
So I have previously asked this question over at Stack Overflow, but I was informed that I should ask it over here also since it seems to be more of a network-based question. I did search Server Fault for similar questions and came across this one from 2014, but I wanted to expand on it.

So for a project that I am working on at my office, I have a .NET application that will be storing and retrieving data to/from an AWS RDS MySQL server that I have set up. The problem that I have run into is that port 3306 is not open on my work's network. It works great when I am not on my company network, so I know it is not an issue with the AWS RDS server. (For example, if I hotspot from my phone it works.)

I have reached out to the networking department to see what they can do about opening this port. They asked me if there was a way to set a static IP on this AWS RDS instance so they can add a firewall rule to allow port 3306 only to that static IP. They only want to open the port based on the server's IP address rather than open port 3306 completely, for security reasons they say. They said if they open port 3306, it will be open for the whole office network, and they can't open it just for my computer's IP.

I did not see anywhere on the AWS dashboard about setting a static IP for my RDS instance. IT says that the reason behind needing a static IP is so that when the IP associated with the endpoint DNS name that AWS provides changes, they won't need to adjust the firewall settings to accommodate this change.

1) Is it possible to set a static IP on the RDS instance? (Based on the link above, it doesn't seem possible, but I wanted to ask anyway in case something has changed and it is now possible, since the previous post was from 2014.)

2) Is it possible to have the port open for only this specific DNS endpoint that AWS provides? My IT team is saying that it is NOT possible for them to open the port to a URL and that it has to be an IP (static, so it doesn't change). Is this really the case, or is there a way around this? Based on a response to my Stack Overflow post, he mentions that it is possible by:

You can tell your IT team to create a firewall rule in port 3306 for the RDS instance URL and it will work fine.

Is there any extra information that I can provide to my IT networking team to help steer them in the right direction if it really is possible? I feel like this has to be a pretty common task given the popularity of cloud-hosted MySQL servers, and I can't be the only one with this issue.

Thank you!

iamdapro

3 Answers


It sounds like you have a fairly locked-down network environment, which is disallowing outbound connections destined for port 3306. "Traditional" firewalls will only allow ACLs targeting IPs, not DNS names, so it sounds like the RDS URL will not work for you. These firewalls operate at layers 3 and 4, so they have no concept of DNS names, which are a layer 7 concept.

If your company is blocking connections to 3306 specifically, as it's a well-known port, it's possible they may allow you to open up connections to a different port. You could then recreate your instance to use that port rather than the default.

If the blockage is instead a blanket policy, implemented at layers 3 and 4, you may be out of luck for the moment. You could do a DNS lookup of your instance's IP address and use it in an ACL, but that address is subject to change.

Normally I would say to ask them to open connectivity just for your client system's IP address, but as you say, they rejected that already. I assume this is due to using DHCP to assign an address to your system, rather than a static IP. Perhaps you could request a static IP for your system, or you could run your application on a company server with a static IP. That would allow them to complete a one-to-many ACL that they may find acceptable.

phoebus
  • Thank you for the response. IT has mentioned that all of the outbound ports are open and that it is the inbound port being blocked. I am not too familiar with which one is exactly needed, but correct me if I'm wrong: if it is being hosted by AWS, doesn't it only need the outbound port on my computer to be able to access it, or does it need inbound also? If the server was hosted on my work network instead of by AWS, then it would need the inbound port? – iamdapro Jul 25 '17 at 19:11

An RDS instance doesn't have a fixed IP address, as this allows it to provide failover to other instances.

You could put an EC2 proxy server into your VPC, on any port you like, to send traffic to the RDS instance. This would be a TCP proxy that purely passed packets, which Nginx can do. I haven't tried it but it should work. Give the EC2 instance a static IP (Elastic IP in AWS terms), and Nginx can proxy to the RDS instance by host name. A t2.nano could be all you need, but a larger server with more network bandwidth could provide better performance if it gets a lot of traffic.

Don't forget to get the ephemeral port range opened as well. Basically inbound ports 32768 to 61000 need to allow traffic back from AWS.

I'm curious why you have an on-premises application with a cloud database. If you can run an application locally, why don't you run the database locally? Or run both the application and the database in AWS? Multiple applications could lead to database inconsistency, deadlocks, or race conditions.

How To

You can read more about how to set up Nginx as a TCP proxy on their website. There's a guide on how to set up Tiny Proxy (which I've never heard of before) on AWS here.

You might be best off hiring an AWS consultant for a short time to help you with this, because you also need to consider security.

Tim
  • I am still new to this whole world of cloud databases, and that is part of the reason I went with an RDS approach, so they do all of the work for me. So I am not too sure how to properly do the EC2 proxy approach, but I can look into it more. We have different teams across the globe that are accessing this database, and to reduce latency, a cloud-based database is much faster based on our testing results. We currently have it set on a shared network drive, but teams accessing it outside of the region that the database is stored in see extremely slow queries due to the latency. – iamdapro Jul 25 '17 at 19:23
  • A more standard setup would be to install your application on a server in AWS, which then talks to the database. Depending on how many requests there are from the client to the app and the app to the DB would determine which is faster. Database consistency is a possible issue with multiple applications hitting the same database. I'll edit my question to add a little more information on the proxy. – Tim Jul 25 '17 at 19:35
  • So to clarify, it would be like setting up a virtual machine via an EC2 instance running Windows where the application would be installed, and this application would then use the AWS RDS database, or would it be a local file database such as Microsoft Access? And for the users of the application to access it, they would need to remote into the virtual machine and log in with their own Windows account (if that is possible) so multiple users can access it at the same time (maybe up to 5 or so concurrent users)? – iamdapro Jul 25 '17 at 19:47
  • If this is an Access front end to a MySQL database you're possibly better leaving it running locally with the database in RDS. Having to remote into an EC2 instance isn't very practical for users, and would likely be slower than running locally with the database in AWS RDS. My suggestion assumed it was a web application, which is what most apps are these days. To get the static IP you'd run an EC2 Linux instance with proxy software like Nginx or Tiny Proxy. – Tim Jul 25 '17 at 20:05
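Concretely, the EC2 TCP relay described in this answer looks like the following. This is an added example, not configuration from the original answer or from the Nginx project; the RDS endpoint name is a placeholder, the resolver address is the VPC's AmazonProvidedDNS address (169.254.169.253), and it assumes nginx was built with (or loads) the stream module. The point worth getting right is that a plain `proxy_pass host:port` would resolve the RDS endpoint once at startup and keep that IP, so a Multi-AZ failover would silently break the relay; putting the endpoint in a variable and declaring a `resolver` makes nginx look it up per connection.

```nginx
# Added example: Nginx as a byte-for-byte TCP relay on an EC2 instance that
# holds an Elastic IP. The office firewall allows outbound 3306 to that one
# Elastic IP; the relay forwards to the RDS endpoint *by name*, so the IP
# change that happens on an RDS failover is followed automatically.
#
# Assumptions (not from the original answer):
#   - mydb.abcdefgh1234.us-east-1.rds.amazonaws.com is a placeholder endpoint
#   - 169.254.169.253 is the VPC resolver (AmazonProvidedDNS)
#   - the EC2 security group allows inbound 3306 only from the office's
#     public egress IP, and the RDS security group allows 3306 only from the
#     proxy's security group; nothing here is reachable from 0.0.0.0/0
#   - clients still speak MySQL TLS end to end: the relay never sees
#     plaintext, it only moves TCP payload between the two sockets

stream {
    # Re-resolve the endpoint instead of pinning the IP looked up at startup.
    # `valid` caps how long an answer is cached here; keep it short because
    # the endpoint's address changes on failover (RDS TTL is already short).
    resolver 169.254.169.253 valid=10s;

    # Holding the target in a variable forces a lookup through the resolver
    # above on every new connection (variables in stream proxy_pass: 1.11.3+).
    # Keying on $server_port also lets one relay front several databases
    # by adding more listen ports and more map entries.
    map $server_port $rds_endpoint {
        default mydb.abcdefgh1234.us-east-1.rds.amazonaws.com:3306;
    }

    server {
        listen 3306;                 # the single port the office firewall allows
        proxy_connect_timeout 5s;    # fail fast if RDS is mid-failover
        proxy_timeout 30m;           # idle timeout for long-lived DB sessions
        proxy_pass $rds_endpoint;
    }
}
```

Validate with `nginx -t` before reloading, and confirm the failover behaviour by checking the proxy logs (or `ss -tnp` on the instance) after a `reboot --force-failover` on a Multi-AZ test instance: new client connections should land on the new primary's address without restarting nginx. The relay does nothing to authenticate the office; that remains the job of the EC2 security group plus MySQL's own credentials and TLS.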

Tell your networking folks that AWS uses a DNS name rather than an IP for failover reasons. Any firewall they're using in a corporate environment is capable of referencing a DNS name rather than an IP, so they should be able to reference the endpoint DNS name as opposed to the IP.

If not, you can use HAProxy on an EC2 instance with an Elastic IP, but if this has a legitimate business use case I would recommend trying to push for them to use the DNS name. HAProxy just adds one more point of failure.

  • Appreciate this is a really old thread, but it's worth noting HAProxy doesn't have to be a point of failure. We do have such edge cases occasionally and we set up two (or more) HAProxy instances in different AZs - they can be really small - and use keepalived to pass a shared EIP between them, so you keep your high availability *and* have a static IP address to safelist on prem. – Greg Mar 22 '22 at 10:12