RDS configuration

0

Hi,

I am preparing to deploy a Flask application using Elastic Beanstalk. I have 2 questions about provisioning the database, which I will create separately and give the application access to.

  1. Is it ok to create the database in the default VPC instead of creating a new VPC?
  2. I want to access the production database using the DB client Squirrel; should I create RDS in a public subnet? I am making sure no one has access to the credentials during and after deployment and have followed AWS best practices for that, but DB access will be public.
2 answers
1
Accepted answer
  1. Is it ok to create the database in the default VPC instead of creating a new VPC?

Yes, there is no problem using the default VPC.
However, the main route table of the default VPC has a route to the Internet gateway, so you must create a private subnet with its own route table that does not carry that route.

  2. I want to access the production database using the DB client Squirrel; should I create RDS in a public subnet? I am making sure no one has access to the credentials during and after deployment and have followed AWS best practices for that, but DB access will be public.

It is not recommended that RDS be configured for public access.
It is better to use private subnets instead of public subnets because of the risk of information leakage from the slightest misconfiguration, even if security groups and authentication are strictly configured.
When accessing RDS from outside AWS, it is recommended to use a bastion host or to use port forwarding with SSM Session Manager.
The following documents may be helpful.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/infrastructure-security.html

EXPERT
answered 10 months ago
EXPERT
reviewed 2 months ago
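The accepted answer's point is that a default VPC's main route table carries the Internet gateway route and any subnet without an explicit route-table association inherits it. The following Python check is an added example (not part of the answer or of any AWS tool): it classifies subnets as public or private from a simplified, constructed copy of `aws ec2 describe-route-tables` output, including the implicit fall-back to the main table, so you can verify that every subnet in an RDS subnet group is really private before creating the instance.

```python
"""Classify VPC subnets as public/private from route-table data (added example).

A subnet is "public" if its effective route table has 0.0.0.0/0 -> igw-...;
subnets without an explicit association use the VPC's main route table.
The sample data below is constructed and only mimics the shape of
`aws ec2 describe-route-tables` output; it is not from a real account.
"""
from typing import Dict, List

ROUTE_TABLES: List[dict] = [
    {   # main route table of a default VPC: carries the IGW default route
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234"}],
    },
    {   # custom table for the DB subnets: local route only, no Internet route
        "RouteTableId": "rtb-db000000",
        "Associations": [{"Main": False, "SubnetId": "subnet-db1"},
                         {"Main": False, "SubnetId": "subnet-db2"}],
        "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}],
    },
]


def routes_to_internet(table: dict) -> bool:
    """True if the table has a default route pointing at an Internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in table["Routes"])


def classify_subnets(subnet_ids: List[str], route_tables: List[dict]) -> Dict[str, str]:
    """Map each subnet to 'public' or 'private' using its effective route table."""
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t for t in route_tables
                for a in t["Associations"] if "SubnetId" in a}
    # Implicit association: a subnet with no explicit entry falls back to main.
    return {s: ("public" if routes_to_internet(explicit.get(s, main)) else "private")
            for s in subnet_ids}


def db_subnet_group_is_private(subnet_ids: List[str], route_tables: List[dict]) -> bool:
    """An RDS subnet group is only safe if every member subnet is private."""
    return all(v == "private" for v in classify_subnets(subnet_ids, route_tables).values())


if __name__ == "__main__":
    # subnet-app1 has no explicit association, so it inherits the main table.
    print(classify_subnets(["subnet-db1", "subnet-db2", "subnet-app1"], ROUTE_TABLES))
```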
1
  1. I'd consider your custom VPC over the default, as in my experience it is better for production or environments where resources must be private.
  2. I'd still put the DB in a private subnet, never in a public one. To access it you can use SSM with a bastion host, or try out the recent EC2 Instance Connect Endpoint feature, which allows you to connect to RDS without the need for a bastion host: https://www.doit.com/secured-access-to-private-rds-using-amazon-ec2-instance-connect-endpoint/

EDIT: EC2 Instance Connect Endpoint unfortunately seems to support only EC2

EXPERT
answered 10 months ago
  • I get the following error when trying to access RDS using the Instance Connect Endpoint; is it really available?

    awscli.customizations.ec2instanceconnect.websocket - ERROR - {"ErrorCode":"InvalidParameter","Message":"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."}

    I tried to connect to RDS MySQL on port 3306 using the following command, but it failed. Perhaps this was corrected some time ago.

    aws ec2-instance-connect open-tunnel --instance-connect-endpoint-id ${EC2 Instance Connect Endpoint ID} --private-ip-address ${RDS Private IP} --local-port 3306 --remote-port 3306

  • You are right, I think something changed. EC2 Instance Connect now does not work "for any VPC resources". Now you can only connect to EC2 instances. When connecting, the --remote-port parameter is checked, and if it is not 22 or 3389, an error is returned:

    "The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."

    So SSM is still the option to go with.
