How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?
Last updated: 2022-11-15
I want to connect to a private Amazon Relational Database Service (Amazon RDS) DB instance from a local machine. How can I do this using an Amazon Elastic Compute Cloud (Amazon EC2) instance as a bastion (jump) host?
To connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a jump server, follow these steps:
- Launch and configure your EC2 instance, and then configure the network setting of the instance.
- Configure the RDS DB instance's security groups.
- Connect to the RDS DB instance from your local machine.
Important: To connect to a private Amazon RDS or Amazon Aurora DB instance, it's a best practice to use a VPN or AWS Direct Connect. If you can't use these options, then use a bastion host. The following example configuration restricts access using security groups. However, you can restrict the network access control list (network ACL) of subnets to make the connection more secure. You can also restrict the route scope of your internet gateway to use a smaller range instead of 0.0.0.0/0. For example, add only the required CIDR range in the routing table for the destination when you add the internet gateway. For more information, see Example routing options.
The following example configuration is for an Amazon RDS for MySQL instance that is in an Amazon Virtual Private Cloud (Amazon VPC). The instance has security groups set up for an EC2 instance.
Launch and configure the EC2 instance
- Open the Amazon EC2 console, and then choose Launch instance.
- Select an Amazon Machine Image (AMI).
- Choose an instance type, and then choose Next: Configure Instance Details.
- For Network, choose the VPC that the RDS DB instance uses.
- For Subnet, select the subnet that has an internet gateway in its routing table. If you don't already have an internet gateway, then you can add it to the subnet after the EC2 instance is created.
- For Auto-assign public IP, make sure that Enable is selected.
- Choose Next: Add Storage, and then modify storage as needed.
- Choose Next: Add Tags, and then add tags as needed.
- Choose Next: Configure Security Group, choose Add Rule, and then enter the following:
Type: Enter "Custom TCP Rule".
Protocol: Enter "TCP".
Port Range: Enter "22".
Source: Enter the IP address of your local machine. By default, the source is open to all addresses, but you can restrict access to your local machine's public IP address.
- Choose Review and Launch.
- Choose Launch.
Configure the RDS DB instance's security groups
Note: To connect one or more EC2 instances to an RDS database automatically, see Automatically connect an EC2 instance to an RDS database.
- Open the Amazon RDS console, and then choose Databases from the navigation pane.
- Choose the name of the RDS DB instance. Or, create an RDS DB instance if you don't already have one.
- Choose the Connectivity & security tab.
- From the Security section, choose the link under VPC security groups.
- Select the security group, choose Actions, and then choose Edit inbound rules.
- Choose Add rule, and then enter the following:
Type: Enter "Custom TCP Rule".
Protocol: Enter "TCP".
Port Range: Enter the port of your RDS DB instance.
Source: Enter the private IP address of your EC2 instance.
- Choose Save.
This configuration for the security group allows traffic from the EC2 instance's private IP address. If the EC2 instance and the RDS DB instance use the same VPC, then you don't need to modify the RDS DB instance's route table. If the VPC is different, then create a VPC peering connection to allow connections between those VPCs.
Note: Be careful if you use a more scalable solution. For example, if you use the security group ID in a security group rule, then make sure that it doesn’t restrict access to a single instance. Instead, it should restrict to any resource that uses the specific security group ID.
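As an added check that is not part of the original article, the following Python audits both security groups offline against the rules described above: SSH on the bastion must not be open to all addresses, and the DB port on the RDS group must admit only the bastion (by private IP or by group ID). It assumes the IpPermissions structure that boto3's describe_security_groups returns; the sample groups, group IDs and addresses are constructed.

```python
def _covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic on `port`."""
    if rule.get("IpProtocol") == "-1":            # "All traffic" rule
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_bastion_sg(sg):
    """EC2 bastion group: SSH (22) must not be reachable from the whole internet."""
    findings = []
    for rule in sg["IpPermissions"]:
        if not _covers_port(rule, 22):
            continue
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] == "0.0.0.0/0":
                findings.append("SSH (22) open to 0.0.0.0/0; restrict to your public IP /32")
        for r in rule.get("Ipv6Ranges", []):
            if r["CidrIpv6"] == "::/0":
                findings.append("SSH (22) open to ::/0; restrict to your public IPv6 address")
    return findings

def audit_rds_sg(sg, db_port, bastion_sg_id, bastion_ip):
    """RDS group: the DB port must admit only the bastion, by private IP or by its group ID."""
    findings, bastion_admitted = [], False
    for rule in sg["IpPermissions"]:
        if not _covers_port(rule, db_port):
            continue
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] == f"{bastion_ip}/32":
                bastion_admitted = True
            else:
                findings.append(f"DB port {db_port} reachable from {r['CidrIp']}")
        for g in rule.get("UserIdGroupPairs", []):
            if g["GroupId"] == bastion_sg_id:
                bastion_admitted = True
            else:
                findings.append(f"DB port {db_port} reachable from group {g['GroupId']}")
    if not bastion_admitted:
        findings.append(f"no rule admits the bastion on port {db_port}; connection will fail")
    return findings

# Constructed sample groups in describe_security_groups shape (not real AWS output).
BASTION_SG = {"GroupId": "sg-bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
RDS_SG = {"GroupId": "sg-rds", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}], "UserIdGroupPairs": []}]}
```

Feed real output from `aws ec2 describe-security-groups` into the two functions to check your own groups; an empty list means the group matches the configuration this article describes.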
Connect to the RDS DB instance from your local machine
Depending on the client that you use, the steps for connecting to the RDS DB instance vary. For more information, see Connecting to an Amazon RDS DB instance. If you use MySQL, it's a best practice to use SSL to encrypt the connection between the client application and Amazon RDS.
The following example uses the MySQL Workbench client to connect to the RDS DB instance through the bastion host:
- Start a new connection, and select Standard TCP/IP over SSH for the Connection Method.
- Enter the following details about the EC2 instance for the SSH settings:
Note: An EC2 instance launched with a public IP address has a public DNS if the VPC where it was created has DNS Hostnames activated.
Auto-assign Public IP: Make sure that Enable is selected for the DNS Hostnames option.
SSH Hostname: Enter the public DNS name of the EC2 instance or its public IP address.
SSH Username: Enter the user name for your EC2 instance. For example, "ec2-user" is the user name for EC2 Linux machines.
SSH Key File: Select the private key that was used when the EC2 instance was created.
- Enter the following details for the MySQL instance settings:
MySQL Hostname: Enter the RDS DB instance endpoint.
MySQL Server port: Enter "3306" (or the custom port that you use).
Username: Enter the user name of the RDS DB instance.
Password: Enter the password of the RDS DB instance.
- Choose Test Connection.
- After the connection is successful, enter a connection name, and save the connection.
To connect from your local MySQL client to a private RDS instance using an SSH tunnel, see the following commands.
Linux or macOS:
Run the following commands:
ssh -N -L 3336:[rds_endpoint]:3306 [user]@[server_ip]
mysql -u MYSQL_USER -p -h 127.0.0.1 -P 3336
Note: Replace user, server_ip, rds_endpoint, and MYSQL_USER with your information. The first command forwards local port 3336 through the bastion host to the RDS endpoint, and the second connects to that forwarded port. Use 127.0.0.1 rather than localhost so that the MySQL client connects over TCP instead of a local socket.
ssh -i "<filename>.pem" <user_name>@<EC2_Endpoint> -L <Port_number>:<RDS_Endpoint>:<Port_number> -N
Note: Replace filename, user_name, and EC2_Endpoint with the information for your EC2 instance. Replace RDS_Endpoint and Port_number with the information for your RDS instance.