how to connect to private RDS from localhost

0

I have a private VPC with private subnets, a private jumpbox in one private subnet, and my private RDS Aurora MySQL Serverless instance in another private subnet.

I ran these commands on my local laptop to try to connect to my RDS via port forwarding:

aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["5901"],"localPortNumber"=["9000"] --profile myProfile

aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile

aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["3306"],"localPortNumber"=["3306"] --profile myProfile

The connection to the server hangs.

I got this error on my local laptop:

Starting session with SessionId: myuser-09e5cd0206cc89542
Port 3306 opened for sessionId myuser-09e5cd0206cc89542.
Waiting for connections...

Connection accepted for session [myuser-09e5cd0206cc89542]

Connection to destination port failed, check SSM Agent logs.

and these errors in /var/log/amazon/ssm/errors.log:

2021-11-29 00:50:35 ERROR [handleServerConnections @ port_mux.go.278] [ssm-session-worker] [myuser-017cfa9edxxxx] [DataBackend] [pluginName=Port] Unable to dial connection to server: dial tcp :3306: connect: connection refused
2021-11-29 14:13:07 ERROR [transferDataToMgs @ port_mux.go.230] [ssm-session-worker] [myuser-09e5cdxxxxxx] [DataBackend] [pluginName=Port] Unable to read from connection: read unix @->/var/lib/amazon/ssm/session/3366606757_mux.sock: use of closed network connection

and I try to connect to RDS like this (screenshot of the client settings not reproduced here):

I even tried to put the RDS endpoint in the SSH tunnel settings, but it doesn't work (screenshot not reproduced here):

Are there any additional steps to do on the remote EC2 instance?

It seems the connection is accepted, but the connection to the destination port doesn't work.

Or is there any better way to connect to a private RDS in a private VPC when we don't have a Site-to-Site VPN or Direct Connect?

6 Answers
1

Have you tried the Query Editor or the Data API? They are easy ways to access Aurora Serverless.

Query Editor

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/query-editor.html

Data API

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html

YM
answered 2 years ago
  • Thank you for your reply. With the Data API, can I connect my NodeJS/NestJS application to my private RDS DB at the moment of application launch?

1

"connection refused" usually means that there is some network connectivity issue. Can you check your Security Groups on RDS?

The following link shows the steps that you would need:

https://aws.amazon.com/premiumsupport/knowledge-center/rds-connect-ec2-bastion-host/

AWS
answered 2 years ago
1

Assuming that you want to connect to the private RDS endpoint from the Internet:

  1. Set up a bastion host in a public subnet in your VPC along with an Internet Gateway. Make sure you are able to log into the bastion host with SSH keys.
  2. Set up an SSH tunnel using the RDS endpoint as the host, followed by : and the port number. Open the SSH session on the bastion host along with the tunnel setting.
  3. You should be able to connect to the RDS endpoint from a tool running on your machine over the Internet. Hope this helps.
AWS
SV
answered 2 years ago
  • Thank you @Sahin_v, but as mentioned, my VPC is a private-only VPC with private SNs, and I don't have to change that requirement. I am able to connect to my private bastion host in a private SN via SSM port forwarding, but from there to the RDS port it hangs.

1

You indicated this is a private VPC. Is there a route to the internet via an on-prem connection, or have you added an endpoint for SSM? If not, then the SSM Agent in the instance has no route to connect to the SSM service. The SSM Agent originates the connectivity outbound. If this sounds like your situation, take a look at Step 6: (Optional) Create a Virtual Private Cloud endpoint (https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html)

AWS
Scott_K
answered 2 years ago
  • It's a private VPC linked with another public VPC through a TGW, but mine is a private VPC and should stay a private VPC.

1

You should make a tunnel using the bastion host, which can be connected to with Session Manager.

Please check the following link:

https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/

AWS
answered 2 years ago
1

These are external links and I haven't verified their steps, but I think this could help you:

https://www.element7.io/2021/01/aws-ssm-session-manager-port-forwarding-to-rds-without-ssh/
https://www.linkedin.com/pulse/remote-port-forwarding-using-aws-ssm-session-manager-jaros%C5%82aw-grz%C4%85bel/?articleId=6704645407001120768
https://www.reddit.com/r/aws/comments/gh8cde/ssm_session_manager_portforwarding_to_rds_wout_ssh/

You need a few extra configuration steps on the bastion host to be able to port forward to a destination outside of the instance.

AWS
mike
answered 2 years ago
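The last two answers (SSH tunnel over Session Manager, and "extra configuration on the bastion" so the forwarded port leads somewhere outside the instance) put into runnable form, as an added example that is not code from this thread, from the linked articles, or from AWS. The agent log in the question already shows the root cause: AWS-StartPortForwardingSession makes the agent dial `:3306` on the jumpbox itself, where nothing listens, hence "connection refused". The script below offers three ways around that and a check for the relay variant. Instance IDs, hostnames, ports and the profile name are placeholders passed as arguments; with `DRY_RUN=1` the commands are printed instead of executed so the file can be exercised without AWS credentials.

```shell
#!/bin/sh
# Added example (not from the thread or from AWS): three ways to reach a
# private RDS endpoint through an SSM-managed jumpbox without opening any
# inbound port.  All IDs, hostnames, ports and the profile are parameters;
# the values in comments are placeholders.
#
# Why the poster's command fails: AWS-StartPortForwardingSession dials
# <portNumber> on the target INSTANCE itself (the agent log shows
# "dial tcp :3306: connect: connection refused").  Nothing on the jumpbox
# listens on 3306.  Either have SSM forward to a remote host (option 1),
# run a relay on the jumpbox so 3306 there leads to RDS (option 2),
# or tunnel SSH over SSM and use ssh -L (option 3).

# Helper: execute the command, or only print it when DRY_RUN=1.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1: AWS-StartPortForwardingSessionToRemoteHost.  "host" is the RDS
# endpoint; the jumpbox only needs outbound access to it, and the RDS
# security group must allow inbound 3306 from the jumpbox's security group.
# This document was added to Session Manager in 2022, after this thread,
# and needs an SSM Agent recent enough to support it.
ssm_forward_to_rds() {
    instance="$1"; rds_host="$2"; rds_port="${3:-3306}"
    local_port="${4:-3306}"; profile="${5:-default}"
    run_or_print aws ssm start-session \
        --target "$instance" \
        --document-name AWS-StartPortForwardingSessionToRemoteHost \
        --parameters "{\"host\":[\"$rds_host\"],\"portNumber\":[\"$rds_port\"],\"localPortNumber\":[\"$local_port\"]}" \
        --profile "$profile"
}

# Option 2 (run ON the jumpbox, e.g. from an SSM shell session): relay
# 127.0.0.1:<port> on the jumpbox to RDS.  Afterwards the poster's original
# AWS-StartPortForwardingSession command with portNumber=3306 works
# unchanged.  Binding to loopback keeps other hosts in the subnet from
# using the relay; socat must be installed (yum/apt install socat).
start_relay_on_jumpbox() {
    rds_host="$1"; port="${2:-3306}"
    run_or_print socat "TCP-LISTEN:$port,fork,reuseaddr,bind=127.0.0.1" "TCP:$rds_host:$port"
}

# Check for option 2: before starting the session, confirm that something on
# the jumpbox is in LISTEN state on the port the agent will dial.  Reads
# `ss -ltn` output on stdin (State in column 1, Local Address:Port in
# column 4) so it can be tested against captured text.  Returns 0 if found.
port_has_listener() {
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # "127.0.0.1:3306" or "[::]:22"
            if (a[n] == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Option 3: SSH over SSM (the Knowledge Center article linked above), then
# an ordinary ssh -L tunnel whose far end is the RDS endpoint.  Needs sshd
# on the jumpbox and a key for the user, but no inbound security-group rule.
ssh_tunnel_over_ssm() {
    instance="$1"; rds_host="$2"; user="${3:-ec2-user}"
    local_port="${4:-3306}"; profile="${5:-default}"
    run_or_print ssh -N \
        -o "ProxyCommand=aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p --profile $profile" \
        -L "$local_port:$rds_host:3306" \
        "$user@$instance"
}

# Example session (placeholder values):
#   on the jumpbox:  ss -ltn | port_has_listener 3306 || start_relay_on_jumpbox db.cluster-abc.eu-west-1.rds.amazonaws.com
#   on the laptop:   ssm_forward_to_rds i-0123456789abcdef0 db.cluster-abc.eu-west-1.rds.amazonaws.com 3306 13306 myProfile
#   then:            mysql -h 127.0.0.1 -P 13306 -u admin -p
```

Whichever option is used, the jumpbox's outbound rules and the RDS security group still have to allow 3306 between them; a security-group block shows up as a hang or timeout, while the "connection refused" in the question is the local dial on the jumpbox finding no listener.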
