1
votes

I'm unable to connect to a private RDS instance in a private VPC. I have configured a NAT instance to grant internet access, and I have installed and configured OpenVPN on it.

Currently I'm connected to the VPN, and I have added the route for the 10.0.0.0 addresses, configured with the gateway of the VPN server:

     10.0.0.0      255.255.0.0         10.8.0.5         10.8.0.6     36
     10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6    291

I have configured the security group of the NAT instance so that it accepts connections on port 3306, and the security group associated with the database to accept connections on port 3306 from the NAT instance's SG.

What am I missing? I know that it's probably something stupid.

3

3 Answers

0
votes

You should use a bastion host here to connect to the RDS instance provisioned inside the private subnet.

The purpose of a NAT gateway is to forward traffic from nodes in a private subnet to the internet. A NAT gateway can't be used to access your instances in a private subnet from the Internet.

To allow two-way communication, i.e. Internet <==> subnets, use an Internet Gateway.

As a recommended security practice, always provision your RDS instances in a private subnet (you already did) and set up a bastion host in your public subnets.

The security group of the RDS instance should allow traffic from the bastion host. Ideally you can SSH into your bastion host, and then connect to your RDS instance from there.

Hope this helps.

0
votes

If you launch a public instance in the same VPC as the private RDS instance, you should be able to connect using the RDS endpoint, port, username and password.

Also ensure that you are allowing your instance security group in your RDS security group.

Hope this helps,

Thanks,
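The two answers so far describe the same pair of rules: the RDS security group admits port 3306 from the instance's security group (a group reference, not an address range), and the instance itself is reachable on port 22 only from your own address. That chain can be audited offline. The following is an added example and is not part of any answer here; the group IDs, CIDRs and the dictionary layout are constructed to resemble `aws ec2 describe-security-groups` output and are placeholders.

```python
# Added example: offline audit of the security-group chain for bastion -> RDS.
# The dictionaries mimic the shape of `aws ec2 describe-security-groups`
# output but are constructed here; group ids and CIDRs are placeholders.
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed sample: the bastion's group allows SSH from one admin address,
# the RDS group allows 3306 only from the bastion's group (not from a CIDR).
SAMPLE_GROUPS = {
    "sg-bastion0001": {  # placeholder id for the bastion EC2 security group
        "GroupName": "bastion-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}],  # "My IP" (constructed)
             "UserIdGroupPairs": []},
        ],
    },
    "sg-rds00000001": {  # placeholder id for the RDS security group
        "GroupName": "rds-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"}]},
        ],
    },
}

# Constructed mis-configuration: same groups, but 3306 also opened to the world.
WORLD_OPEN_GROUPS = deepcopy(SAMPLE_GROUPS)
WORLD_OPEN_GROUPS["sg-rds00000001"]["IpPermissions"][0]["IpRanges"].append(
    {"CidrIp": "0.0.0.0/0"})


def _port_in_rule(rule, port):
    """Does this inbound rule cover TCP `port`? ("-1" is AWS's 'all traffic'.)"""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allowed_from_group(groups, target_sg, port, source_sg):
    """True if target_sg admits `port` from members of source_sg (SG reference)."""
    for rule in groups[target_sg]["IpPermissions"]:
        if _port_in_rule(rule, port) and any(
                pair.get("GroupId") == source_sg
                for pair in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def allowed_from_cidr(groups, target_sg, port, client_ip):
    """True if target_sg admits `port` from a CIDR range containing client_ip."""
    addr = ip_address(client_ip)
    for rule in groups[target_sg]["IpPermissions"]:
        if not _port_in_rule(rule, port):
            continue
        for rng in rule.get("IpRanges", []):
            if addr in ip_network(rng["CidrIp"], strict=False):
                return True
    return False


def is_world_open(groups, sg, port):
    """True if `port` on sg is admitted from 0.0.0.0/0 (a prefix length of 0)."""
    for rule in groups[sg]["IpPermissions"]:
        if not _port_in_rule(rule, port):
            continue
        for rng in rule.get("IpRanges", []):
            if ip_network(rng["CidrIp"], strict=False).prefixlen == 0:
                return True
    return False


def audit_bastion_path(groups, bastion_sg, rds_sg, admin_ip, db_port=3306):
    """Return a list of findings; an empty list means the chain matches the answers."""
    findings = []
    if not allowed_from_cidr(groups, bastion_sg, 22, admin_ip):
        findings.append(f"{bastion_sg}: no SSH (22) rule for {admin_ip}")
    if not allowed_from_group(groups, rds_sg, db_port, bastion_sg):
        findings.append(f"{rds_sg}: port {db_port} does not reference {bastion_sg}")
    for sg, port in ((bastion_sg, 22), (rds_sg, db_port)):
        if is_world_open(groups, sg, port):
            findings.append(f"{sg}: port {port} is open to 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    for name, groups in (("sample", SAMPLE_GROUPS), ("world-open", WORLD_OPEN_GROUPS)):
        print(name, audit_bastion_path(groups, "sg-bastion0001",
                                       "sg-rds00000001", "203.0.113.10"))
```

The group-reference check is the important one: a rule whose source is `sg-…` follows the bastion whatever its private IP is, whereas a CIDR rule for the NAT or bastion address breaks the moment the instance is replaced, and a `0.0.0.0/0` rule on 3306 defeats the point of the private subnet.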

0
votes

To connect to a private database you will need a 'jump host', also called a 'bastion host', or any EC2 instance in a public subnet within the same VPC.

Follow the steps below:

  1. Open the security group attached to the database, and add a new rule as below:

     Type: MYSQL/Aurora, Protocol: TCP, Port Range: 3306,
     Source: security group of the EC2 instance (you can list all security groups by entering 'sg-')

  2. Open the security group attached to the EC2 instance, and make sure port 22 is open. If not, add a new rule as below:

     Type: SSH, Protocol: TCP, Port Range: 22, Source: My IP

Now you should be able to access the DB from the EC2 CLI; if you wish to connect with Workbench then follow step 3.

  3. Open Workbench, click New Connection:
     - Standard TCP/IP over SSH
     - SSH Hostname: <your EC2 public IP>  # e.g. 34.3.3.1
     - SSH Username: <your username>  # common ones are: ubuntu, ec2-user, admin
     - SSH Key File: <attach your EC2 .pem file>
     - MySQL Hostname: <database endpoint name>  # e.g. mydb.tbgvsblc6.eu-west-1.rds.amazonaws.com
     - MySQL Port: 3306
     - Username: <database username>
     - Password: <database password>

Click 'Test Connection' and boom, done!!
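As an added example, not from the answer above: the `ssh` command that the Workbench "Standard TCP/IP over SSH" settings in step 3 translate to, built in Python so each piece maps onto a form field. It is a local port forward through the EC2 host to the private RDS endpoint; the hostname is resolved by the EC2 host, inside the VPC, which is why the private endpoint works here but not from your laptop directly. Hosts, user, key path and ports are placeholders; `ExitOnForwardFailure` is a standard OpenSSH option.

```python
# Added example: command-line equivalent of Workbench's "Standard TCP/IP over
# SSH" connection, i.e. an SSH local port forward through the EC2/bastion host
# to the private RDS endpoint. All hosts, users, paths and ports are placeholders.
import socket
import subprocess


def tunnel_argv(bastion_host, ssh_user, key_file, db_endpoint,
                db_port=3306, local_port=3306):
    """Build the ssh argv forwarding 127.0.0.1:local_port to db_endpoint:db_port
    via the bastion. db_endpoint is resolved on the bastion, inside the VPC."""
    return [
        "ssh",
        "-i", key_file,                     # SSH Key File: the EC2 .pem key
        "-N",                               # no remote shell, just the forward
        "-o", "ExitOnForwardFailure=yes",   # exit rather than silently run without the forward
        "-L", f"127.0.0.1:{local_port}:{db_endpoint}:{db_port}",  # MySQL Hostname / Port
        f"{ssh_user}@{bastion_host}",       # SSH Username @ SSH Hostname
    ]


def free_local_port():
    """Ask the OS for a currently unused TCP port on the loopback interface."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def local_port_open(port, host="127.0.0.1", timeout=1.0):
    """True if something (e.g. the tunnel) is listening on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_tunnel(*args, **kwargs):
    """Start ssh in the background; the caller owns the process and must terminate it."""
    return subprocess.Popen(tunnel_argv(*args, **kwargs))


if __name__ == "__main__":
    # Placeholders: substitute the EC2 public IP, login user, key and RDS endpoint.
    argv = tunnel_argv("<your EC2 public IP>", "ec2-user", "my-ec2-key.pem",
                       "<database endpoint name>", local_port=3307)
    print(" ".join(argv))
    # Once the tunnel is up, Workbench or the mysql client connects to
    # 127.0.0.1:3307 with the database username/password, not to the endpoint.
```

With the tunnel running, `mysql -h 127.0.0.1 -P 3307 -u <database username> -p` reaches the database exactly as the Workbench connection does; the database credentials never go to the EC2 host's shell, only through it.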