-3

I am hoping someone can clarify some network/security concerns about the following scenario:

I have a VPC that allows outbound connections to external internet resources, but is not supposed to allow inbound connections from any resources not within the VPC. Essentially all connections to VPC resources are through private IP addresses (or API gateway, tunnels, etc.).

I need to allow an external service to write data into an RDS instance, and allow our internal resources to read that data. The external service is limited and we may only allow access via whitelisting certain IPs.

My initial thought was to create a publicly accessible RDS instance inside the VPC and attach a security group to the instance that whitelisted the required IPs. There is a concern that this exposes the entire VPC. It also causes issues with connecting through VPN as the public IP is not routed through point to point correctly (this cannot be fixed apparently), however I believe I can just use IAM authentication to get around this. Is the concern about exposing the entire VPC justified?

Alternatively, I believe we can create the RDS instance in another VPC and connect it to our main VPC via peer connections. I am not sure if this addresses the concerns, and it seems somewhat redundant.

I am hoping to get some suggestions on how to securely expose an RDS instance to specific IPs, while also allowing access from a multitude of AWS services in a secure way.

zemaj
    "My initial thought was to create a publicly accessible RDS instance inside the VPC and attach a security group to the instance that whitelisted the required IPs. There is a concern that this exposes the entire VPC ... Is the concern about exposing the entire VPC justified?" It would only "expose" the resources the security group is attached to. If you only attach it to the RDS instance, then that will be the only thing it exposes. – Mark B Aug 09 '23 at 15:57

1 Answer

2

If the VPC has an Internet Gateway then the VPC is already "exposed" (whatever that means) -- but that's normal and fine.

Access from the Internet would only be possible to resources in the VPC that have a Public IP address and a Security Group configuration that permits the incoming connection, and it would only be to resources that are in a public subnet. So, it is incorrect to say that "this exposes the entire VPC".

Yes, the best option from a security perspective would be:

  • Launch an Amazon RDS database in a public subnet with Publicly Available = Yes
  • Add a Security Group to the database that only permits inbound connections from the IP address(es) of the external service

This database would be accessible from the external service and also from anything running in the same VPC. It does not 'expose' anything else.

John Rotenstein
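The answer's point is that a resource is reachable from the Internet only when three conditions hold at once: it has a public IP, it sits in a subnet whose route table sends 0.0.0.0/0 to an Internet Gateway, and a security group attached to it permits the inbound connection from outside the VPC. The script below is an added example (not part of the question or answer, and not an AWS tool) that encodes that check over constructed sample data shaped like the `describe_subnets` / `describe_route_tables` / `describe_security_groups` output from boto3. All IDs, addresses and group names are hypothetical; it runs offline and does not model NACLs, so treat it as an illustration of the reasoning rather than a complete audit.

```python
"""Exposure check for VPC resources, modelled on boto3 describe_* output shapes.

Added example: every ID, address and group below is constructed for this
demonstration and does not come from the page or from AWS tooling. NACLs are
not modelled; a real audit would feed actual describe_* results in.
"""
import ipaddress

VPC_CIDR = "10.20.0.0/16"  # constructed VPC range

# Constructed subnets: one public (route to an IGW), one private (route to a NAT GW).
SUBNETS = {
    "subnet-public": {"RouteTableId": "rtb-public"},
    "subnet-private": {"RouteTableId": "rtb-private"},
}
ROUTE_TABLES = {
    "rtb-public": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}],
    "rtb-private": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}],
}

# Constructed security groups (inbound rules only).
SECURITY_GROUPS = {
    # RDS group as the answer proposes: only the external service's /32s, only the DB port.
    "sg-rds": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}]}],
    # App group: open to the VPC only, so a public IP alone does not expose it.
    "sg-app": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": VPC_CIDR}]}],
    # Misconfigured group: SSH from anywhere.
    "sg-bastion": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Constructed resources (public IPs drawn from the TEST-NET-2 documentation range).
RESOURCES = {
    "rds-external": {"PublicIp": "198.51.100.5", "SubnetId": "subnet-public", "SecurityGroupIds": ["sg-rds"]},
    "app-server": {"PublicIp": "198.51.100.6", "SubnetId": "subnet-public", "SecurityGroupIds": ["sg-app"]},
    "internal-db": {"PublicIp": None, "SubnetId": "subnet-private", "SecurityGroupIds": ["sg-bastion"]},
    "bastion": {"PublicIp": "198.51.100.7", "SubnetId": "subnet-public", "SecurityGroupIds": ["sg-bastion"]},
}


def subnet_is_public(subnet_id):
    """A subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway."""
    for route in ROUTE_TABLES[SUBNETS[subnet_id]["RouteTableId"]]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def internet_reachable_rules(resource):
    """Return (from_port, to_port, cidr) triples that the Internet can reach on this resource.

    An empty list means the resource is not exposed, whatever the VPC's IGW does.
    Ranges inside the VPC CIDR are skipped: they only admit VPC-internal callers.
    """
    if not resource.get("PublicIp"):
        return []
    if not subnet_is_public(resource["SubnetId"]):
        return []
    vpc = ipaddress.ip_network(VPC_CIDR)
    reachable = []
    for sg_id in resource["SecurityGroupIds"]:
        for rule in SECURITY_GROUPS[sg_id]:
            for rng in rule.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if net.subnet_of(vpc):
                    continue
                reachable.append((rule["FromPort"], rule["ToPort"], rng["CidrIp"]))
    return reachable


def sg_is_tight_allowlist(sg_id):
    """True when every inbound range is a single host (/32) and none is 0.0.0.0/0."""
    for rule in SECURITY_GROUPS[sg_id]:
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen != 32:
                return False
    return True


def exposure_report():
    """Map every resource name to the rules the Internet can reach on it."""
    return {name: internet_reachable_rules(res) for name, res in RESOURCES.items()}


if __name__ == "__main__":
    for name, rules in exposure_report().items():
        print(f"{name}: {'NOT exposed' if not rules else rules}")
```

Running it shows that only `rds-external` (to the two whitelisted /32s on 5432) and the misconfigured `bastion` are reachable from outside; `app-server` has a public IP but its group admits only the VPC range, and `internal-db` has no public IP and sits behind a NAT Gateway. `sg_is_tight_allowlist` is the check to run on the RDS group before deployment: it flags any range wider than a single host.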