6

I am new to AWS VPC. I have a question about how to connect MySQL Workbench to RDS in an AWS private subnet.

I used the VPC wizard to create scenario 2: VPC with public and private subnets. In a lot of blogs and forums, most people recommend that the database should be in a private subnet, so I created the database in a private subnet. I also created a NAT gateway (not the instance). Is there any way I could use MySQL Workbench from a public (any) network to connect to the database in the private subnet?

Thanks, Angela

Angela Chan
  • 2
    You would have to create an EC2 instance in your public subnet, and use SSH tunneling to reach the RDS server from your local computer. http://stackoverflow.com/questions/19129428/connecting-to-amazon-rds-instance-through-ec2-instance-using-mysql-workbench – Mark B Sep 20 '16 at 21:35
  • Looks like I need an instance anyway. Thanks Mark. – Angela Chan Sep 22 '16 at 13:06

2 Answers

4

I also followed the Scenario 2 in the AWS Documentation without the NAT parts. But now I can't access the RDS instance from my computer because RDS is in a private subnet.

To solve the accessibility problem I got the idea from this tutorial. I actually did not follow it, so I cannot recommend it.

What I actually did was:

1) I created an EC2 instance and gave it an Elastic IP.

2) Then I allowed the DB to receive traffic from this instance (this was already defined in the AWS tutorial, on the DB server Security Group).

3) Then I allowed an SSH connection from my computer to the EC2 instance.

4) Finally, I was able to connect to the DB using MySQL Workbench by establishing a "Standard TCP/IP over SSH" connection.

The good thing is that this solution can be achieved using only Free Tier resources (at the time of writing) AFAIK.

jose
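
A check for steps 2 and 3 of this answer, as an added example that is not part of the original post: it reads security-group data in the shape of EC2 `DescribeSecurityGroups` output and flags ingress rules wider than the bastion setup needs. The group IDs, the administrator address `203.0.113.10/32` and the function names are assumptions; only IPv4 CIDR ranges and security-group references are examined.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output.
# Group IDs and addresses are placeholders, not values from the post.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]

def covers(rule, port):
    """True if an ingress rule applies to the given TCP port."""
    if rule["IpProtocol"] == "-1":  # "-1" means every protocol and port
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def audit(groups, bastion_sg, db_sg, admin_cidr, db_port=3306):
    """List ingress rules wider than the bastion pattern needs."""
    by_id = {g["GroupId"]: g for g in groups}
    admin = ipaddress.ip_network(admin_cidr)
    findings, bastion_can_reach_db = [], False
    # Step 3: SSH to the bastion only from the administrator's address.
    for rule in by_id[bastion_sg]["IpPermissions"]:
        if covers(rule, 22):
            for r in rule.get("IpRanges", []):
                if not ipaddress.ip_network(r["CidrIp"]).subnet_of(admin):
                    findings.append(f"{bastion_sg}: SSH open to {r['CidrIp']}")
    # Step 2: the DB port reachable only from the bastion's security group.
    for rule in by_id[db_sg]["IpPermissions"]:
        if not covers(rule, db_port):
            continue
        for r in rule.get("IpRanges", []):
            findings.append(f"{db_sg}: port {db_port} open to CIDR {r['CidrIp']}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] == bastion_sg:
                bastion_can_reach_db = True
            else:
                findings.append(f"{db_sg}: port {db_port} open to {pair['GroupId']}")
    if not bastion_can_reach_db:
        findings.append(f"{db_sg}: no rule admits {bastion_sg} on port {db_port}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS, "sg-bastion", "sg-db", "203.0.113.10/32"):
        print(line)
```

On the constructed sample it reports the world-open SSH rule on the bastion and the subnet-wide CIDR rule on the database port, while accepting the rule that references the bastion's group.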
3

Use a VPN solution such as OpenVPN.

  • Configure an OpenVPN server in the public subnet.
  • Push the route of the private subnet in the server configuration
  • Adjust the private route table to pass the VPN traffic through the VPN server
  • Connect to the VPN using the client configuration from your PC.
  • Use MySQL Workbench to connect to your DB instance

Another way, as suggested previously: you can configure an SSH bastion host and then use it as a jump server to SSH into the DB instance. Configure the MySQL Workbench connection accordingly to reach the DB.

  • 1
    "- Adjust the private route table to pass the vpn traffic through vpn server" - can you provide more specifics on this line? thanks! – BatteryAcid Mar 06 '17 at 15:40
  • This worked for me. The key was making sure the database's security group allowed Postgres access from the elastic IP of the NAT gateway associated with the public subnet that the OpenVPN instance was in. Thanks – BatteryAcid Mar 06 '17 at 23:42
  • @BatteryAcid I followed mahesh duvvuru's steps and made sure to update the security group so it allowed the traffic as you stated, but I'm still unable to connect to the database. I'm thinking of a server configuration problem or a DNS resolution issue, since the RDS doesn't have a private IP (I have another instance on this subnet and I'm able to connect with the private IP). Do I need to configure anything besides the private subnet I want to reach? – FelipeM Nov 22 '17 at 17:22
  • @FelipeM So I just checked my configs, my database security group has an inbound role for PostgreSQL from the VPN's security group. Also, my VPN EC2 instance and Database are in the same availability zone (VPN is public and DB private subnet), not sure that makes a difference. – BatteryAcid Nov 22 '17 at 17:38
  • @BatteryAcid Thank you for answering. I have it exactly like you, availability zone and subnet configuration; the only difference I'm seeing is that you use Postgres and I use MySQL. Could I ask, when you connect through Workbench, do you use the private IP or the endpoint name that RDS provides? – FelipeM Nov 22 '17 at 17:54
  • @FelipeM definitely use the DNS listed under Endpoint in the RDS instance details. – BatteryAcid Nov 22 '17 at 18:00
  • 1
    I was finally able to connect to my RDS instance. It turns out that Workbench was resolving the DNS in my local network, not the VPN, and being blocked. I changed the option "Should client Internet traffic be routed through the VPN?" to YES and now everything is working like a charm and resolving the private IP using the DNS. Thank you so much @BatteryAcid and mahesh duvvuru. Hope this little discussion helps somebody else. – FelipeM Nov 22 '17 at 20:49
  • Where can I see that "should client internet traffic be routed.." option? @FelipeM – Mayowa Daniel Jan 06 '23 at 07:10