Metabase - IP addresses to whitelist

There are some Amazon RDS databases that are in a private subnet of my VPC.

I want to connect to them through Metabase. I tried to add these IPs in the Security Group associated to the RDS instances. However, I was not able to connect.

If these Metabase IPs are directly added to my VPC, can the database be accessed? If yes then how?

I came across SSH tunneling in Metabase: https://www.metabase.com/docs/v0.46/databases/ssh-tunnel.html

If I create an EC2 instance in a public subnet and use this method, will I be able to access the RDS DB?

Logan
  • Are the RDS instances in a **public subnet**? Have they been configured as **Publicly Accessible**? Can you connect to them from your own computer? If the answer is YES to all these questions, then it sounds like the Security Group is incorrectly configured. Please edit your question and show us the Security Group configuration. – John Rotenstein Jul 24 '23 at 05:15
  • No, RDS are in a private subnet, and in the security group of that RDS only VPN and public subnet are there. I can connect to the computer with VPN only. – Logan Jul 24 '23 at 05:43
  • Ah! You didn't mention the VPN in your question. It is unlikely that you will be able to configure Metabase to connect via a VPN. To use an SSH Tunnel, you would need to launch an Amazon EC2 instance in a public subnet and configure it as a 'Jump Box' to allow Metabase to tunnel through it to the database. – John Rotenstein Jul 24 '23 at 05:57
  • Yeah, firstly I was using Metabase as a Docker version in EC2, which was able to connect to RDS without VPN. And locally, I required VPN. But I have the cloud access of Metabase now. If I use a jump box kind of thing, would a free tier EC2 work? Would it scale for multiple users and a large database? – Logan Jul 24 '23 at 06:31
  • The AWS Free Tier offers a t2.micro/t3.micro for the first year of your AWS Account, so best not to think of it as being 'free' long-term. Queries that attempt to retrieve the entire contents of a table should be slow, but most queries would just be returning a relatively small set of data so it should work fine. The bigger problem will be the latency between a cloud-based Metabase and your database. If Metabase Cloud is running your AWS in the same region, then this will be negligible. – John Rotenstein Jul 24 '23 at 06:43
  • Is there any other way to whitelist those Metabase IPs in my VPC itself so that my RDS in a private subnet can be accessed? – Logan Jul 24 '23 at 07:24

1 Answer

Your Amazon RDS database is inside a private subnet. This means it cannot be directly accessed from the Internet. This is a benefit of using a private subnet -- it is secure from Internet access. However, this means that it is also harder for you to access from the Internet.

To connect to the RDS database from the Internet, you need to establish a connection to the VPC and then 'hop' to the database. Some options are:

  • A VPN connection to the VPC, or
  • An Amazon EC2 instance in a public subnet in the VPC, which you can use to create an SSH Tunnel (also known as a Jump Box)

The concept of 'whitelisting' allows you to specify a limited set of IP addresses to reduce access even further. For example, you might add a whitelist to the EC2 instance to limit the range of IP addresses that are allowed to establish an inbound connection. However, merely "adding a whitelist" would not grant access to the VPC without a VPN or SSH Tunnel.

John Rotenstein
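
An added example, not part of the answer above: a sketch of the two security group rules the jump box setup needs, built in the `IpPermissions` shape that boto3's `authorize_security_group_ingress` accepts. The IP addresses, the security group ID and the database port (5432) are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import json


def jump_box_ssh_rule(allowed_ips, description="Metabase Cloud IP (placeholder)"):
    """Ingress rule for the jump box SG: SSH only from single whitelisted hosts."""
    ranges = []
    for ip in allowed_ips:
        cidr = ip if "/" in ip else ip + "/32"
        net = ipaddress.ip_network(cidr, strict=True)
        # Refuse ranges such as 0.0.0.0/0: the whitelist should narrow access,
        # not open SSH on the public subnet to the whole Internet.
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"{ip}: whitelist single IPv4 hosts (/32) only")
        ranges.append({"CidrIp": str(net), "Description": description})
    if not ranges:
        raise ValueError("at least one allowed IP is required")
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ranges}


def database_rule(jump_box_sg_id, db_port):
    """Ingress rule for the RDS SG: database port only from the jump box SG.

    No public IPs appear here. The database stays in the private subnet and
    only sees traffic that arrives through the SSH tunnel on the jump box.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": db_port,
        "ToPort": db_port,
        "UserIdGroupPairs": [
            {"GroupId": jump_box_sg_id, "Description": "SSH tunnel from jump box"}
        ],
    }


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, fake SG id).
    metabase_ips = ["198.51.100.10", "203.0.113.25"]
    plan = {
        "jump_box_sg": [jump_box_ssh_rule(metabase_ips)],
        "rds_sg": [database_rule("sg-0123456789abcdef0", 5432)],
    }
    # Each list is what would be passed as IpPermissions=... to
    # ec2.authorize_security_group_ingress(GroupId=<that SG>, ...).
    print(json.dumps(plan, indent=2))
```
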