
I have set up a VPC in AWS with 2 public subnets and 2 private subnets, with a NAT Gateway in the public subnets to allow the private subnets to access the internet. In my private subnets I'm hosting an RDS instance. I want to keep it in the private subnet but also be able to access it from my local network in case I have to inspect something on the DB itself. I read online that you can do this using a bastion jump server, but I was wondering: is it not possible to set up routing for just a single or a few IP addresses to access this one specific resource?

2 Answers


  1. You can create a temporary network load balancer which will forward your connections to the database just for the time you need it, and delete it afterwards. This would cost about $0.03/h of usage.

    You can, for example, create a script to create this and then delete with a few aws cli commands and paste it to your CloudShell. Or, if you want to be enterprisy, a Terraform/OpenTofu or CloudFormation definition.

  2. No, routing rules affect all traffic. They cannot be limited by IP address. (Not to be confused with Security Groups, that can limit access by IP address, but don’t control routing.)

    You can either:

    • Put the database in a public subnet with Publicly accessible = Yes and secure it with a Security Group limited to certain IP addresses, or
    • Put the database in a private subnet with Publicly accessible = No and use a Bastion / Jump box in the public subnet to give you access to the database (e.g. using SSH Port Forwarding).
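Whichever option from the answer above is chosen, the Security Group on the database is what actually limits who can reach it, and the common mistake is a rule that is broader than "a few IP addresses". The following script is an added example, not code from the original answers: it audits the `IpPermissions` of a security group (in the JSON shape returned by `aws ec2 describe-security-groups`, fed here from a constructed sample with made-up group IDs and documentation-range addresses) and reports every IPv4/IPv6 source that reaches the database port yet is wider than a single host. The group IDs, CIDRs and the port number are assumptions for the demonstration.

```python
import ipaddress
import json

# Constructed sample: a subset of the fields `aws ec2 describe-security-groups`
# returns. Group IDs and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",          # constructed
        "GroupName": "rds-postgres-sg",             # constructed
        "IpPermissions": [
            {   # Database port: one proper /32 plus a rule open to the world
                "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [
                    {"CidrIp": "203.0.113.10/32", "Description": "office"},
                    {"CidrIp": "0.0.0.0/0", "Description": "temporary debugging"},
                ],
                "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}],
                # Reference to another group (e.g. the bastion's SG): scoped, not a CIDR
                "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}],
            },
            {   # SSH on a /24: not the database port, so not reported here
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
                "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
        ],
    }]
})


def rule_covers_port(rule, port):
    """True if an IpPermissions entry lets TCP traffic to `port` through."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all protocols / all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_db_ingress(describe_json, db_port):
    """Return findings for every CIDR source that can reach db_port and is
    wider than a single host (/32 for IPv4, /128 for IPv6).
    Each finding: {"group": ..., "cidr": ..., "severity": "public"|"broad"}.
    Security-group references (UserIdGroupPairs) are not flagged: they are
    scoped to members of that group rather than to an address range."""
    findings = []
    data = json.loads(describe_json)
    for sg in data["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, db_port):
                continue
            ranges = [(r["CidrIp"], 32) for r in rule.get("IpRanges", [])]
            ranges += [(r["CidrIpv6"], 128) for r in rule.get("Ipv6Ranges", [])]
            for cidr, host_len in ranges:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == host_len:
                    continue                       # single host: acceptable
                severity = "public" if net.prefixlen == 0 else "broad"
                findings.append({"group": sg["GroupId"], "cidr": cidr,
                                 "severity": severity})
    return findings


def db_restricted_to_hosts(describe_json, db_port):
    """Convenience check: True only when no over-broad CIDR reaches db_port."""
    return not audit_db_ingress(describe_json, db_port)


if __name__ == "__main__":
    for f in audit_db_ingress(SAMPLE_DESCRIBE_OUTPUT, 5432):
        print(f"{f['severity']:6} {f['group']} allows {f['cidr']} to port 5432")
    print("restricted to single hosts:",
          db_restricted_to_hosts(SAMPLE_DESCRIBE_OUTPUT, 5432))
```

To run it against a real account, replace `SAMPLE_DESCRIBE_OUTPUT` with the output of `aws ec2 describe-security-groups --group-ids <db-sg-id>` and set `db_port` to the engine's port (5432 for PostgreSQL, 3306 for MySQL). The check treats a reference to another security group as acceptable, which is the pattern the bastion option relies on: the database group admits only members of the bastion's group, and the bastion's own group is the one that carries the operator's /32.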