0 votes

I'm trying to establish port forwarding to my RDS instance in a private subnet via a bastion host in a public subnet with the following command:

ssh -A -NL 3007:mydb3.co2qgzotzkku.eu-west-1.rds.amazonaws.com:3306 [email protected]

but I can't get a connection to the RDS instance.

The security group for the bastion host allows only SSH on port 22 from my IP.

The security group for the RDS instance allows traffic from the bastion host's security group and SSH from my IP.

Besides, the network ACLs for the subnets are open to all TCP traffic.

Does anybody have a tip on what is missing to get the tunnel running?

merci A

1 Answer

0 votes

I think you are missing ports 3306 and 3307. Allow those ports in both security groups and it will work.

As you said you are accessing the bastion via a key pair, your new command must be:

ssh -N -L 3007:mydb3.co2qgzotzkku.eu-west-1.rds.amazonaws.com:3306 [email protected] -i /path/to/key.pem

I would suggest removing -A from the command, as it enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.
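As an added example (not part of the question or the answer above), the script below opens the same kind of tunnel with options that make a refused forward visible, and then tests each hop separately: SSH to the bastion, the RDS listener on 3306 from the bastion, and finally the database through the local end of the tunnel. Testing hop by hop tells you whether the bastion security group, the RDS security group or the tunnel itself is the problem. The bastion address, key path, security-group id and database user are assumptions; the RDS hostname and ports are the ones from the question. One detail worth keeping in mind: the local port 3007 is bound on your own machine's loopback interface and never crosses a security group, so the rule the RDS group needs is inbound TCP 3306 from the bastion's security group.

```shell
#!/bin/sh
# Added example, not from the original post. Bring up an SSH tunnel to an RDS
# instance via a bastion and check each hop in order.
set -eu

BASTION="ec2-user@bastion.example.com"   # assumed; the post's address is redacted
KEY="$HOME/.ssh/bastion.pem"             # assumed key path
BASTION_SG="sg-0123456789abcdef0"        # assumed placeholder security-group id
RDS_HOST="mydb3.co2qgzotzkku.eu-west-1.rds.amazonaws.com"
RDS_PORT=3306
LOCAL_PORT=3007
DB_USER="admin"                          # assumed database user

# Build the -L spec. Binding explicitly to 127.0.0.1 keeps the forwarded DB
# port off any other interface of the client machine.
forward_spec() {   # usage: forward_spec LOCAL_PORT REMOTE_HOST REMOTE_PORT
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Given a -L spec, state which security-group rules the tunnel needs.
# Only the last field (the remote port) is ever seen by a security group;
# the local port exists solely on the client's loopback.
sg_rule_for() {   # usage: sg_rule_for SPEC BASTION_SG
    remote_port="${1##*:}"
    printf 'RDS SG: allow TCP %s from %s; bastion SG: allow TCP 22 from your IP\n' \
        "$remote_port" "$2"
}

# Hop 1: plain SSH to the bastion. Fails if the bastion SG does not allow
# port 22 from our public IP, or if the key is wrong.
check_bastion() {
    ssh -i "$KEY" -o BatchMode=yes -o ConnectTimeout=10 "$BASTION" true
}

# Hop 2: from the bastion, open a TCP connection to the RDS listener. Uses
# bash's /dev/tcp on the bastion so nothing needs to be installed there.
# A timeout here means the RDS SG (or a NACL) is not letting the bastion in.
check_rds_from_bastion() {
    ssh -i "$KEY" -o BatchMode=yes "$BASTION" \
        "timeout 5 bash -c 'exec 3<>/dev/tcp/$RDS_HOST/$RDS_PORT'" \
        && echo "bastion -> $RDS_HOST:$RDS_PORT reachable"
}

# Hop 3: the tunnel itself. ExitOnForwardFailure makes ssh exit non-zero if
# the bastion refuses the forward (e.g. AllowTcpForwarding no) instead of
# silently staying connected without it. No -A: agent forwarding is not
# needed for a tunnel and exposes the local agent to root on the bastion.
open_tunnel() {
    ssh -i "$KEY" -f -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "$(forward_spec "$LOCAL_PORT" "$RDS_HOST" "$RDS_PORT")" \
        "$BASTION"
}

# Hop 4: the database, reached through the local end of the tunnel.
check_db() {
    mysql -h 127.0.0.1 -P "$LOCAL_PORT" -u "$DB_USER" -p -e 'SELECT 1'
}

run_all() {
    sg_rule_for "$(forward_spec "$LOCAL_PORT" "$RDS_HOST" "$RDS_PORT")" "$BASTION_SG"
    check_bastion && check_rds_from_bastion && open_tunnel && check_db
}

# The live checks only run when invoked as "./tunnel-check.sh run", so the
# helper functions can be sourced or tested without touching the network.
case "${1:-}" in
    run) run_all ;;
esac
```

Run it as `./tunnel-check.sh run`; the first hop that fails names the layer to look at. Stop the background tunnel afterwards with `pkill -f "ssh -i .* -f -N"` or by giving ssh a ControlPath and using `ssh -O exit`.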