
I am trying to connect to my AWS RDS Mariadb instance that I am hosting on us-east/ohio from my local machine. I am trying to avoid making the instance publicly available but I am struggling to get this connection to work. Right now I am trying to connect from my local machine but eventually, I hope to host a nodejs server to talk to it on a static ip.

The setup I have now is the following:

  1. A single VPC that my RDS is connected to which includes a CIDR that contains my public ip x.y.z.0/24
  2. A route table which includes my public ip to connect to local
  3. Network ACL inbound and outbound rule number 1 is to allow All TCP from 0.0.0.0/0
  4. The Default security group which also allows all inbound and outbound traffic
  5. A VPC endpoint attached to the RDS service

With all of this set up I figured it should allow anyone that has the DNS name of my VPC endpoint to talk to my RDS instance, but I cannot get a connection to my instance. I have used every DNS name associated with my endpoint and every single one of them times out when I try to sign into the database. I have been fumbling with this for days and would like to get past this point of initial setup.

Things possibly to note:

  • The Network ACL comes with a default rule of "*" deny all traffic. I do not know what order that rule is evaluated. I chose 1 for my rule of allowing all but I have also tried rule 100. Neither seems to work.
  • I know my RDS instance is on us-east-2a and I have made sure to add the us-east-2a subnet to my VPC endpoint. Using the DNS name that includes that at one point was giving me network unreachable for a little bit before I realized the subnet ID I chose was not the default which just gave me a timeout again.
  • I am trying to use DBeaver to connect to the VPC endpoint but I have also used the console command mysql -h vpce-<random characters>-<VPC ID>-us-east-2a.rsa.us-east-2.vpce.amazonaws.com -u admin -p and gotten the same timeout
  • Does your RDS instance have a public IP allocated? – apokryfos Jan 15 '23 at 06:33
  • No, I am keeping the RDS instance purely on the VPC. My thought was the VPC endpoint could be my connection to it. – Matt Braniff Jan 15 '23 at 06:37
  • Have you attached an Internet gateway to your VPC? – Marko Eskola Jan 15 '23 at 06:37
  • There is a default internet gateway that is already attached I believe – Matt Braniff Jan 15 '23 at 06:42
  • Your local machine is outside the VPC and won't be able to connect to your RDS instance in this case. You'd need something like an SSH tunnel through a jump box/bastion box or other resource you can connect to from your local machine that is on the same VPC. – apokryfos Jan 15 '23 at 06:42
  • @apokryfos not even with the VPC endpoint? – Matt Braniff Jan 15 '23 at 06:42
  • VPC endpoint from what I understand is to connect VPC services to each other, though Amazon keeps adding features so I may not know all of the features – apokryfos Jan 15 '23 at 06:43
  • @apokryfos If that is the case then I might be better off just making the database publicly accessible. Even then I can still apply security groups to it to only allow my select ips to connect to it right? I don't want to do the SSH jump because I have a setup on Nodejs that lets me connect directly to a database and build parameterized queries from there. Having to manually execute things through ssh sounds awful to me. – Matt Braniff Jan 15 '23 at 06:49
  • Well it is certainly easier to assign it a public IP and control access through security groups. Allow access to your own IP and when/if that changes you can update the security group. You can also consider using a local database installation for local development and only use RDS for apps that are hosted on AWS (e.g. beta and production environments) – apokryfos Jan 15 '23 at 06:53
  • None of the things you are trying (matching your VPC CIDR to your local IP, creating a VPC endpoint, etc.) are going to work. You are trying to make your database directly accessible from the Internet and the only way to do that is to actually enable the publicly accessible feature in RDS to give it a public IP address. If you are worried about the security aspect of this, just make sure you assign a security group to the RDS instance that only allows your home computer's public IP address. By all means **do not use the default security group!** – Mark B Jan 15 '23 at 13:32
  • Better way would be to create a bastion host in the VPC and then do SSH tunneling to forward the port of the MariaDB – Vikram S Jan 15 '23 at 14:52
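Two points in the thread above are easy to check offline: the asker's question about what order the network ACL's "*" deny rule is evaluated in, and Mark B's advice to replace the default security group with one that only admits the home IP. The model below is an added example, not code from the question or from AWS, and it implements the documented evaluation semantics of the two layers: a network ACL tries numbered rules in ascending order and the first match decides, with the "*" rule denying whatever is left; a security group is a union of allow rules. All rule sets and IP addresses (203.0.113.10 as the home IP, 198.51.100.7 as any other host, both from documentation ranges) are constructed for the example. It deliberately does not model routing: an RDS instance with no public IP has no path from the internet at all, which is the actual reason for the timeout the comments describe.

```python
# Added example (not from the question or AWS): a small model of the two
# filtering layers discussed in the thread, a subnet network ACL and an
# instance security group, so their evaluation rules can be checked offline.
# Routing is not modelled: without a public IP there is no path from the
# internet regardless of what these two layers allow.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # numbered rules are evaluated lowest first
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str
    port_from: int = 0
    port_to: int = 65535


@dataclass(frozen=True)
class SgRule:
    protocol: str     # security group rules are allow-only
    cidr: str
    port_from: int = 0
    port_to: int = 65535


def _matches(rule, addr, protocol, port):
    """Shared matcher: protocol, source CIDR and (unless protocol is all) port."""
    if rule.protocol not in ("-1", protocol):
        return False
    if addr not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.protocol == "-1" or rule.port_from <= port <= rule.port_to


def nacl_verdict(rules, src_ip, protocol, port):
    """Network ACL semantics: rules are tried in ascending rule number and the
    first match decides; the fixed '*' rule at the end denies everything else.
    Returns (action, deciding_rule_number)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, addr, protocol, port):
            return rule.action, rule.number
    return "deny", "*"


def sg_allows(rules, src_ip, protocol, port):
    """Security group semantics: the union of all rules; any match allows."""
    addr = ipaddress.ip_address(src_ip)
    return any(_matches(rule, addr, protocol, port) for rule in rules)


def reachable(nacl_rules, sg_rules, src_ip, protocol, port):
    """An inbound packet must pass the subnet NACL and then the security group."""
    action, _ = nacl_verdict(nacl_rules, src_ip, protocol, port)
    return action == "allow" and sg_allows(sg_rules, src_ip, protocol, port)


# Constructed sample data. 203.0.113.10 stands in for the asker's home IP and
# 198.51.100.7 for any other internet host (both are documentation ranges).
HOME_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"

# The question's NACL: rule 1 allows all TCP from anywhere; '*' deny is fixed.
QUESTION_NACL = [NaclRule(1, "allow", "tcp", "0.0.0.0/0")]

# Ordering example: a deny numbered 50 shadows an allow numbered 100 on 3306.
ORDERED_NACL = [
    NaclRule(50, "deny", "tcp", "0.0.0.0/0", 3306, 3306),
    NaclRule(100, "allow", "tcp", "0.0.0.0/0"),
]

# "Allow all inbound" versus a group restricted to one /32 on the MariaDB port.
OPEN_SG = [SgRule("-1", "0.0.0.0/0")]
RESTRICTED_SG = [SgRule("tcp", HOME_IP + "/32", 3306, 3306)]


def summary():
    """Evaluate the constructed scenarios and return the verdicts by name."""
    return {
        "nacl_rule1_tcp": nacl_verdict(QUESTION_NACL, HOME_IP, "tcp", 3306),
        "nacl_rule1_udp": nacl_verdict(QUESTION_NACL, HOME_IP, "udp", 53),
        "nacl_deny_first": nacl_verdict(ORDERED_NACL, HOME_IP, "tcp", 3306),
        "open_sg_other": sg_allows(OPEN_SG, OTHER_IP, "tcp", 3306),
        "restricted_sg_other": sg_allows(RESTRICTED_SG, OTHER_IP, "tcp", 3306),
        "restricted_sg_home": reachable(QUESTION_NACL, RESTRICTED_SG, HOME_IP, "tcp", 3306),
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name}: {verdict}")
```

The results show that the asker's rule 1 already admits TCP from anywhere, so the NACL is not what is timing out, and that the lower-numbered rule wins whenever two rules overlap, which is why choosing 1 versus 100 only matters when another rule sits in between. One thing the model leaves out is direction: network ACLs are stateless, so the database's replies to the client's ephemeral ports also need an outbound allow rule, whereas a security group is stateful and admits return traffic on its own. The restricted group is the shape Mark B describes: the open group admits any host on the internet, the one-/32 group admits only the home address on 3306.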

0 Answers