I have set up a VPC in AWS with 2 public subnets and 2 private subnets with a NAT Gateway in the public subnets to allow the private subnets to access the internet. In my private subnets I'm hosting an RDS instance; however, I want to keep it in the private subnet but also be able to access it from my local network in case I have to inspect something on the DB itself. I read online that you can do this using a bastion jump server, but I was wondering, is it not possible to set up routing for just a single or a few IP addresses to access this one specific resource?
Question posted in Amazon Web Services
The official Amazon Web Services documentation can be found here.
2 Answers
You can create a temporary network load balancer which will forward your connections to the database just for the time you need it, and delete it afterwards. This would cost about $0.03/h of usage.
You can, for example, create a script to create this and then delete with a few aws cli commands and paste it to your CloudShell. Or, if you want to be enterprisy, a Terraform/OpenTofu or CloudFormation definition.
No, routing rules affect all traffic. They cannot be limited by IP address. (Not to be confused with Security Groups, that can limit access by IP address, but don’t control routing.)
You can either:
- set Publicly accessible = Yes and secure it with a Security Group limited to certain IP addresses, or
- set Publicly accessible = No and use a Bastion / Jump box in the public subnet to give you access to the database (eg using SSH Port Forwarding).
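Whichever of the two options above is chosen, the Security Group on the RDS instance is what actually limits who can reach the database port, so it is worth checking it before and after. The following is an added example (not code from either answer or from AWS): it audits a security group document in the shape returned by `aws ec2 describe-security-groups` and reports every source that can reach the database port, flagging 0.0.0.0/0 and ::/0 (open to the world) and, under an assumed local policy, any IPv4 range wider than /24 or IPv6 range wider than /64. The group ids, CIDRs and descriptions in the sample are constructed for the example; references to another security group (the bastion pattern) are reported as acceptable.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output for a
# group attached to a PostgreSQL RDS instance (port 5432). All ids and CIDRs are made up.
SAMPLE_SG_JSON = """
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0example1234567890",
      "GroupName": "rds-postgres-access",
      "IpPermissions": [
        {
          "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [
            {"CidrIp": "203.0.113.10/32", "Description": "office egress IP"},
            {"CidrIp": "0.0.0.0/0", "Description": "temporary, forgot to remove"}
          ],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000000", "Description": "bastion host"}]
        },
        {
          "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []
        }
      ]
    }
  ]
}
"""
SAMPLE_DOC = json.loads(SAMPLE_SG_JSON)

DB_PORT = 5432
# Assumed local policy: sources wider than these prefixes are flagged as too broad.
MIN_IPV4_PREFIX = 24
MIN_IPV6_PREFIX = 64


def rule_covers_port(perm, port):
    """True if an IpPermissions entry lets traffic reach `port` (all-traffic rules use protocol "-1")."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def classify_cidr(cidr):
    """Classify one CIDR source as OPEN_TO_WORLD, WIDE_RANGE or OK."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "OPEN_TO_WORLD"
    limit = MIN_IPV4_PREFIX if net.version == 4 else MIN_IPV6_PREFIX
    return "WIDE_RANGE" if net.prefixlen < limit else "OK"


def audit_db_ingress(sg_doc, port=DB_PORT):
    """Return (group_id, source, finding) for every source allowed to reach `port`."""
    findings = []
    for sg in sg_doc["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue  # e.g. the SSH rule on port 22 does not reach the database
            for r in perm.get("IpRanges", []):
                findings.append((gid, r["CidrIp"], classify_cidr(r["CidrIp"])))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((gid, r["CidrIpv6"], classify_cidr(r["CidrIpv6"])))
            for pair in perm.get("UserIdGroupPairs", []):
                # A reference to another security group (e.g. the bastion's) is the
                # intended pattern for option 2, so it is accepted as-is.
                findings.append((gid, pair["GroupId"], "OK"))
    return findings


def is_locked_down(findings):
    """True when no source reaching the database port is world-open or overly wide."""
    return all(f[2] == "OK" for f in findings)


def revoke_targets(findings):
    """CIDRs that should be revoked from the database port (input to revoke-security-group-ingress)."""
    return sorted(src for _, src, finding in findings if finding == "OPEN_TO_WORLD")


if __name__ == "__main__":
    results = audit_db_ingress(SAMPLE_DOC)
    for gid, src, finding in results:
        print(f"{gid}  {src:<22} {finding}")
    print("locked down:", is_locked_down(results))
    print("revoke:", revoke_targets(results))
```

To run this against a real account, replace `SAMPLE_DOC` with the parsed output of `aws ec2 describe-security-groups --group-ids <the RDS group>`; the prefix-length thresholds are a policy choice, not an AWS rule.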