I am new to AWS and trying to set up and initialize an RDS instance. Since I have a newly created account, it does not support EC2-Classic, which (from what I understand) means that my RDS instance must be deployed into a private subnet in a VPC. However, once the RDS instance is created, how can I connect to it from the outside world? I understand that I can connect to it from the public subnets in my VPC, so my application servers will be able to use the DB with no problem. However, I want to be able to, say, fire up Squirrel or some other GUI client in order to initialize the schema, or add columns and tables as my application grows. How can I do this if it is required to live in a private subnet?
You should still be able to connect to the RDS instance if the security group is set to allow connections from your IP. All that will designate that the subnet is private is that it does have an Internet Gateway. If it doesn't, and you don't want to set up a relay server to forward traffic, just create an IGW for that subnet. BTW, dev support is going to be your best $50/mo ever spent. – Travis Stoll Nov 30 '14 at 23:44
You can make RDS instances that you can connect from the outside world from. You just can't change it. Once private, always private. – Halfgaar Jul 13 '15 at 14:22
2 Answers
One solution (but not the only solution!) is to use what's called a Bastion Host. A Bastion Host is an ultra-low-powered server that sits in your public subnet and is the only server that allows inbound SSH connections.
This server should be thoroughly hardened, and depending on your level of paranoia, there are a few techniques you can use to hide the fact that this server is listening for SSH connections at all. See, for example, http://www.portknocking.org/view/details. Of course, you don't need to harden it just to connect to your RDS instance.
Anyway, you can set up your EC2 Security Group rules as follows:
- Bastion Host Security Group allows port 22 from your local IP only (so you can SSH into it, but no one else can)
- RDS Security Group allows your incoming database connections on Port X (depends on your database) only from the Bastion Host
By the way, you can achieve "only from the Bastion Host" either by specifying the private IP address of your Bastion Host, or listing the security group name the Bastion Host uses.
Now you have two options from here:
OPTION #1: Set up local port forwarding as part of your SSH connection
For example, if you're on OS X or Linux, SSH into the bastion host and set up local port forwarding with:
ssh -l <bastion-host-username> -L <local-port-you-connect-to>:<rds-private-ip>:<rds-listening-port> <bastion-host-public-ip>
And let's say you're connecting to Postgres from an Ubuntu-based Bastion Host. It might look like this:
ssh -l ubuntu -L 5432:<rds-private-ip>:5432 <bastion-host-public-ip>
Your local machine is now listening on port 5432 and will forward any of those connections to <bastion-host-public-ip>, which in turn will forward it to port 5432 on <rds-private-ip>.
OPTION #2: Look for this feature in your Database Client
I know DBVisualizer supports this. I'm not sure about Squirrel. Basically, instead of setting up the local port forwarding manually using SSH, your SQL client handles this for you.

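Added example, not part of the answer above and not AWS's own tooling: the two rules the answer lists, expressed as boto3 IpPermissions (bastion group allows 22 from a single admin host; RDS group allows the database port only from the bastion's security group, the "listing the security group" variant), plus a small audit that flags any DB-port rule sourced from a CIDR rather than the bastion group. Security-group ids, the admin address, the port and the region are placeholders you supply.

```python
import ipaddress

SSH_PORT = 22
ANY_V4 = "0.0.0.0/0"

def ssh_rule_from_admin(admin_cidr):
    """Bastion SG ingress: TCP/22 from the administrator's single IPv4 host only."""
    net = ipaddress.ip_network(admin_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError("admin source must be one IPv4 host (/32): %s" % admin_cidr)
    return {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
            "IpRanges": [{"CidrIp": str(net), "Description": "admin workstation"}]}

def db_rule_from_bastion(bastion_sg_id, db_port):
    """RDS SG ingress: the DB port, reachable only from members of the bastion's
    security group; a group reference survives the bastion being rebuilt with a new IP."""
    if not bastion_sg_id.startswith("sg-"):
        raise ValueError("expected a security-group id, got %s" % bastion_sg_id)
    if not 1 <= db_port <= 65535:
        raise ValueError("invalid port %d" % db_port)
    return {"IpProtocol": "tcp", "FromPort": db_port, "ToPort": db_port,
            "UserIdGroupPairs": [{"GroupId": bastion_sg_id, "Description": "bastion only"}]}

def audit_db_ingress(permissions, db_port):
    """Scan a group's IpPermissions (shape of describe_security_groups) and report every
    rule that reaches db_port from an IPv4 CIDR instead of a security group."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        covers = proto == "-1" or (proto == "tcp" and
                                   perm.get("FromPort", 0) <= db_port <= perm.get("ToPort", 65535))
        if not covers:
            continue
        for rng in perm.get("IpRanges", []):
            severity = "CRITICAL" if rng["CidrIp"] == ANY_V4 else "WARN"
            findings.append("%s: port %d open to CIDR %s" % (severity, db_port, rng["CidrIp"]))
    return findings

def apply_rules(bastion_sg_id, rds_sg_id, admin_cidr, db_port, region):
    """Push both rules with boto3; imported here so the pure helpers run offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=bastion_sg_id,
                                         IpPermissions=[ssh_rule_from_admin(admin_cidr)])
    ec2.authorize_security_group_ingress(GroupId=rds_sg_id,
                                         IpPermissions=[db_rule_from_bastion(bastion_sg_id, db_port)])
```

Run `audit_db_ingress` over the `IpPermissions` list that `describe_security_groups` returns for the RDS group to confirm nothing but the bastion group can reach the database port.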
It might be me being dim but I did get a bit confused with the comment "SSH into the bastion host and setup local port forwarding with". I took that to mean two separate actions of first SSHing into the bastion host and then secondly running the port forwarding command. After some head scratching and further reading I realised that the command does both these things and so it should be run on your local machine. This is the command that finally did the trick for me. Note I connect using my AWS keypair file and I also added the verbose flag so I can see what's going on. ssh -i aws.pem -v -C -N -L 330 – glidester Jul 13 '15 at 14:12
Another useful tool -- deploy the bastion, do your work, tear the bastion down. Minimize the exposure time. – railsdog May 24 '17 at 18:07
This worked for me. Make sure you have psql client installed locally.
psql --host=myAwsDbEndpointUrl.ciqykqusf0nv.us-west-1.rds.amazonaws.com --port=5432 --username=myUserName --password --dbname=myDbName
When creating your db instance on aws, make sure to define the following:
- username
- password
- database name
- port number
I also had to create a security group for the VPC that the database was located in. After creating it make sure your db instance uses this for its security group. The security group has the following rules:
inbound --> type: PostgreSQL, protocol: TCP, port range: 5432, source: 0.0.0.0/0
outbound --> type: All Traffic, protocol: All, port range: all, destination: 0.0.0.0/0