How do I use an Amazon EC2 instance as a bastion host to connect to a private Amazon RDS DB instance from a local machine?

6 minute read

I want to use an Amazon Elastic Compute Cloud (Amazon EC2) instance as a bastion (jump) host to connect to a private Amazon Relational Database Service (Amazon RDS) DB instance from a local machine.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To connect to a private Amazon RDS or Amazon Aurora DB instance, it's a best practice to use a VPN or AWS Direct Connect. If you can't use either option, then use a bastion host.

The following example configuration is for an Amazon RDS for MySQL instance that's in an Amazon Virtual Private Cloud (Amazon VPC). The example uses security groups to restrict access. However, you can restrict the network access control list (network ACL) of subnets to make the connection more secure.

Launch and configure the EC2 instance

Complete the following steps:

Open the Amazon EC2 console, and then choose Launch instance.
Select an Amazon Machine Image (AMI).
Choose an instance type, and then choose Next: Configure Instance Details.
For Network, choose the VPC that the Amazon RDS DB instance uses.
For Subnet, select the private subnet in the VPC
Choose Next: Add Storage, and then modify the storage as needed.
Choose Next: Add Tags, and then add tags as needed.
Choose Next: Configure Security Group.
Choose Add Rule, and then enter the following:
For Type, enter Custom TCP Rule
For Protocol, enter TCP
For Port Range, enter 22
For Source, enter the security group used by your Amazon EC2 connect endpoint.
Choose Review and Launch, and then choose Launch.

Configure the Amazon RDS DB instance's security groups

Note: To connect one or more EC2 instances to an Amazon RDS database automatically, see Automatically connect an instance to an RDS database using the RDS console.

Complete the following steps:

Open the Amazon RDS console.
In the navigation pane, choose Databases.
Choose the name of the Amazon RDS DB instance. If you don't already have one, then create an RDS DB instance.
Choose Connectivity & security.
From the Security section, choose the link under VPC security groups.
Select the security group, choose Actions, and then choose Edit inbound rules.
Choose Add rule, and then enter the following:
For Type, enter Custom TCP Rule
For Protocol, enter TCP
For Port Range, enter the port of your Amazon RDS DB instance.
For Source, enter the private IP address of your EC2 instance.
Choose Save.

This configuration for the security group allows traffic from the EC2 instance's private IP address. If the EC2 instance and the Amazon RDS DB instance use the same VPC, then you don't need to modify the Amazon RDS DB instance's route table. If the VPC is different, then create a VPC peering connection to allow connections between those VPCs.

Note: If you use a more scalable solution, then review your configuration. For example, if you use the security group ID in a security group rule, then make sure that it doesn't restrict access to one instance. Instead, configure the rule to restrict access to any resource that uses the specific security group ID.

Create an EC2 instance connect endpoint

Open the Amazon VPC console.
In the navigation pane, choose Endpoints.
Choose Create endpoint, and then specify the endpoint settings.
(Optional) For Name tag, enter a name for the endpoint.
For Service category, choose EC2 Instance Connect Endpoint.
For VPC, select the VPC that has the target instances.
(Optional) To preserve client IP addresses, expand Additional settings and select the check box. Otherwise, the default is to use the endpoint network interface as the client IP address.
For Security groups, select the security group you want to associate with the endpoint. Otherwise, the default is to use the default security group for the VPC.
For Subnet, select the subnet in which to create the endpoint.
(Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
Review your settings and then choose Create endpoint.
The initial status of the endpoint is Pending. To connect to an instance, you must wait until the endpoint status is Available. This can take up to a few minutes.

Connect to the RDS DB instance from your local machine

Note: You must have access to the AWS CLI.

To connect from your local MySQL client to a private RDS instance through an SSH tunnel, complete the following steps:
Linux or macOS

Run the following command to open a tunnel from local machine to the EC2 instance:

aws ec2-instance-connect open-tunnel --instance-id ec2-instance-ID --local-port 8888

Note: Replace ec2-instance-ID with your EC2 instance ID.

Open a second connection and run the following command to create an SSH tunnel from your local host to your RDS DB through an EC2 instance:
```
ssh -i YOUR_EC2_KEY EC2_USER@EC2_HOST -p EC2_TUNNEL_PORT -L LOCAL_PORT:RDS_ENDPOINT:REMOTE_PORT -N -f
```
Note: Replace the following values:
YOUR_EC2_KEY with the path to your EC2 private key file
EC2_USER with your EC2 instance username
EC2_HOST with the hostname of your EC2 instance
EC2_TUNNEL_PORT with the port you configured
LOCAL_PORT with an unused port on your local machine
RDS_ENDPOINT with the endpoint of your RDS instance
REMOTE_PORT with the port that your Amazon RDS DB uses in the RDS instance.
Use a third connection and run the following command to connect to your Amazon RDS instance from your local machine:
```
mysql -h 127.0.0.1 -P LOCAL_PORT -u RDS_USER -p
```
Note: Replace the following values:
LOCAL_PORT with the number of your local port
DB_USER with your RDS DB username
DB password with the Amazon RDS DB password