In keeping with security best practices, databases should always remain private and isolated from the internet. For development, however, you still need to reach your database - an RDS instance, for example - from your own machine. Connecting through a bastion host lets you do that without ever giving the database a public endpoint: the only thing exposed is SSH on the bastion, and only to your IP.
The tools required for this are:
- An AWS account.
- PowerShell (or another command-line shell with an ssh client)
- MySQL Workbench (or another visual database client)
Create a VPC
Create a new VPC with a public subnet and private subnets (RDS requires a DB subnet group covering at least two Availability Zones, so create a private subnet in each of two AZs). While still in the VPC dashboard, create two security groups:
- One for your EC2 bastion: allow inbound TCP 22 (SSH) from your own public IP only (a /32), never from 0.0.0.0/0.
- One for your RDS instance: allow inbound TCP 3306 (MySQL) with the bastion's security group as the source, not a CIDR range. Then go back into the bastion's group and allow outbound TCP 3306 to the RDS security group.
Create an EC2 instance
Free tier options are sufficient here.
- Make sure you create a new key pair if you don't already have one, and download the .pem file. Keep it readable only by your user account; ssh refuses to use a private key whose permissions are too open.
- Place the instance in your public subnet, assign the bastion security group you created earlier, and make sure Auto-assign public IP is enabled.
- Take note of the public DNS name (or public IP) that is assigned.
Create a new RDS instance
- Place it in your private subnets, assign it the RDS security group you created earlier, and leave Public access set to No.
- Once it is created, take note of the DB endpoint and the master credentials (once the password has been dismissed you won't be able to view it again).
Connect to your Database
Open a new PowerShell window and run the following command to create a port-forwarding session, replacing each placeholder with your own values. Once logged in, keep this shell open for as long as you need the tunnel.
ssh -i <path-to-your-key.pem> -L 3306:<rds-endpoint>:3306 ec2-user@<ec2-public-dns>
ec2-user is the default login for Amazon Linux; other AMIs use a different user (Ubuntu images use ubuntu). If something on your machine already listens on 3306, change the first number to a free local port such as 3307 and use that port in Workbench instead.
Open MySQL Workbench and create a new connection with Standard (TCP/IP) as the connection method. Enter 127.0.0.1 as the hostname (rather than localhost, so the client is sure to use TCP through the tunnel) and 3306 as the port. Enter the database credentials and click OK. Open your newly created connection and you should be in.
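The security-group rules above are the part people most often get wrong (SSH open to 0.0.0.0/0, MySQL allowed from a CIDR instead of the bastion's group). As an added example, not code from the original walkthrough, the Python below audits both groups against those rules offline. It works on data in the shape boto3's ec2.describe_security_groups() returns under "SecurityGroups"; the group IDs, the IP address and the rules in GOOD_GROUPS and BAD_GROUPS are constructed sample input, and in a real run you would pass the API response to audit() instead.

```python
"""Offline audit of the bastion and RDS security groups described above.
Added example; group IDs, IP and rules below are constructed, not real."""

from ipaddress import ip_network

SSH_PORT = 22
MYSQL_PORT = 3306
OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}


def _exact_tcp_port(rule, port):
    """True only for a rule limited to one TCP port (rejects -1 and ranges)."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == port and rule.get("ToPort") == port)


def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _peer_groups(rule):
    return [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]


def _describe(rule):
    proto = rule.get("IpProtocol")
    return "all traffic" if proto == "-1" else f"{proto}/{rule.get('FromPort')}-{rule.get('ToPort')}"


def check_bastion_sg(sg, my_ip, rds_sg_id):
    """Bastion: inbound only tcp/22 from my_ip/32; outbound only tcp/3306 to the
    RDS group (a bastion that must fetch packages needs an extra, deliberate rule)."""
    problems = []
    allowed = ip_network(f"{my_ip}/32")
    for rule in sg.get("IpPermissions", []):
        if not _exact_tcp_port(rule, SSH_PORT):
            problems.append(f"inbound {_describe(rule)} is not tcp/{SSH_PORT}")
        if _peer_groups(rule):
            problems.append("inbound rule trusts a security group instead of your IP")
        for cidr in _cidrs(rule):
            if cidr in OPEN_TO_WORLD or ip_network(cidr) != allowed:
                problems.append(f"inbound source {cidr} is wider than {allowed}")
    scoped = False
    for rule in sg.get("IpPermissionsEgress", []):
        if _exact_tcp_port(rule, MYSQL_PORT) and _peer_groups(rule) == [rds_sg_id] and not _cidrs(rule):
            scoped = True
        else:
            problems.append(f"outbound {_describe(rule)} is broader than tcp/{MYSQL_PORT} to {rds_sg_id}")
    if not scoped:
        problems.append(f"no outbound tcp/{MYSQL_PORT} rule to {rds_sg_id}")
    return problems


def check_rds_sg(sg, bastion_sg_id):
    """RDS: every inbound rule is tcp/3306 sourced only from the bastion group;
    any CIDR source, even a private range, is a finding."""
    problems = []
    rules = sg.get("IpPermissions", [])
    if not rules:
        problems.append("no inbound rule at all; the bastion cannot reach MySQL")
    for rule in rules:
        if not _exact_tcp_port(rule, MYSQL_PORT):
            problems.append(f"inbound {_describe(rule)} is not tcp/{MYSQL_PORT}")
        for cidr in _cidrs(rule):
            problems.append(f"inbound CIDR source {cidr}; only {bastion_sg_id} should be allowed")
        for gid in _peer_groups(rule):
            if gid != bastion_sg_id:
                problems.append(f"inbound source {gid} is not the bastion group")
    return problems


def audit(groups, my_ip, bastion_sg_id, rds_sg_id):
    """Return {"bastion": [...], "rds": [...]}; empty lists mean both groups match."""
    by_id = {g["GroupId"]: g for g in groups}
    return {"bastion": check_bastion_sg(by_id[bastion_sg_id], my_ip, rds_sg_id),
            "rds": check_rds_sg(by_id[rds_sg_id], bastion_sg_id)}


def _tcp_rule(port, cidr=None, group=None):
    """Build a rule dict in describe_security_groups() shape (sample data helper)."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr}]
    if group:
        rule["UserIdGroupPairs"] = [{"GroupId": group}]
    return rule


# Constructed sample data: TEST-NET-3 address and made-up group IDs.
MY_IP = "203.0.113.10"
BASTION_SG = "sg-0a1b2c3d4e5f60001"
RDS_SG = "sg-0a1b2c3d4e5f60002"

GOOD_GROUPS = [
    {"GroupId": BASTION_SG, "IpPermissions": [_tcp_rule(22, cidr=f"{MY_IP}/32")],
     "IpPermissionsEgress": [_tcp_rule(3306, group=RDS_SG)]},
    {"GroupId": RDS_SG, "IpPermissions": [_tcp_rule(3306, group=BASTION_SG)],
     "IpPermissionsEgress": []},
]

# Mistakes the audit should catch: SSH on the wrong port and open to the
# world, default allow-all egress left in place, MySQL reachable from 0.0.0.0/0.
BAD_GROUPS = [
    {"GroupId": BASTION_SG,
     "IpPermissions": [_tcp_rule(80, cidr=f"{MY_IP}/32"), _tcp_rule(22, cidr="0.0.0.0/0")],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": RDS_SG, "IpPermissions": [_tcp_rule(3306, cidr="0.0.0.0/0")],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for name, groups in (("good", GOOD_GROUPS), ("bad", BAD_GROUPS)):
        print(name, audit(groups, MY_IP, BASTION_SG, RDS_SG))
```

Run it and the good pair reports no findings while the bad pair reports four on the bastion group and one on the RDS group. The egress check deliberately encodes the walkthrough's rule set exactly (only tcp/3306 to the RDS group); if your bastion also needs outbound 443 for package updates, add that rule on purpose and extend the check rather than leaving the default allow-all in place.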
By following these steps you have connected to your private RDS instance through a bastion host. The database never gets a public endpoint and only accepts MySQL traffic from the bastion's security group, while the bastion itself exposes nothing but SSH to your own IP, which keeps the setup aligned with security best practices while still providing the access needed for development.