In this article, we’ll discuss how to connect to a private RDS instance using an EC2 instance as a bastion host.
There are other ways to reach a private RDS or Aurora DB instance, such as a VPN or AWS Direct Connect, which are the recommended options for regular access from an office network. If you don’t want to set those up, an EC2 bastion host is a simple alternative: a small instance in the database’s VPC that you SSH into, so the database itself never has to be exposed to the internet.
Without further ado, let’s dive into it —
Bastion Host
A special-purpose computer on a network specifically designed and configured to withstand attacks. This computer generally hosts a single application or process.
Wikipedia.
Note: The EC2 instance must be in the same VPC as the RDS database (or in a VPC that has a route to it, for example via VPC peering); otherwise there is no network path between the two.
For the bastion host you can launch a new, small EC2 instance, or reuse one that already exists in the same VPC as the RDS instance.
Prerequisites
- AWS console access
- A private RDS or Aurora DB instance already set up (Publicly accessible turned off)
- The private key file of the bastion host’s key pair
- A database client for your engine (e.g. MySQL Workbench)
How to connect a private RDS using EC2 as bastion host
Step-1: Launch and configure the EC2 instance
First, log in to AWS console and follow the steps:
- Go to AWS EC2 Dashboard, and click on Launch instances.
- Give the instance a Name tag and select your desired AMI (e.g. Amazon Linux 2, Ubuntu).
- Choose an instance type (e.g. t2.micro; the bastion only forwards traffic, so a small instance is enough).
- In the Key pair (login) section, create a new key pair or select one you already have. Keep the private key file; it cannot be downloaded again.
- In the Network settings section, click Edit and select the VPC in which the RDS instance is running.
- Choose a public subnet (one whose route table has a route to an internet gateway) and enable Auto-assign public IP; otherwise you will not be able to reach the bastion from your machine.
- Create a new security group or use an existing one. If you create a new one, configure the following (inbound and outbound rules can be modified later):
- Type: ssh
- Protocol: TCP
- Port Range: 22
- Source: the public IP address of your local machine as a /32 (the default, 0.0.0.0/0, allows SSH from any address on the internet)
- Click on Launch instance.
Wait until the instance is in a running state.
The EC2 instance is now ready to serve as a bastion host for RDS connectivity.
Step-2: Configure RDS instance’s security groups
- Go to AWS RDS Console and choose the Databases from the sidebar.
- Click the RDS database name, then open the Connectivity & security tab.
- In the Security section, under VPC security groups, click the security group name to open it.
- Click Edit inbound rules and add the following rule:
- Type: Custom TCP Rule
- Protocol: TCP
- Port Range: the port the RDS DB instance listens on (3306 for MySQL)
- Source: the security group of the EC2 bastion instance (preferred, since the rule keeps working even if the instance’s address changes), or the bastion’s private IP address as a /32
- Click on Save rules.
Points to Remember
- For the security groups: the bastion host should only allow SSH (TCP port 22) from known hosts, i.e. your local machine’s address. It is neither necessary nor advisable to allow any traffic into the bastion on the database port (e.g. 3306 for MySQL); the only access it needs from the internet is port 22.
- The security group of the RDS instance should allow traffic on the database port only from the bastion host (its security group or its private IP), not from the whole VPC and certainly not from the internet. Anything broader than that turns every other host in the VPC into a path to the database.
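To check that the two groups actually end up looking like this, here is an added example (not from the original article) that audits security groups in the JSON shape returned by `aws ec2 describe-security-groups` (the `IpPermissions` list of each group). The group IDs, CIDRs and the weak/fixed rule sets are constructed sample data; feed it the real `IpPermissions` of your own groups to audit them. The weak RDS group shows the “allow from within the VPC” variant, which lets every host in the VPC reach the DB port, next to the corrected group that references only the bastion’s security group.

```python
import ipaddress

# Constructed sample groups, in the shape of `aws ec2 describe-security-groups`
# output (SecurityGroups[]). The group IDs, CIDRs and port are made up for this example.
BASTION_SG_ID, RDS_SG_ID = "sg-0bastion000000001", "sg-0rds0000000000002"
ADMIN_CIDRS = ["203.0.113.10/32"]          # your workstation's public IP as a /32

BASTION_SG_WEAK = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,           # console default source
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
BASTION_SG_FIXED = {"GroupId": BASTION_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]}
RDS_SG_WEAK = {"GroupId": RDS_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,       # "from within the VPC"
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
RDS_SG_FIXED = {"GroupId": RDS_SG_ID, "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,       # only the bastion's group
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]}]}


def _exact_tcp_port(perm, port):
    """True if the rule is TCP to exactly this one port (no ranges, no 'all traffic')."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == port and perm.get("ToPort") == port)


def _cidr_sources(perm):
    """All IPv4/IPv6 CIDR sources of one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_bastion_sg(sg, admin_cidrs):
    """Bastion: inbound is tcp/22 only, and only from the listed admin addresses."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for perm in sg["IpPermissions"]:
        if not _exact_tcp_port(perm, 22):
            findings.append(f"{sg['GroupId']}: inbound rule other than tcp/22 "
                            f"({perm.get('IpProtocol')} {perm.get('FromPort')}-{perm.get('ToPort')})")
            continue
        for cidr in _cidr_sources(perm):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(f"{sg['GroupId']}: SSH open to the whole internet ({cidr})")
            elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
                findings.append(f"{sg['GroupId']}: SSH allowed from unlisted source {cidr}")
    return findings


def audit_rds_sg(sg, db_port, bastion_sg_id, bastion_private_ip=None):
    """RDS: inbound is the DB port only, sourced from the bastion's group (or its /32)."""
    ok_cidr = f"{bastion_private_ip}/32" if bastion_private_ip else None
    findings = []
    for perm in sg["IpPermissions"]:
        if not _exact_tcp_port(perm, db_port):
            findings.append(f"{sg['GroupId']}: inbound rule other than tcp/{db_port}")
            continue
        for cidr in _cidr_sources(perm):
            if cidr != ok_cidr:
                findings.append(f"{sg['GroupId']}: DB port reachable from {cidr}, not just the bastion")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg_id:
                findings.append(f"{sg['GroupId']}: DB port open to unexpected group {pair.get('GroupId')}")
    return findings


if __name__ == "__main__":
    checks = [("bastion (weak)", audit_bastion_sg(BASTION_SG_WEAK, ADMIN_CIDRS)),
              ("bastion (fixed)", audit_bastion_sg(BASTION_SG_FIXED, ADMIN_CIDRS)),
              ("rds (weak)", audit_rds_sg(RDS_SG_WEAK, 3306, BASTION_SG_ID)),
              ("rds (fixed)", audit_rds_sg(RDS_SG_FIXED, 3306, BASTION_SG_ID))]
    for label, findings in checks:
        print(label, "->", findings or "OK")
```

Referencing the bastion’s security group as the source (the `UserIdGroupPairs` entry) rather than a CIDR is the design choice to take away: a security group reference follows the instance wherever its addresses go, and it says precisely which hosts are allowed, while a VPC-wide CIDR says “anything that gets a foothold in this VPC”.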
Step-3: Connect to the RDS instance from local machine
Connect Using DB Workbench Client
The exact steps depend on your database engine. For MySQL, you can use MySQL Workbench, which can open the SSH tunnel through the bastion host for you.
- Open MYSQL Workbench and start a new connection.
- Select Connection Method as Standard TCP/IP over SSH.
- Now, configure as the following:
- SSH Hostname: <public DNS name or public IP of the EC2 instance>
- SSH Username: <login user of the AMI, e.g. ubuntu for Ubuntu, ec2-user for Amazon Linux>
- SSH Key File: the private key file of the key pair chosen when the instance was launched
- MySQL Hostname: <RDS DB instance endpoint>
- MySQL Server Port: 3306 by default (or your custom port)
- Username: <Master username of RDS DB instance>
- Password: <Master password of RDS DB instance>
- Click on Test connection to test the connection.
- If the connection is successful, enter a connection name and save the connection.
That’s it!!
Connect using SSH tunneling
An SSH tunnel is a way of forwarding network traffic from one place to another through an SSH host. In our case, we forward traffic from a local port on our machine to the RDS instance via the bastion host.
So, you can use the following command to connect from the local machine:
$ ssh -i <ec2-instance-key-file> <ec2_instance_user>@<ec2_host> -N -f -L <local_port>:<RDS_endpoint>:<rds_port>
$ ssh -i "~/.ssh/example_key.pem" ec2-user@xxxxxxxxxxx.compute.amazonaws.com -N -f -L 3333:xxxxxxxxx.rds.amazonaws.com:3306
Here, -N means run no remote command, -f sends ssh to the background once it has authenticated, and -L forwards local port 3333 to port 3306 of the RDS endpoint via the bastion host. Because of -f the tunnel stays up until you kill that ssh process.
Now you can connect to RDS through the tunnel with the RDS DB username and password. Use 127.0.0.1 rather than localhost, because the mysql command-line client treats localhost as the local Unix socket and would ignore the port:
$ mysql -u user_name -p -h 127.0.0.1 -P 3333
Or use MySQL Workbench with the Standard (TCP/IP) connection method: hostname 127.0.0.1 and the local port you chose when opening the tunnel (3333 above).
Enter the RDS DB master username and password, then test the connection. It should work!!
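As an added example (not the article’s code), the following Python script does the tunnel step end to end without a database driver: it starts the ssh forward, waits for the local port to come up, then reads the handshake a MySQL server sends unprompted to confirm that what answers on the local port really is MySQL, and whether it offers TLS. The key path, bastion hostname and RDS endpoint are the article’s placeholders and must be replaced with your own; the `_build_greeting` bytes are constructed sample data so the parser can be exercised offline.

```python
import os
import socket
import subprocess
import time

CLIENT_SSL = 0x0800   # MySQL capability bit: the server will accept a TLS handshake


def open_tunnel(key_file, user, bastion, rds_endpoint, rds_port=3306, local_port=3333):
    """Start `ssh -N -L` as a child process and return it (terminate() closes the tunnel).

    ExitOnForwardFailure makes ssh fail loudly if the local port is already taken,
    instead of running with no forward; BatchMode stops it hanging on a password prompt.
    Binding to 127.0.0.1 keeps the forwarded port off your LAN.
    """
    cmd = ["ssh", "-i", os.path.expanduser(key_file), "-N",
           "-o", "ExitOnForwardFailure=yes", "-o", "BatchMode=yes",
           "-L", f"127.0.0.1:{local_port}:{rds_endpoint}:{rds_port}",
           f"{user}@{bastion}"]
    return subprocess.Popen(cmd)


def wait_for_port(port, host="127.0.0.1", timeout=15.0):
    """Poll until something accepts TCP connections on host:port, or time out."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.3)
    return False


def parse_mysql_greeting(packet):
    """Parse the protocol-10 handshake a MySQL server sends as soon as you connect.

    Wire layout: 3-byte little-endian payload length, 1-byte sequence id, then
    0x0a, NUL-terminated server version, 4-byte connection id, 8 bytes of auth
    data, a filler byte, 2 bytes lower capability flags, 1 byte charset,
    2 bytes status flags, 2 bytes upper capability flags.
    """
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if not payload or payload[0] != 0x0A:
        raise ValueError("not a MySQL protocol-10 greeting; is the tunnel pointed at the DB port?")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4 + 8 + 1                      # connection id, auth data part 1, filler
    cap_lower = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2 + 1 + 2                      # capabilities (low), charset, status flags
    cap_upper = int.from_bytes(payload[pos:pos + 2], "little")
    caps = (cap_upper << 16) | cap_lower
    return {"server_version": version, "connection_id": conn_id,
            "tls_offered": bool(caps & CLIENT_SSL)}


def probe_mysql(port, host="127.0.0.1"):
    """Connect to the local end of the tunnel and read the server's greeting."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        return parse_mysql_greeting(s.recv(1024))


def _build_greeting(version, cap_lower, cap_upper=0xDFFF, conn_id=7):
    """Constructed greeting packet, used only to exercise the parser offline."""
    payload = (b"\x0a" + version.encode() + b"\x00"
               + conn_id.to_bytes(4, "little")
               + b"12345678" + b"\x00"                       # auth data part 1, filler
               + cap_lower.to_bytes(2, "little")
               + b"\xff" + (0x0002).to_bytes(2, "little")    # charset, status (autocommit)
               + cap_upper.to_bytes(2, "little")
               + b"\x15" + b"\x00" * 10                      # auth data length, reserved
               + b"abcdefghijkl\x00" + b"caching_sha2_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


SAMPLE_GREETING_TLS = _build_greeting("8.0.35", 0xFFFF)      # CLIENT_SSL set
SAMPLE_GREETING_NO_TLS = _build_greeting("5.7.44", 0xF7FF)   # CLIENT_SSL cleared

if __name__ == "__main__":
    # Assumed placeholders, as in the article; substitute your own key, bastion and endpoint.
    tunnel = open_tunnel("~/.ssh/example_key.pem", "ec2-user",
                         "xxxxxxxxxxx.compute.amazonaws.com", "xxxxxxxxx.rds.amazonaws.com")
    try:
        if not wait_for_port(3333):
            raise SystemExit(f"tunnel did not come up (ssh exit status: {tunnel.poll()})")
        info = probe_mysql(3333)
        print(f"MySQL {info['server_version']} answered through the tunnel; "
              f"TLS offered: {info['tls_offered']}")
    finally:
        tunnel.terminate()
```

The `tls_offered` flag matters because the SSH tunnel only encrypts the hop from your machine to the bastion; the hop from the bastion to the RDS endpoint crosses the VPC in whatever form the client sends it. If the flag is true, pass `--ssl-mode=VERIFY_CA` together with `--ssl-ca` pointing at the RDS CA bundle from AWS to the mysql client (VERIFY_IDENTITY would fail here, because you connect to 127.0.0.1 while the certificate names the RDS endpoint).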
That’s it… you did it :-))
Conclusion
In this article, you’ve learned how to connect to a private RDS instance using EC2 as a bastion host, both with MySQL Workbench and with an SSH tunnel on the command line. This lets you reach the RDS instance without exposing it directly to the internet.
Also, check out my article on Install MongoDB on EC2 Instance – Solved Connection Issue From Public DNS
Thank YOU!