCP 9142 0.0.0.0/0
These rules might actually be too permissive.
C# driver error:
Cassandra.NoHostAvailableException:
All hosts tried for query failed (tried 10.16.192.201:9142:
TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.'; 10.16.224.203:9142:
TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.')
I can SSH into the EC2.
The DNS seems correct:
$ nslookup cassandra.eu-west-2.amazonaws.com
Server: 10.16.0.2
Address: 10.16.0.2#53
Non-authoritative answer:
Name: cassandra.eu-west-2.amazonaws.com
Address: 10.16.192.201
Name: cassandra.eu-west-2.amazonaws.com
Address: 10.16.224.203
I cannot curl the endpoint (timeout):
$ curl cassandra.eu-west-2.amazonaws.com:9142
And Telnet:
$ sudo yum -y install telnet
$ telnet cassandra.eu-west-2.amazonaws.com
Trying 10.16.192.201...
^C
# Gave up after 60s
The security group for the VPC endpoint allows 9142 traffic to/from anywhere. The security group for the EC2 instance allows egress to anywhere.
How can I connect to Cassandra?
Update
After adding the VPC endpoint to the public subnet, I can now do:
$ telnet cassandra.eu-west-2.amazonaws.com 9142
Trying 10.16.224.203...
Connected to cassandra.eu-west-2.amazonaws.com.
Escape character is '^]'.
Update
I can connect if the certificate revocation check is disabled.
sslOptions.SetCertificateRevocationCheck false
This makes me think that the issue is the connectivity from the EC2 to wherever the CRL is hosted. However, I don't want to move my EC2 to a public VPC, so what is a good strategy here?
question from:
https://stackoverflow.com/questions/65923843/amazon-cassandra-connection-timeout-on-ec2-instance-elastic-beanstalk
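One way to test the hypothesis in the last update, as an added example that is not part of the original question: it reads the CRL, OCSP and CA-issuer URLs out of the endpoint's certificate and checks whether the instance can open a TCP connection to each. `SAMPLE_CERT` and its hosts are constructed, the function names are hypothetical, and the script assumes the system trust store includes the endpoint's issuing CA.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Keys ssl.SSLSocket.getpeercert() uses for URLs a validator may fetch over HTTP.
FETCH_KEYS = ("crlDistributionPoints", "OCSP", "caIssuers")
# Constructed sample in getpeercert() format (hypothetical hosts, not the real certificate).
SAMPLE_CERT = {
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
    "OCSP": ("http://ocsp.example.test",),
    "caIssuers": ("http://crt.example.test/ca.cer", "ldap://dir.example.test/cn=ca"),
}

def revocation_endpoints(cert):
    """Return sorted, de-duplicated (kind, host, port) tuples for HTTP(S) URLs."""
    found = set()
    for key in FETCH_KEYS:
        for url in cert.get(key, ()):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                continue  # skip ldap:// and malformed entries
            port = parts.port or (443 if parts.scheme == "https" else 80)
            found.add((key, parts.hostname, port))
    return sorted(found)

def fetch_peer_cert(host, port, timeout=5.0):
    """Handshake using the system trust store (assumed to include the issuing CA)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def can_connect(host, port, timeout=5.0):
    """True if a TCP connection opens before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def report(cert, probe=can_connect):
    """Map each endpoint to whether this host can reach it."""
    return {ep: probe(ep[1], ep[2]) for ep in revocation_endpoints(cert)}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "cassandra.eu-west-2.amazonaws.com"
    for (kind, h, p), ok in report(fetch_peer_cert(host, 9142)).items():
        print(f"{kind:22} {h}:{p} {'reachable' if ok else 'no TCP connection'}")
```

An endpoint reported with no TCP connection is one the private subnet currently has no route to, which is where a revocation check would stall.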