To connect to an AWS RDS or DB instance, it’s a best practice to use VPN or AWS Direct Connect. If you can’t use VPN or Direct Connect, then use a bastion host. you can also restrict the network access control list (network ACL) of subnets to make the connection more secure. You can also restrict the route scope of the internet gateway to use a smaller range instead of 0.0.0.0/0. You can add only the required CIDR range in the routing table for the destination when you add the internet gateway.
Launch and configure the EC2 instance
- Open the Amazon EC2 console, and choose Launch instance.
- Select an Amazon Machine Image (AMI).
- Choose an instance type, and then choose Next: Configure Instance Details.
- For Network, choose the VPC that the RDS DB instance uses.
- For Subnet, select the subnet that has an internet gateway in its routing table. If you don’t already have an internet gateway, you can add it to the subnet after the EC2 instance is created.
- Choose Next: Add Storage, and modify storage as needed.
- Add Tags, and add tags as needed.
- Choose Next: Configure Security Group, choose Add Rule and enter the following:
Type: Custom TCP Rule
Port Range: 22
- Source: Enter the IP address of your local machine. By default, the source IP address is open to all. But you can restrict access to your local public IP address only.
- Choose Review and Launch.
- Choose Launch.
Configure the RDS DB instance’s security groups
- Open the Amazon RDS console, and choose Databases from the navigation pane.
- Choose the name of the RDS DB instance. Or create an RDS DB instance, if you don’t already have one.
- Choose the Connectivity & security tab.
- The security tab has the same security that is used in EC2 instances like the availability zone has the same in both rds and ec2 instances, an inbound rule, security group and used the same VPC in both.
- From the Security section, choose the link under VPC security groups.
- Select the security group, choose Actions, and choose Edit inbound rules.
- Choose Add rule and enter the following:
Type: Custom TCP Rule
Port Range: Enter the port of your RDS DB instance
Source: Enter the private IP address of your EC2 instance
- Choose Save.
This configuration for the security group allows traffic from the EC2 instance’s private IP address. If the EC2 instance and the RDS DB instance use the same VPC, then you don’t need to modify the RDS DB instance’s route table.
Connect to the RDS DB instance from your local machine
Depending on the client that you use, the steps for connecting to the RDS DB instance vary. For more information, see Connecting to an Amazon RDS DB instance. If you use MySQL, it’s a best practice to use SSL to encrypt the connection between the client application and Amazon RDS.
The following example uses the MySQL Workbench client to connect to the bastion host:
- Start a new connection, and select Standard TCP/IP over SSH for the Connection Method.
- Enter the following details about the EC2 instance for the SSH settings:
SSH Hostname: Enter the public DNS name of the EC2 instance.
SSH Username: Enter the user name for your EC2 instance. For example, “ec2-user” is the user name for EC2 Linux machines.
SSH Key File: Select the private key that was used when the EC2 instance was created.
- Enter the following details for the MySQL instance settings:
MySQL Hostname: Enter the RDS DB instance endpoint.
MySQL Server Port: Enter 3306 (or the custom port that you use).
Username: Enter the master user name of the RDS DB instance.
Password: Enter the master password of the RDS DB instance.
- Choose Test Connection.
- After the connection is successful, enter a connection name, and save the connection.
After the set-up, connection select the Test connection