
I have a MySQL database on a dedicated server, that I want to replicate to Amazon RDS to always have an up-to-date backup.

For this, Amazon RDS needs to be able to connect to my master MySQL server.

I do not want to open the MySQL port 3306 to the entire world, as even though MySQL has its own permissions, I consider it an extra security risk if a security issue gets discovered in MySQL.

So I want to add a rule to iptables to allow all connections from *.rds.amazonaws.com. But as far as I understand it, even though iptables allows a host name to be specified instead of an IP address, it's resolved when the rule is created, not when the packet is checked.

And because of the way RDS is designed, the IP address behind an RDS instance's host name might change during its lifetime, so this is not a good solution.

What alternatives do I have to only open my MySQL server to RDS?

BenMorel
  • Did you ever get anywhere with this, other than relying upon mysql's authentication? Thanks. – ChrisW Apr 24 '17 at 16:38
  • Yes, I ended up adding the full RDS host name to the iptables rule. The only drawback is that whenever the host name changes, you need to update the iptables rule. A good thing to do is to set up a replication event subscription on RDS to get updated by email if for any reason RDS cannot connect to your master. – BenMorel Apr 25 '17 at 06:24
  • Thanks for getting back to me. And good tip about the changing host name. Hopefully won't be an issue for us as we're replicating in order to migrate our DB to RDS (away from a bare-metal server), and this *should* happen before a hostname change. – ChrisW Apr 25 '17 at 08:13
  • I have a very similar problem. I run two AWS RDS MySQL servers, where one is master and the other is slave. However, they are on different user accounts, and neither of us belongs to any organization, so the instances can't be placed in the same security group. – Magnus Nov 11 '19 at 17:53

2 Answers

Here is a link to a Unix & Linux Stack Exchange question: UFW: Allow traffic only from a domain with dynamic IP address

TCP/IP-level blocking might not work well with a dynamic IP address. Although the accepted answer mentions a script, it might be error-prone. AWS does post a list of IP ranges, but this can change over time.

Unfortunately, your best option may be user authentication in MySQL. You can limit privileges by user AND hostname: Specifying Account Names.

thoughtarray
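A script along the lines of the one the linked question mentions, as an added example (not from the linked answer or from either poster): it resolves the RDS endpoint, rebuilds a dedicated iptables chain with one ACCEPT per current address in a single iptables-restore call, and leaves the rules untouched when resolution fails. The endpoint name, the chain name and running it from cron are assumptions.

```shell
#!/bin/sh
# Keep an iptables chain in sync with the current IPv4 address(es) of an RDS endpoint.
# Re-runnable (e.g. from cron every minute); the chain is replaced in one iptables-restore call.
set -eu

RDS_HOST="${RDS_HOST:-mydb.placeholder.eu-west-1.rds.amazonaws.com}"  # placeholder, assumed
CHAIN="RDS_MYSQL"   # assumed chain name
PORT=3306

# Current IPv4 address(es) of the endpoint, one per line, de-duplicated.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Build an iptables-restore fragment that flushes the chain and re-adds one
# ACCEPT per address; everything else RETURNs to INPUT's normal handling,
# which is expected to drop or reject port 3306 from anywhere else.
rules_for() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    printf '%s\n' "-F $CHAIN"
    for ip in "$@"; do
        printf '%s\n' "-A $CHAIN -s $ip/32 -p tcp --dport $PORT -j ACCEPT"
    done
    printf '%s\n' "-A $CHAIN -j RETURN" "COMMIT"
}

# Make INPUT consult the chain for port 3306 (idempotent: -C checks first).
ensure_jump() {
    iptables -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$PORT" -j "$CHAIN"
}

apply_rules() {
    ips=$(resolve_v4 "$RDS_HOST")
    if [ -z "$ips" ]; then
        # DNS failure: keep the existing rules rather than emptying the chain.
        echo "could not resolve $RDS_HOST; rules left unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086  (splitting the newline-separated list into arguments is intended)
    rules_for $ips | iptables-restore --noflush
    ensure_jump
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

This only narrows the exposure window (the address can change between two runs, and the endpoint must resolve from the master to the address RDS actually connects from), so the MySQL account restrictions above remain the control that has to hold.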

I believe the most correct course of action would be to use a VPC Security Group. You can write a security group to only allow TCP traffic on port 3306 from other instances that have that security group:

[screenshot of the security group inbound rule, not reproduced]

If you have an instance that you actually want to be reached publicly, then add another security group that lists "0.0.0.0/0" as the source for port 3306. That way, both rules will overlap.

thoughtarray
  • Unfortunately, the dedicated server hosting the MySQL database is not on EC2! – BenMorel Dec 05 '15 at 18:00
  • Oh, that's interesting. Are you saying that you have a dedicated instance through AWS? If that is the case, is the host even in a VPC subnet? – thoughtarray Dec 05 '15 at 18:06
  • No, I mean that I have a bare metal server somewhere else, and I'm just using RDS as a replication slave for real-time backup. – BenMorel Dec 05 '15 at 18:14