
I have an RDS database in VPC A, that I'd like to share with an EC2 instance in VPC B.

How do I do so by giving access specifically ONLY to the database (especially given that RDS doesn't expose a static IP and rather a DNS endpoint)?

mic

1 Answer


Assuming your VPCs are peered using VPC peering or a transit gateway, you can whitelist the EC2 instance's security group in the security group that is attached to your RDS instance.

So, you can add an inbound rule to the RDS security group which will allow access on port 3306 (MySQL) or 5432 (Postgres) from the security group ID attached to the EC2 instance.

marcincuber
  • Thanks for the answer. The issue, as far as I am aware, is that this would potentially mean that other resources in the same subnet with a more lax security group could still be accessed. Unfortunately I have limited control over the VPC the database is sitting in and would therefore prefer a solution that forces the peer VPC to only be able to connect to a specific RDS instance, if possible (if not, I will accept your answer). – mic Dec 09 '22 at 13:18
  • Well, you need to connect the VPCs somehow so you achieve private connectivity between subnets. Your RDS SG will only allow a single security group to access it from a different VPC. With a transit gateway you can have more granular control over which CIDRs allow what access. But it is rather expensive, as you pay per VPC attachment, and it gets more complicated with propagation rules etc. Regarding VPC management, if you don't control the VPCs and some resources are more relaxed, just limit your resources as much as possible so you are not impacted by things you don't own. – marcincuber Dec 09 '22 at 13:23
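The rule the answer describes, plus the check a practitioner would run on the RDS security group afterwards, as an added example that is not part of the original question, answer or comments. The security group IDs (sg-0db0000000000001 for the RDS instance, sg-0ec2000000000002 for the EC2 instance in the peered VPC, sg-0bad000000000003 as a stray reference) and the 10.1.0.0/16 CIDR are hypothetical, and the sample security group is constructed by hand in the shape that `aws ec2 describe-security-groups` returns; nothing here talks to AWS.

```python
"""
Added example (not from the original post): build the security-group-scoped
ingress rule the answer recommends, and audit an RDS security group so that the
database port is reachable only from the EC2 instance's security group.

All IDs below are hypothetical placeholders.
"""
import json
from typing import Dict, List

DB_SG = "sg-0db0000000000001"   # hypothetical: security group attached to the RDS instance (VPC A)
EC2_SG = "sg-0ec2000000000002"  # hypothetical: security group attached to the EC2 instance (VPC B)
DB_PORT = 5432                  # PostgreSQL; use 3306 for MySQL


def sg_scoped_ingress(port: int, source_sg: str) -> Dict:
    """IpPermissions entry admitting `port` only from members of `source_sg`.

    Referencing a security group instead of a CIDR means the rule follows the
    instance(s) carrying that group, not their IPs or subnet, which is why it
    works even though the RDS endpoint is a DNS name and the EC2 IP may change.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
    }


def audit_db_port(sg: Dict, port: int, allowed_sources: List[str]) -> List[str]:
    """Return one finding per inbound rule on `sg` that can reach `port` from
    anything other than the security groups listed in `allowed_sources`.

    Catches CIDR-based rules (IPv4 and IPv6), "all traffic" rules (IpProtocol -1)
    and references to security groups that should not have database access.
    """
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue  # udp/icmp rules cannot reach a TCP database listener
        if proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not (lo <= port <= hi):
                continue
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR {r['CidrIp']} reaches port {port}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"CIDR {r['CidrIpv6']} reaches port {port}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_sources:
                findings.append(f"security group {pair['GroupId']} reaches port {port}")
    return findings


# Constructed sample: an RDS security group before cleanup. Only the first rule
# is the one the answer recommends; the other two are the kind of lax rules the
# question worries about.
SAMPLE_DB_SG = {
    "GroupId": DB_SG,
    "IpPermissions": [
        sg_scoped_ingress(DB_PORT, EC2_SG),
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}],  # whole peer VPC CIDR: too broad
         "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0bad000000000003"}]},  # all traffic from another SG
    ],
}

if __name__ == "__main__":
    # JSON usable as --ip-permissions for `aws ec2 authorize-security-group-ingress`
    print(json.dumps([sg_scoped_ingress(DB_PORT, EC2_SG)], indent=2))
    for finding in audit_db_port(SAMPLE_DB_SG, DB_PORT, [EC2_SG]):
        print("finding:", finding)
```

To apply the rule for real, write the printed JSON to a file and run `aws ec2 authorize-security-group-ingress --group-id <rds-sg-id> --ip-permissions file://rule.json`; to audit a live group, feed the `SecurityGroups[0]` element of `aws ec2 describe-security-groups --group-ids <rds-sg-id>` to `audit_db_port`. A security group in another VPC can only be referenced this way when the two VPCs are peered within the same region. The audit does not replace the database's own network controls: subnet NACLs and the route tables on the peering connection still decide which CIDRs can reach the RDS subnet at all.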