Accessing a RDS database in another account using AWS PrivateLink

0

A customer wants to access a DB Instance in a VPC from an EC2 Instance in a different VPC. They are currently using VPC Peering for this as documented here: USER_VPC.Scenarios

They would like to know if they could instead use a VPC endpoint as documented here: endpoint-service

Is it possible to make the RDS database available in the other VPC using a NLB and a PrivateLink? What would be the impacts? The limits?

1 answer
1
Accepted answer

It would work BUT maybe not the best way to go (because of the following drawbacks):

  • You can set up PrivateLink currently only with an NLB, and an NLB only supports IPs or instances as targets.

  • But as RDS only provides DNS endpoints, you cannot connect an NLB directly to RDS (of course you could get the IP of the RDS endpoint, but as the IP may change at any time you should NOT consider this option unless you are OK manually updating it or want to build automation to do so).

Possible workaround: put a proxy behind the NLB and let the proxy forward connections to the RDS endpoint FQDN.

Additional comment: the NLB continuously does health checks towards the targets; this will result in a blocked IP of the NLB (and so the whole Endpoint/PrivateLink) inside MySQL, depending on the configuration of max_connect_errors.

Answered 6 years ago
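An added example (not from the question or the answer above) of the proxy workaround described in the answer: a minimal TCP forwarder that sits behind the NLB as an IP/instance target and resolves the database FQDN on every new connection, so an RDS IP change needs no manual update. The echo server, the `localhost` hostname and all port numbers are constructed stand-ins for the RDS endpoint.

```python
import socket
import threading

def resolve_target(fqdn: str, port: int) -> tuple:
    """Resolve the RDS endpoint FQDN at connect time, never once at startup."""
    return socket.gethostbyname(fqdn), port

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle_client(client: socket.socket, fqdn: str, port: int) -> None:
    """One session: fresh DNS lookup, then relay in both directions."""
    upstream = socket.create_connection(resolve_target(fqdn, port), timeout=10)
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)

def _listen(on_accept) -> int:
    """Bind an ephemeral loopback port, serve in a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_accept, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_proxy(fqdn: str, port: int) -> int:
    """The NLB target: its TCP health checks terminate here, not at the DB."""
    return _listen(lambda c: handle_client(c, fqdn, port))

def start_echo_server() -> int:
    """Constructed stand-in for the database listener: echoes bytes back."""
    return _listen(lambda c: pump(c, c))

def roundtrip(proxy_port: int, payload: bytes) -> bytes:
    """Send payload through the proxy and return whatever comes back."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=10) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(4096):
            out += chunk
    return out
```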
