Accessing an RDS db instance from a Bastion server inside a VPC

In this post I would like to discuss how to access an RDS instance that is located for security reasons inside the private subnet of a VPC.

When planning and deploying a VPC it is best practice to keep db instances out of reach and hidden deep inside a private subnet. The instances will not be publicly accessible but at the same time [only] you have to be able to have access to them.

The way to connect to them is via an EC2 instance that will also be located inside the same VPC but in a public subnet. The best practice is to use the same EC2 instance that you use to access all the other instances in your VPC, the Bastion host.

So, I suppose you have a private security group [PrivateSG] that controls the access to the private subnet and a specific one [BastionSG] for the bastion host. At first you must configure the PrivateSG [that the RDS instances have attached] to accept incoming traffic at port 3306 from the BastionSG. Then the BastionSG must have an outbound rule that routes traffic to the PrivateSG and an inbound rule that allows traffic from your specific [home/office etc] IPs. All on port 3306 , for MySQL/Aurora.

Now that the traffic is unblocked to flow to the RDS instances you can connect to one of them using a SQL management tool like SQLYog.

At first , you must set the SSH connection to the Bastion host.

Next , you must set up the connection to the RDS instance.

Test the connection , and you are good to go!

You can always read more at the AWS documentation here and here.

Note: If you are trying to decypher the connection of the picture with a post, that is what a real [!] bastion looks like ;] !