Tags: amazon-web-services, network-programming, amazon-rds, amazon-vpc, aws-security-group

AWS Public RDS within VPC Not Reachable


I've been trying to use RDS within a VPC, with the public IP enabled, and for some reason I can't figure out why one VPC (prod) has issues, whereas the other (non-prod) works just fine. I set up non-prod a few months ago, and don't recall anything fancy I did -- there are no network firewalls within this tenant either.

Similarities:

Differences:

I was looking to do some sort of logging for the VPC, as answered in this question, but I don't think it's showing up, potentially because the RDS instance has a public IP which bypasses traveling within the VPC?

Questions for sanity:

(1) is my assumption about public IP correct, and this wouldn't show up in the CloudWatch logs due to that?

(2) are there any other things I could check in terms of logs?

EDIT: by default, Security Groups on VPCs have a source such as sg-015ed4c212353asd7c / default. This self-reference to all things within the sec group is the rightmost column and sometimes hard to see, but is what the rule applies to. If you need to open up traffic to all IPs, this needs to be set to 0.0.0.0/0. If you want just your IP, you can do A.B.C.D/32.
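The EDIT above describes the usual cause of this symptom: the VPC default security group admits only traffic whose source is the group itself, so nothing outside the VPC matches it until a CIDR source is added. The following is an added example, not code from the original post. It audits rules in the shape boto3's `ec2.describe_security_groups()` returns under `IpPermissions` and classifies each source that can reach a database port. The sample group is constructed; the group id `sg-0123456789abcdef0`, the account id and the addresses are placeholders.

```python
"""Audit which sources a security group admits on a database port.

Added example, not from the original post. It reads rules in the shape
boto3's ec2.describe_security_groups() returns under "IpPermissions" and
classifies each source for one port: the group itself (the default
self-reference the post describes), another group, a single /32, a
wider CIDR, or the whole internet (0.0.0.0/0). The group below is
constructed; sg-0123456789abcdef0 and the account id are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    port: int
    source: str   # group id or CIDR
    kind: str     # "self", "group", "host", "cidr", "anywhere"
    risk: str     # "ok", "review", "high"


def rule_covers_port(rule, port):
    """True if an IpPermissions entry applies to TCP traffic on `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_ingress(group_id, ip_permissions, port):
    """Classify every ingress source that can reach `port`."""
    findings = []
    for rule in ip_permissions:
        if not rule_covers_port(rule, port):
            continue
        # Group-sourced rules match only traffic from members of that group,
        # so a self-reference alone never admits a client on the internet.
        for pair in rule.get("UserIdGroupPairs", []):
            gid = pair["GroupId"]
            kind = "self" if gid == group_id else "group"
            findings.append(Finding(port, gid, kind, "ok"))
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                findings.append(Finding(port, rng["CidrIp"], "anywhere", "high"))
            elif net.prefixlen == 32:
                findings.append(Finding(port, rng["CidrIp"], "host", "ok"))
            else:
                findings.append(Finding(port, rng["CidrIp"], "cidr", "review"))
    return findings


def admits_client(findings, client_ip):
    """True if some CIDR-based finding covers the client's public address."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        f.kind in ("host", "cidr", "anywhere")
        and addr in ipaddress.ip_network(f.source, strict=False)
        for f in findings
    )


# Constructed sample: the VPC default rule (self-reference only) plus a
# single operator address admitted on the PostgreSQL port.
SAMPLE_GROUP_ID = "sg-0123456789abcdef0"   # placeholder id
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111111111111"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "UserIdGroupPairs": []},
]

if __name__ == "__main__":
    results = audit_ingress(SAMPLE_GROUP_ID, SAMPLE_PERMISSIONS, 5432)
    for f in results:
        print(f"port {f.port}: {f.kind:<8} {f.source:<24} risk={f.risk}")
    print("admits 203.0.113.7:", admits_client(results, "203.0.113.7"))
    print("admits 198.51.100.9:", admits_client(results, "198.51.100.9"))
```

Run against a group that has only the default rule, `audit_ingress` returns a single `self` finding and `admits_client` is false for every outside address, which is exactly the "works in non-prod, unreachable in prod" situation when one group gained a CIDR rule and the other did not. A `0.0.0.0/0` source is flagged `high` because it exposes the database port to the whole internet; a `/32` for the operator's address, or a group-sourced rule for the application tier, is the setting to keep.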


Solution

  • (1) is my assumption about public IP correct, and this wouldn't show up in the CloudWatch logs due to that?

    No, your assumption is wrong. If you capture all (rejected and accepted) traffic then traffic to and from your public IP entering and leaving your VPC will be logged.

  • (2) are there any other things I could check in terms of logs?

    Nothing springs to mind - your VPC flow logs are key here and should tell you where to look next.
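To make the flow-log advice concrete, here is an added example that is not part of the original answer. It parses records in the default (version 2) VPC flow log format and summarises, per source address, which TCP flows to the database port were accepted and which were rejected. A `REJECT` record means the packet reached the RDS instance's network interface and was dropped by a security group or network ACL; no record at all points further out (public accessibility, DNS or routing). All records below are constructed: the account id, interface id and addresses are placeholders.

```python
"""Summarise accepted and rejected database flows from VPC flow log records.

Added example, not from the original answer. Records use the default
(version 2) flow log field order. The sample lines are constructed; the
account id 111111111111, the interface id and all addresses are placeholders.
"""
from collections import Counter
from dataclasses import dataclass

# Field order of the default flow log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    log_status: str


def parse_record(line):
    """Parse one default-format record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        return None
    if rec["log_status"] != "OK":
        # NODATA / SKIPDATA records carry "-" in the traffic fields.
        return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                          0, 0, 0, rec["action"], rec["log_status"])
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      rec["action"], rec["log_status"])


def db_flows_by_action(lines, db_port):
    """Count TCP flows to db_port per source address, split by ACCEPT / REJECT."""
    summary = {"ACCEPT": Counter(), "REJECT": Counter()}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.log_status != "OK":
            continue
        if rec.protocol == 6 and rec.dstport == db_port and rec.action in summary:
            summary[rec.action][rec.srcaddr] += 1
    return summary


# Constructed sample: an operator's address is rejected twice on 5432, an
# in-VPC application host is accepted, an unrelated SSH probe is rejected,
# and one interval carried no data.
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.7 172.31.20.15 51324 5432 6 3 180 1418530010 1418530070 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 203.0.113.7 172.31.20.15 51330 5432 6 3 180 1418530070 1418530130 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 172.31.10.44 172.31.20.15 40112 5432 6 25 6120 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f60718 198.51.100.9 172.31.20.15 44010 22 6 1 60 1418530010 1418530070 REJECT OK
2 111111111111 eni-0a1b2c3d4e5f60718 - - - - - - - 1418530010 1418530070 - NODATA
"""

if __name__ == "__main__":
    flows = db_flows_by_action(SAMPLE_LOG.splitlines(), 5432)
    for action, counts in flows.items():
        for src, n in counts.most_common():
            print(f"{action:<7} {src:<16} {n} flow(s) to port 5432")
```

Seeing the client's own address under `REJECT` on the database port while in-VPC sources are `ACCEPT`ed is the signature of the security-group problem described in the question's EDIT; if the client's address never appears at all, the packets are not reaching the interface and the investigation moves to the instance's public accessibility setting, the subnet route to the internet gateway, and DNS resolution of the endpoint.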