
We have a production database server which at the moment is not publicly accessible, has no public IP address, and sits in a private VPC subnet.

At the moment it is only accessible from applications we have running on EC2s in the same VPC.

We now have a need to allow limited remote access to this database to another vendor, outside our Amazon account and VPC.

I have a pre-defined list of IP addresses which will need access.

I'm trying to figure out the best way to do this, with minimal interruption to any of our other applications running within our VPC.

I could change the database instances to use public IPs, but having tried this on a test database, I can see that the EC2s then start resolving the instance endpoint to the public address. I'm guessing this will mess up our VPC routing rules and security groups, and potentially break access for our applications.

What I would like is for our internal applications to continue to access the database exactly as they always have, via the private IP addresses, but somehow give the remote application a public address at which it can access the database.

Apparently the 3rd party application cannot use an SSH tunnel, or VPN. It needs a direct TCP connection to a public IP address.

I haven't been able to find any documentation at Amazon for this type of setup.

user1751825
  • Double check the requirement about public IP addresses. The application would have to hard code knowledge of IP addresses to know the difference between public and private IP addresses AND that application would not work on normal internal networks (which use private IP addressing). I recommend setting up a VPN such as OpenVPN in your public subnet. You then have much better control over security. Consider opening your database to the public Internet as a last choice. There is simply no need to do that for a vendor. They just need to learn how to do things securely and properly with VPNs. – John Hanley Jul 14 '18 at 05:59
  • OpenVPN would be nice, but unfortunately it's not an option for the remote end in this case. At this stage I'm looking at doing it with a reverse proxy, possibly nginx, to forward requests to the private RDS endpoint. – user1751825 Jul 14 '18 at 06:30

2 Answers


If you don't have any grants or ACLs based on source IP address in mysqld, then just create an AWS micro instance and set up a port forwarder on it, like rinetd, to forward incoming connections destined to the mysqld port from whitelisted IP addresses to your RDS instance.

abbe

Just in case it's useful for anyone else. This is how I ended up doing it...

1) Launched a small EC2 in my private subnet.

2) Configured a minimal nginx instance.

The package version didn't have the streaming module included, so I built one like so...

./configure --with-stream --without-http_rewrite_module

This instance will only be used for this specific purpose, so I didn't need any other nginx modules.

3) I then set up my nginx.conf like so...

events {
    worker_connections  1024;
}

stream {

        # one upstream per target database; upstream names must be unique
        upstream rds_db_1 {
                server [aurora_endpoint_1]:3306;
        }
        upstream rds_db_2 {
                server [aurora_endpoint_2]:3306;
        }
...

        server {
                listen     33061;
                proxy_pass rds_db_1;
        }
        server {
                listen     33062;
                proxy_pass rds_db_2;
        }
...
}

In my case I had a number of connections to proxy, so I used custom high port numbers to distinguish each connection (33061, 33062, ...). These ports are totally arbitrary.

If you're only doing one connection, then you could just have nginx listen on the normal mysql port number.

4) Set up a network load balancer (NLB) in a public subnet, to forward requests to the instance.

I could also have just put the proxy instance in the public subnet, and skipped the load balancer, but this seemed like a more secure way to do it.

I then set up the security group for the instance to allow requests from the VPC CIDR (for the NLB->instance healthcheck), and from the vendor's external IPs.

Network load balancers cannot be configured with security groups directly, so the security rules need to be configured at the target instance directly.

5) I created custom mysql users specifically for the vendor.

6) Finally I set up a client-friendly DNS record to point to my NLB.

user1751825
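The following is an added example, not code from either answer above. It generates the stream-only nginx.conf from the accepted answer and the rinetd.conf equivalent from the other answer, from one list of forwards, so that each listen port gets its own uniquely named upstream and every listener carries the vendor IP allow list as a second filter behind the instance's security group. The hostnames aurora-endpoint-1.internal / aurora-endpoint-2.internal and the addresses in 203.0.113.0/24 (the TEST-NET-3 documentation range) are placeholders I constructed, not the poster's endpoints.

```shell
#!/bin/sh
# Generates (a) an nginx.conf that uses only the stream module and
# (b) an equivalent rinetd.conf, both forwarding fixed listen ports to
# private RDS endpoints and both restricted to a vendor IP allow list.
# Hostnames and addresses are placeholders: the endpoints are not real
# and 203.0.113.0/24 is the TEST-NET-3 documentation range.

VENDOR_IPS="203.0.113.10 203.0.113.11"   # constructed allow list

# One forward per line: <listen_port> <private_db_endpoint> <db_port>
FORWARDS="33061 aurora-endpoint-1.internal 3306
33062 aurora-endpoint-2.internal 3306"

# nginx stream config.  Every listen port gets its own uniquely named
# upstream (a duplicate upstream name is rejected by nginx -t).  allow/deny
# come from ngx_stream_access_module; the kernel completes the TCP
# handshake before nginx evaluates them, so an NLB TCP health check from
# the VPC still passes even though the VPC CIDR is not in the allow list.
gen_nginx_stream_conf() {
    printf 'events { worker_connections 1024; }\n'
    printf 'stream {\n'
    n=0
    while read -r lport host dport; do
        [ -z "$lport" ] && continue
        n=$((n + 1))
        printf '    upstream rds_db_%s {\n' "$n"
        printf '        server %s:%s;\n' "$host" "$dport"
        printf '    }\n'
        printf '    server {\n'
        printf '        listen %s;\n' "$lport"
        for ip in $VENDOR_IPS; do
            printf '        allow %s;\n' "$ip"
        done
        printf '        deny all;\n'
        printf '        proxy_connect_timeout 5s;\n'
        printf '        proxy_pass rds_db_%s;\n' "$n"
        printf '    }\n'
    done <<EOF
$FORWARDS
EOF
    printf '}\n'
}

# rinetd equivalent (the approach in the other answer).  "allow" lines
# placed before any forwarding rule are global, so they gate every
# forward; rule format: bindaddress bindport connectaddress connectport.
gen_rinetd_conf() {
    for ip in $VENDOR_IPS; do
        printf 'allow %s\n' "$ip"
    done
    while read -r lport host dport; do
        [ -z "$lport" ] && continue
        printf '0.0.0.0 %s %s %s\n' "$lport" "$host" "$dport"
    done <<EOF
$FORWARDS
EOF
}

# Reads an nginx config on stdin; fails if two upstream blocks share a
# name, which is exactly the copy-paste mistake a hand-edited config invites.
check_unique_upstreams() {
    if grep -o 'upstream [A-Za-z0-9_]*' | sort | uniq -d | grep -q .; then
        return 1
    fi
    return 0
}

# Usage: sh gen_proxy_conf.sh nginx > nginx.conf
#        sh gen_proxy_conf.sh rinetd > /etc/rinetd.conf
case "${1:-}" in
    nginx)  gen_nginx_stream_conf ;;
    rinetd) gen_rinetd_conf ;;
esac
```

Run `nginx -t -c /path/to/nginx.conf` on the generated file before deploying it; a config with no `http {}` block is valid for a stream-only build like the one in the answer. The in-nginx allow list only means something because an NLB with instance targets hands nginx the vendor's real source address; the security group on the instance remains the first filter. Two caveats follow from proxying: RDS sees every vendor connection as coming from the proxy's private IP, so MySQL host-based grants cannot tell vendor addresses apart (the condition the rinetd answer calls out), and the vendor users should be scoped to that proxy host with minimal privileges; and nginx resolves a static `server host:port` line when the config is loaded, so reload it after an endpoint's address changes.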