How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?

To connect to a private RDS DB instance from a local machine using an EC2 instance as a jump server, follow these steps:

1. Launch and configure your EC2 instance and configure the network setting of the instance.
2. Configure the RDS DB instance's security groups.
3. Connect to the RDS DB instance from your local machine.

Important: To connect to a private Amazon RDS or Amazon Aurora DB instance, it's best to use VPN or AWS Direct Connect. If you can't use VPN or Direct Connect, then use a bastion host. The following example configuration restricts access using security groups, but you can also restrict the network access control list (network ACL) of subnets to make the connection more secure. You can also restrict the route scope of internet gateway to use a smaller range instead of 0.0.0.0/0. For example, you can add only the required CIDR range in the routing table for the destination when you add the internet gateway. For more information, see Example routing options.

The following example configuration is for an RDS MySQL DB instance that is in an Amazon Virtual Private Cloud (Amazon VPC) and has security groups set up for an EC2 instance.

1. Open the Amazon EC2 console, and choose Launch instance.
2. Select an Amazon Machine Image (AMI).
3. Choose an instance type, and then choose Next: Configure Instance Details.
4. For Network, choose the VPC that the RDS DB instance uses.
5. For Subnet, select the subnet that has an internet gateway in its routing table. If you don't already have an internet gateway, you can add it to the subnet after the EC2 instance is created.
6. Choose Next: Add Storage, and modify storage as needed.
7. Choose Next: Add Tags, and add tags as needed.
8. Choose Next: Configure Security Group, choose Add Rule, and enter the following:
   Type: Custom TCP Rule
   Protocol: TCP
   Port Range: 22
   Source: Enter the IP address of your local machine. By default, the source IP address is open to all. But you can restrict access to your local public IP address only.
9. Choose Review and Launch.
10. Choose Launch.

1. Open the Amazon RDS console, and choose Databases from the navigation pane.
2. Choose the name of the RDS DB instance. Or create an RDS DB instance, if you don't already have one.
3. Choose the Connectivity & security tab.
4. From the Security section, choose the link under VPC security groups.
5. Select the security group, choose Actions, and choose Edit inbound rules.
6. Choose Add rule and enter the following:
   Type: Custom TCP Rule
   Protocol: TCP
   Port Range: Enter the port of your RDS DB instance
   Source: Enter the private IP address of your EC2 instance
7. Choose Save.

This configuration for the security group allows traffic from the EC2 instance's private IP address. If the EC2 instance and the RDS DB instance use the same VPC, then you don't need to modify the route table that is used by the RDS DB instance. If the VPC is different, then create a VPC peering connection to allow connections between those VPCs.

Depending on the client that you use, the steps for connecting to the RDS DB instance vary. For more information, see Connecting to an Amazon RDS DB Instance. If you use MySQL, it's a best practice to use SSL to encrypt the connection between the client application and Amazon RDS.

The following example uses the MySQL Workbench client to connect to the bastion host:

1. Start a new connection, and select Standard TCP/IP over SSH for the Connection Method.
2. Enter the following details about the EC2 instance for the SSH settings:
   SSH Hostname: Enter the public DNS name of the EC2 instance.
   SSH Username: Enter the user name for your EC2 instance. For example, "ec2-user" is the user name for EC2 Linux machines.
   SSH Key File: Select the private key that was used when the EC2 instance was created.
3. Enter the following details for the MySQL instance settings:
   MySQL Hostname: Enter the RDS DB instance endpoint
   MySQL Server port: Enter 3306 (or the custom port that you use).
   Username: Enter the master user name of the RDS DB instance.
   Password: Enter the master password of the RDS DB instance.
4. Choose Test Connection.
5. After the connection is successful, enter a connection name, and save the connection.