As far as I have seen, the most secure way to access RDS is if your service (the one accessing the RDS database) is also running on AWS.
Another option is to control access with security groups by whitelisting the IPs of services. However, services running on infrastructure like Heroku do not provide a static IP (as far as I have seen), only IP ranges.
My situation is that I have an API service on Heroku that I would like to have access to an AWS RDS database. What is the best and most secure way to grant access to the RDS database from Heroku (or another external service), given that Heroku does not assign static IPs to apps?
Here are solutions that I would not like to consider.
- Create a security group assigned to the RDS instance that allows all connections (0.0.0.0/0), then secure RDS with a password
- Move my API service into AWS
2 Answers
I'd recommend considering the use of QuotaGuard static IP addresses for Heroku.
I'd use this plugin to make sure that all outbound traffic from my compute layer uses the static IP, which can then be whitelisted in the security group of your RDS instance.
A more secure option that you may consider is setting up a private network space peering between your Heroku private space and your AWS VPC.
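To make the static-IP approach from the answer above concrete, here is an added example (not code from the question, the answers or QuotaGuard) that builds the `IpPermissions` entry boto3's `authorize_security_group_ingress` expects for a set of fixed egress addresses, refuses anything wider than a /32, and audits an existing group's rules for the 0.0.0.0/0 rule the question wants to avoid. The addresses, ports and the `describe_security_groups` output are constructed placeholders; the real egress IPs are the ones the add-on shows you after provisioning.

```python
"""Build and audit an RDS security-group ingress rule for fixed egress IPs.

Added example, not part of the original question or answers. The addresses,
the security-group id and the sample describe_security_groups output are
constructed placeholders.
"""
import ipaddress

DB_PORT = 5432  # PostgreSQL; MySQL/MariaDB would be 3306


def ingress_rule(static_ips, port=DB_PORT, description="Heroku egress via static IP add-on"):
    """Return one IpPermissions entry for ec2.authorize_security_group_ingress.

    Every source must be a single IPv4 host (/32). A range or the 0.0.0.0/0
    wildcard raises, so the rule cannot quietly widen into the open-to-world
    security group the question rules out.
    """
    ranges = []
    for ip in static_ips:
        net = ipaddress.ip_network(ip, strict=True)
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"refusing non-/32 source {ip}")
        ranges.append({"CidrIp": str(net), "Description": description})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}


def audit_ingress(permissions, allowed_ips, port=DB_PORT):
    """Check an existing group's IpPermissions list (as describe_security_groups returns it).

    Returns findings for every rule that reaches the DB port from a source other
    than the expected /32 addresses; 0.0.0.0/0 is called out explicitly.
    """
    allowed = {str(ipaddress.ip_network(ip)) for ip in allowed_ips}
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols and all ports
            continue
        if proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not (lo <= port <= hi):
                continue
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            if cidr == "0.0.0.0/0":
                findings.append(f"port {port} open to the whole internet ({cidr})")
            elif cidr not in allowed:
                findings.append(f"port {port} reachable from unexpected source {cidr}")
        for r in perm.get("Ipv6Ranges", []):
            # The add-on hands out IPv4 addresses, so any IPv6 source is unexpected.
            findings.append(f"port {port} reachable from unexpected IPv6 source {r['CidrIpv6']}")
    return findings


# Constructed placeholders standing in for the egress addresses the add-on assigns.
STATIC_IPS = ["203.0.113.10/32", "203.0.113.11/32"]

# Constructed sample: a group that still carries the wide-open rule next to the
# intended /32 rule, plus an unrelated SSH rule that must not be flagged.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.7/32"}]},
]

if __name__ == "__main__":
    rule = ingress_rule(STATIC_IPS)
    # With boto3 the rule is applied as (placeholder group id):
    #   boto3.client("ec2").authorize_security_group_ingress(
    #       GroupId="sg-0123456789abcdef0", IpPermissions=[rule])
    print(rule)
    for finding in audit_ingress(SAMPLE_PERMISSIONS, STATIC_IPS):
        print("FINDING:", finding)
```

Run it against the real output of `aws ec2 describe-security-groups --group-ids <rds-sg>` to confirm the 0.0.0.0/0 rule is gone once the /32 rule is in place; the audit deliberately ignores rules on other ports so it can run against a shared group.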
Do you want the most secure way? Or the thing which is reasonably secure you will actually be able to implement without spending $$$s and months of work?
For the latter, use a VPN.