In this step-by-step how-to we are going to set up a private RDS instance in the default VPC and a bastion host that gives access to the RDS instance from the Internet without the need for a VPN connection.
VPCs are very powerful for securing your cloud infrastructure, but they also make it harder to connect to an instance from outside the VPC to import or back up data or to do maintenance. We are going to see how to access an AWS RDS instance remotely.
- Use the default VPC.
- Create a new private (not publicly accessible) RDS instance in the default VPC.
- Create a new Linux bastion host in the default VPC.
Select the DB engine. For this example we will use MySQL. If you use a different engine, the steps are the same; only the port will differ.
Be sure to select No to .
Launch the DB creation and navigate to the EC2 console. On the left pane, select Security Groups:
You should see a newly created security group called ‘rds-launch-wizard’; select it.
In the Inbound tab, set the source of the MySQL (TCP 3306) rule to Anywhere. Because the instance is not publicly accessible, it will still only be reachable from inside the VPC.
Note: In production you should restrict the source by IP address (allow only instances that need to access RDS for added security).
Because the Amazon RDS instance is not publicly accessible, you won’t be able to reach it from outside the VPC (from the Internet).
You have several options for getting access to the RDS instance, such as creating a VPN or adding a bastion host. We’ll choose the latter because it is quick to set up and does not require a VPN client.
Choose the cheapest option, such as a t2.nano. This instance will only be used to SSH into the VPC.
For this demo we will open port 22 to the world, but in reality (source of the security group for TCP 22).
Select Standard TCP/IP over SSH and fill in the connection settings:
- SSH Hostname: your bastion host public DNS
- SSH Username: ec2-user
- SSH Key File: the bastion private key
- MySQL Hostname: your RDS DNS name
- MySQL Server Port: 3306
- Username: the DB username created during the RDS launch wizard
If it’s your first SSH connection to the bastion host from MySQL Workbench, it will ask you to accept the SSH server fingerprint; click on
You should get a success message telling you that MySQL Workbench is able to connect to the Amazon RDS instance.
Finally, you can save the connection, open it, and list all databases, tables, etc.
In this example we used the default VPC to simplify the steps. In a real environment your RDS instance would reside in a private subnet and the bastion host in a public subnet. The only difference is to configure an ACL that allows access from the bastion host to the private subnet on port 22 (for SSH).
If you have any questions, don't hesitate to post a comment.