3 votes

I have a VPC configured with 3 x public and private subnets, with an IGW for the public subnets and a NAT Gateway for the private ones.

When I create an RDS instance, I flag it as publicly available. When I try to access the RDS endpoint, my connection fails.

I have created a security group to allow all traffic (0.0.0.0/0), and my VPC allows traffic coming from my network.

If I place my RDS in the public subnet, then I can connect as the IGW allows the connection. But when it is placed in the private subnet, the connection fails?

I have reviewed a fair bit of material on AWS and forums - but I cannot seem to finalise the connection. Is there something I am missing in the configuration?

Any help would be greatly appreciated.

Cheers.

When you deploy it in a private subnet, inbound connections from the internet cannot reach the private subnet and the RDS/EC2 instances in it. This is usually done to further harden the security of your network setup. So placing it in a private subnet and not being able to access it from outside is expected behavior, or else I'm not getting the question correctly. - Ashan

Hi @ashan, for best practices (at least from what I have read) it should be placed in a private subnet with the public accessibility flag set to true. I have also set up a NAT Gateway with an EIP attached. - matoneski

Even if you apply the publicly accessible flag, if you place the RDS instance in a private subnet it's not accessible from outside. - Ashan

Were you able to solve the issue? - Ashan

Yes I was, thank you @ashan. - matoneski

1 Answer

5 votes

After looking into setting up an RDS instance with a connection outside the VPC to a client/application, I came across the following:

AWS suggests the following connections to an RDS:

  1. An EC2 instance in the same VPC
  2. An EC2 instance in a different VPC
  3. An EC2 instance not in a VPC
  4. A client application through the Internet

Without using an EC2, you would have to place the RDS in a public subnet with an Internet Gateway attached and security group set up for incoming traffic.

Here is a reference link for you - A DB Instance in a VPC Accessed by a Client Application Through the Internet

[Diagram: Client to RDS]
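The subnet-versus-flag distinction in this answer, as an added example that is not part of the original post or of any AWS tooling: a small Python check over route-table and DB-instance data in the shape boto3 returns (constructed sample data with placeholder IDs), which reports why an instance configured like the asker's stays unreachable and confirms the answer's fix.

```python
# Constructed sample data shaped like boto3's ec2.describe_route_tables() and
# rds.describe_db_instances() responses; all IDs are hypothetical placeholders.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]

def _route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt["Associations"])), None)

def subnet_is_public(subnet_id, route_tables):
    """Public means the default route (0.0.0.0/0) points at an Internet Gateway.
    A NAT gateway default route is outbound-only, which is why the asker's
    'publicly accessible' RDS in a private subnet never receives inbound traffic."""
    rt = _route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])

def diagnose(db, route_tables):
    """Return the reasons a DB instance is unreachable from the internet ([] if none)."""
    reasons = []
    if not db["PubliclyAccessible"]:
        reasons.append("PubliclyAccessible is false: endpoint resolves to a private IP")
    private = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]
               if not subnet_is_public(s["SubnetIdentifier"], route_tables)]
    if private:
        reasons.append("subnet group has no IGW route for: " + ", ".join(private))
    return reasons

# The asker's setup: flag set, but the subnet group holds only private subnets.
ASKER_DB = {"PubliclyAccessible": True, "DBSubnetGroup": {"Subnets": [
    {"SubnetIdentifier": "subnet-priv-a"}, {"SubnetIdentifier": "subnet-priv-b"}]}}
# The answer's fix: same flag, subnet group moved to the IGW-routed subnets.
FIXED_DB = {"PubliclyAccessible": True, "DBSubnetGroup": {"Subnets": [
    {"SubnetIdentifier": "subnet-pub-a"}, {"SubnetIdentifier": "subnet-pub-b"}]}}
```

Even once the subnet group is public, the "allow all from 0.0.0.0/0" security group in the question should be narrowed to the database port from the client's address range.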