I have EC2 instances in a private subnet behind a NAT gateway, and an AWS RDS MySQL instance that is publicly accessible. EC2 and RDS are in the same VPC and the same region.
I need to avoid having AWS RDS publicly accessible, so I created the RDS instance using a private subnet. If I do that, I must still be able to connect to RDS when necessary.
So I tried to set up a site-to-site VPN for this, but my tunnel is always down.
Please provide a solution for my scenario, and apart from site-to-site VPN, if there is a better solution for our scenario, please suggest it.
Tried site-to-site VPN, but the tunnel status is always DOWN.
Tried adding a security group for RDS in the private subnet, but I was unable to connect to that database with MySQL Workbench from my local machine.
Expecting a better solution for my scenario. If site-to-site VPN is the better solution, then I need to know how to resolve the tunnel status being DOWN.
2 Answers
With VPN, you need to set up Client VPN endpoints; see here how to set up Client VPN endpoints. Keep in mind to assign the VPN connection to one of the private subnets and allow the traffic to the AWS RDS database in its security groups.
Do not forget to check the costs for Client VPN.
As an alternative, you can set up a bastion host in the private network with SSM to connect to your databases. See how to access a bastion host by using Session Manager and Amazon EC2 Instance Connect.
When setting up an EC2 instance as bastion host, you can use port forwarding to your RDS database. Example command you can use locally:
Please replace <EC2-instance-ID>, <your-profile>, and optionally the ports (3306) accordingly.
Side note: you can start and stop your bastion host whenever you need it to save costs.
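The answer's example command is not reproduced on this page. The script below is an added example (not the answerer's command) showing the SSM port-forwarding approach it describes: the RDS instance stays private, the bastion needs no public IP and no inbound security-group rule, and the local MySQL Workbench connects to 127.0.0.1 on the forwarded port. It assumes the bastion runs the SSM agent with an instance profile allowing Session Manager, that the bastion's security group is allowed to reach the RDS security group on 3306, and that the AWS CLI plus session-manager-plugin are installed locally; the instance ID, profile and endpoint values are placeholders you supply.

```shell
#!/bin/sh
# Added example: forward a local port to a private RDS MySQL endpoint through a
# bastion EC2 instance using SSM Session Manager (no inbound ports opened).
# Assumptions (not from the original answer): SSM agent + instance profile on the
# bastion, bastion SG -> RDS SG on 3306, AWS CLI and session-manager-plugin locally.

# Reject anything that does not look like an EC2 instance ID (i- plus 8 or 17 hex).
valid_instance_id() {
  printf '%s' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Build the --parameters JSON for the AWS-StartPortForwardingSessionToRemoteHost
# document. Arguments: rds-endpoint remote-port local-port
tunnel_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Compose the full CLI invocation (returned, not executed).
# Arguments: instance-id profile rds-endpoint remote-port local-port
tunnel_command() {
  valid_instance_id "$1" || { echo "invalid instance id: $1" >&2; return 1; }
  printf 'aws ssm start-session --profile %s --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters %s' \
    "$2" "$1" "'$(tunnel_params "$3" "$4" "$5")'"
}

# Only open the tunnel when explicitly asked, so sourcing this file has no side effects.
# Usage: RDS_TUNNEL_RUN=1 INSTANCE_ID=i-... AWS_PROFILE=... RDS_HOST=<db>.rds.amazonaws.com sh rds_tunnel.sh
if [ "${RDS_TUNNEL_RUN:-0}" = "1" ]; then
  cmd=$(tunnel_command "${INSTANCE_ID:?}" "${AWS_PROFILE:?}" "${RDS_HOST:?}" \
        "${REMOTE_PORT:-3306}" "${LOCAL_PORT:-3306}") || exit 1
  echo "Opening tunnel: $cmd"
  eval "$cmd"
fi
```

While the session is open, point MySQL Workbench at 127.0.0.1 and the local port (3306 by default); closing the session closes the path to the database.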
Check Security Groups: Ensure that the security groups associated with your EC2 instances and RDS instance allow inbound and outbound traffic on the necessary ports. For MySQL, the default port is usually 3306. Make sure your EC2 instances can communicate with the RDS instance on this port.
Check Route Tables: Confirm that the route tables associated with your private subnets are correctly configured to route traffic destined for the RDS instance’s IP address range to the NAT gateway.
Check NACLs: Network Access Control Lists (NACLs) provide an additional layer of security at the subnet level. Make sure that the NACLs associated with your private subnets allow inbound and outbound traffic on port 3306 (or the port your RDS instance is using for MySQL).
Check VPC Peering: If you have multiple VPCs and are using VPC peering to connect them, ensure that the peering connections are correctly configured and allow traffic between the VPCs.
VPN Connection: If you’re still considering using a VPN connection, double-check the configuration to ensure it matches the requirements of your VPC and the RDS instance. Make sure the VPN tunnel is correctly established, and the routing is configured to route traffic between the VPC and your on-premises network.
VPC Endpoints: Consider using VPC endpoints for services like S3 or DynamoDB if your EC2 instances need to access other AWS services. This can help improve security and performance by keeping traffic within the AWS network.
AWS Direct Connect: If your organization requires dedicated network connectivity between your on-premises environment and AWS, consider using AWS Direct Connect. This provides a private, dedicated connection from your data center to AWS, bypassing the public internet.