2

I have a database set up (use RDS) in a private subnet, and a bastion is set up in front of it in a public subnet. The traditional way to access this database from local laptops is to set up an ssh tunnel on that bastion/jumpbox and map the database port to local. But this is not convenient to development because we need to set up that tunnel everytime before we want to connect. I am looking for a way to access this database without setting up an ssh tunnel first. I have seen a case where the local laptop directly uses that bastion's ip and its 3306 port to connect to the database behind. I have no idea how it is done.

BTW, in that case I saw, they don't use port forwarding because I didn't find any special rules in the bastion's iptable.

Z.Wei
  • 3,658
  • 2
  • 17
  • 28
  • This might offer an interesting alternative: [New – Port Forwarding Using AWS System Manager Session Manager | AWS News Blog](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/) Basically, they can tunnel via AWS System Manager Session Manager. – John Rotenstein Apr 15 '20 at 01:58

1 Answers1

1

There are several ways to accomplish what you are trying to do, but without understanding the motivation fully it is hard to say which is the "Best Solution".

SSH Tunneling is the defacto standard of accessing a resource in a private subnet behind a public bastion host. I will agree that SSH Tunnels are not very convenient, fortunately, some ide's and many apps are available to make this as easy as a click of a button once configured.

Alternatively, you can set up a client to site VPN to your EC2 environment which would also provide access to the private subnet.

I would caution anything you do which proxies or exposes the DB cluster to the outside world in a naked way such as using IP tables, Nginx, etc. should be avoided. If your goal is this, then the correct solution is to just make the DB instance publicly exposed. But be aware any of these solutions which do not make use of tunneling in (such as VPN or SSH Tunnel) would be an auditory finding, and open your database to various attack vectors. To mitigate it would be recommended that your security groups should restrict port 3306 to the public IP's of your corporate network.

James Powis
  • 609
  • 4
  • 16
  • In the case I saw, they don't use VPN. I am curious how they make the jumpbox as the host of the database so they can access the database using that jumpbox's ip. There are security groups and network acl set up before that jumpbox so security is not a concern there. – Z.Wei Apr 13 '20 at 20:41
  • The best way to figure out would be to run netstat on the bastion host and figure out what PID is listening on 3306. That will give you all the answers. – James Powis Apr 13 '20 at 20:45
  • Sorry just saw your comment. I tried `sudo netstat -ltnp | grep -w ':3306'`, but it returns nothing, which means there is no special process running for this. – Z.Wei Apr 17 '20 at 16:12
  • I almost forgot this post. I finally used haproxy to achieve this. Still select this response as an acceptable answer since it provides a good view on possible solutions, and I chose the one similar to use Nginx. – Z.Wei Jan 18 '21 at 19:09