Hello.
Is RDS launched in a public subnet and has public access enabled?
If public access is enabled, you can check the global IP address by resolving the name of the RDS endpoint.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding
As an aside, it is not good security to place RDS directly in a public subnet.
Therefore, we recommend accessing using Session Manager's port forwarding function, etc., as shown in the document below.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/
To answer your last point first, new security groups won't interfere like you suggest, i.e. they won't close a port that was previously open (it's the other way round - the only change they can make is to open a port that was previously closed).
@Riku's point about not having the RDS database in a public subnet is very good advice. The RDS instance will be running in a subnet group, and if it needs to be accessible from the internet then every subnet that makes up that subnet group must have a route to the internet gateway in its routing table https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-internet-gateway
It may be useful here to use Reachability Analyser https://docs.aws.amazon.com/vpc/latest/reachability/getting-started.html
Be aware that this isn't free, it's about 10c per use - see the Network Analysis tab of https://aws.amazon.com/vpc/pricing/
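The two checks suggested in the answers above (resolve the endpoint and see whether the address is public; confirm every subnet in the DB subnet group has a default route to an internet gateway) can be scripted. The following is an added example, not code from either answerer or from AWS: the address classifier uses Python's `ipaddress` module, and the route-table check consumes data in the shape returned by `aws ec2 describe-route-tables` (`RouteTables[].Associations[]` and `RouteTables[].Routes[]`), with the route tables, subnet ids and gateway id below constructed for illustration.

```python
"""Offline checks for 'is this RDS instance reachable from the internet?'

1. classify_address: a globally routable address resolved from the RDS
   endpoint means the instance is exposed at the IP layer (security groups
   still apply); an RFC 1918 address means it is not.
2. subnets_without_igw_route: given the route tables of the VPC (shape of
   `aws ec2 describe-route-tables` output) and the subnets of the DB subnet
   group, list the subnets that lack a 0.0.0.0/0 route to an igw-* gateway.
"""
import ipaddress
import socket
import sys


def classify_address(ip_text):
    """Return 'public' if the address is globally routable, else 'private'."""
    addr = ipaddress.ip_address(ip_text)
    return "public" if addr.is_global else "private"


def resolve_endpoint(hostname):
    """Resolve an RDS endpoint name (needs network access; not used by tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def _table_for_subnet(route_tables, subnet_id):
    """Explicitly associated route table, else the VPC main route table."""
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def has_igw_default_route(route_table):
    """True if the table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and str(route.get("GatewayId", "")).startswith("igw-")):
            return True
    return False


def subnets_without_igw_route(route_tables, subnet_ids):
    """Subnets in the DB subnet group that cannot reach the internet gateway."""
    missing = []
    for subnet_id in subnet_ids:
        table = _table_for_subnet(route_tables, subnet_id)
        if table is None or not has_igw_default_route(table):
            missing.append(subnet_id)
    return missing


# Constructed sample data (ids are placeholders, not real AWS resources).
SAMPLE_ROUTE_TABLES = [
    {   # main table: local route only, so unassociated subnets stay private
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public table: default route via an internet gateway
        "RouteTableId": "rtb-public00",
        "Associations": [{"SubnetId": "subnet-aaaa1111", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
]
SAMPLE_SUBNET_GROUP = ["subnet-aaaa1111", "subnet-bbbb2222"]


if __name__ == "__main__":
    # Optional: pass a real endpoint name to resolve it live.
    if len(sys.argv) > 1:
        for ip in resolve_endpoint(sys.argv[1]):
            print(f"{sys.argv[1]} -> {ip} ({classify_address(ip)})")
    for sample_ip in ("10.0.1.5", "8.8.8.8"):
        print(f"{sample_ip}: {classify_address(sample_ip)}")
    print("subnets without IGW route:",
          subnets_without_igw_route(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_GROUP))
```

In the sample, `subnet-bbbb2222` has no explicit association, so it falls back to the main route table, which only has the `local` route; it is therefore reported as not internet-reachable even if the instance is marked publicly accessible. Remember that a public route is necessary but not sufficient: the security group attached to the instance must also allow the database port from the source address.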