RDS configuration


Hi,

I am preparing to deploy a Flask application using Elastic Beanstalk. I have 2 questions about provisioning the database, which I will create separately and give the application access to.

  1. Is it ok to create the database in default VPC instead of creating a new VPC?
  2. I want to access the production database using the DB client SQuirreL; should I create RDS in a public subnet? I am making sure no one has access to the credentials during and after deployment and have followed AWS best practices for that, but DB access will be public.
2 Answers
Accepted Answer
  1. Is it ok to create the database in default VPC instead of creating a new VPC?

Yes, there is no problem using the default VPC.
However, the default VPC has a route to the Internet gateway configured in its main route table, so a separate route table must be created to make the subnet private.

  2. I want to access production database using dB client Squirrel, should I create RDS in public subnet. I am making sure no one has access to credentials even during and after deployment and followed AWS best practices for that but DB access will be public.

It is not recommended that RDS be configured for public access.
It is better to use private subnets instead of public subnets because of the risk of information leakage with the slightest misconfiguration, even if strictly configured with security groups and authentication.
When accessing RDS from outside AWS, it is recommended to use a stepping stone host or use port forwarding with SSM Session Manager.
The following documents may be helpful.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/infrastructure-security.html

answered 10 months ago (EXPERT)
reviewed a month ago (EXPERT)
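The accepted answer makes two points that are easy to check and act on programmatically: an RDS instance is exposed if it is marked publicly accessible or if any subnet in its subnet group falls back to the default VPC's main route table (which carries a 0.0.0.0/0 route to an Internet gateway), and the remedy for client access is SSM Session Manager port forwarding through a managed instance rather than a public endpoint. The script below is an added example written for this thread; it is not code from the answer, from AWS, or from any linked article. It works on dictionaries shaped like the `describe_db_instances`, `describe_subnets` and `describe_route_tables` responses, but the VPC, subnet, route-table and instance identifiers and the sample data are constructed so it runs offline; the `AWS-StartPortForwardingSessionToRemoteHost` document name and its `host`/`portNumber`/`localPortNumber` parameters are real Session Manager names.

```python
"""Added example (not from the re:Post thread): flag RDS instances reachable
from the Internet, and build the SSM port-forwarding command the accepted
answer recommends instead of a public DB endpoint.

The input structures mirror the shape of the boto3 / CLI responses for
describe_db_instances and describe_route_tables; the values below are
constructed sample data so the script runs with no AWS credentials.
"""
import json


def _route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """Route table that applies to a subnet: an explicit association wins,
    otherwise the VPC's main route table (the default-VPC case the accepted
    answer warns about)."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_is_public(subnet_id, vpc_id, route_tables):
    """A subnet is public when its effective route table sends 0.0.0.0/0
    (or ::/0) to an Internet gateway (igw-...)."""
    rt = _route_table_for_subnet(subnet_id, vpc_id, route_tables)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def find_exposed_rds(db_instances, route_tables):
    """Return {DBInstanceIdentifier: [reasons]} for instances that are
    PubliclyAccessible or placed in a public subnet."""
    findings = {}
    for db in db_instances:
        reasons = []
        if db.get("PubliclyAccessible"):
            reasons.append("PubliclyAccessible=true")
        group = db.get("DBSubnetGroup", {})
        vpc_id = group.get("VpcId")
        for sn in group.get("Subnets", []):
            sid = sn["SubnetIdentifier"]
            if subnet_is_public(sid, vpc_id, route_tables):
                reasons.append(f"subnet {sid} routes 0.0.0.0/0 to an IGW")
        if reasons:
            findings[db["DBInstanceIdentifier"]] = reasons
    return findings


def ssm_port_forward_command(managed_instance_id, rds_endpoint, remote_port=3306, local_port=3306):
    """argv for `aws ssm start-session` using the AWS-StartPortForwardingSessionToRemoteHost
    document: the local port is tunnelled through an SSM-managed instance in the VPC to the
    RDS endpoint, so the DB needs no public IP and the instance needs no inbound SG rule."""
    params = {"host": [rds_endpoint],
              "portNumber": [str(remote_port)],
              "localPortNumber": [str(local_port)]}
    return ["aws", "ssm", "start-session", "--target", managed_instance_id,
            "--document-name", "AWS-StartPortForwardingSessionToRemoteHost",
            "--parameters", json.dumps(params)]


# --- constructed sample data (identifiers are placeholders, not real resources) ---
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-default0", "RouteTableId": "rtb-main0",
     "Associations": [{"Main": True}],                      # default VPC main table: has IGW route
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa0000"}]},
    {"VpcId": "vpc-default0", "RouteTableId": "rtb-private0",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},  # no IGW route
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "prod-db-public", "PubliclyAccessible": True,
     "DBSubnetGroup": {"VpcId": "vpc-default0",  # subnets fall back to the main table
                       "Subnets": [{"SubnetIdentifier": "subnet-pub-a"}, {"SubnetIdentifier": "subnet-pub-b"}]}},
    {"DBInstanceIdentifier": "prod-db-private", "PubliclyAccessible": False,
     "DBSubnetGroup": {"VpcId": "vpc-default0",
                       "Subnets": [{"SubnetIdentifier": "subnet-priv-a"}, {"SubnetIdentifier": "subnet-priv-b"}]}},
]

if __name__ == "__main__":
    for name, reasons in find_exposed_rds(SAMPLE_DB_INSTANCES, SAMPLE_ROUTE_TABLES).items():
        print(f"{name}: {'; '.join(reasons)}")
    print(" ".join(ssm_port_forward_command("i-0123456789abcdef0", "prod-db-private.example.internal")))
```

Run against real data by feeding `find_exposed_rds` the `DBInstances` list from `aws rds describe-db-instances` and the `RouteTables` list from `aws ec2 describe-route-tables`; the subnet-level check matters even when `PubliclyAccessible` is false, because an instance in a public subnet is one console toggle away from exposure. Once the tunnel command is running, point SQuirreL at `localhost:3306`.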
  1. I'd consider a custom VPC over the default one, as in my experience it is better for production or environments where resources must be private.
  2. I'd still put the DB in a private subnet, never in a public one. To access it you can use SSM with a bastion host, or try out the recent EC2 Instance Connect Endpoint feature, which allows you to connect to RDS without the need for a bastion host: https://www.doit.com/secured-access-to-private-rds-using-amazon-ec2-instance-connect-endpoint/

EDIT: EC2 Instance Connect Endpoint unfortunately seems to support only EC2.

answered 10 months ago (EXPERT)
  • I get the following error when trying to access RDS using Instance Connect Endpoint; is it really available?

    awscli.customizations.ec2instanceconnect.websocket - ERROR - {"ErrorCode":"InvalidParameter","Message":"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."}

    I tried to connect to RDS MySQL on port 3306 using the following command, but it failed. Perhaps this was corrected some time ago.

    aws ec2-instance-connect open-tunnel --instance-connect-endpoint-id ${EC2 Instance Connect Endpoint ID} --private-ip-address ${RDS Private IP} --local-port 3306 --remote-port 3306

  • You are right, I think something changed. EC2 Instance Connect now does not work "for any VPC resources". Now you can only connect to EC2 instances. When connecting, the --remote-port parameter is checked and if it is not 22 or 3389, an error is returned:

    "The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."

    So SSM is still the option to go with.
