Is there a way to have AWS RDS Public Accessibility = No but still accessible outside of EC2 instance?
For management-related reasons, I need the Public Accessibility option set to "No" for the RDS.

However, we're also looking into being able to access the RDS from our local devices. The only way we're able to do so is by selecting "Yes" in Public Accessibility. Of course, the VPC, Gateway, Subnet, and Security Groups are already set with the appropriate public-facing stuff, which is probably why the Yes option is working.

But the moment we set it to No, only the EC2 instances are now able to connect to the database.

Is there a way around this or is that really what the Public Accessibility flag does by design?

Thanks in advance.

Marcellusmarcelo answered 23/4, 2019 at 7:20 Comment(3)
You should set up a VPN connection to your VPC. (Chauchaucer)
Ah, I completely forgot about that option. I'll see if management is alright with setting up a VPN. (Marcellusmarcelo)
If you arrived at this question because you can't get to your RDS despite having a VPN connection, check whether your VPN's ACL lets you connect to TCP port 5432. No way to see this in the AWS console, of course. (Territerrible)

Yes, the Public Accessibility flag prevents you from accessing the RDS directly through the Internet, but you can indirectly access it through a jump server (like an SSH bastion) which is placed in a public subnet. Most of the popular MySQL UI editors like Sequel Pro have a built-in option for SSH config; using this option you can access RDS from local devices. You can also configure tunneling to the bastion.

Psf answered 23/4, 2019 at 10:10 Comment(0)

Setting Public Accessibility to "No" will not allow any access from the internet. There are plenty of ways to connect your RDS to your local.

  1. Add your public IP in the security group of your rds database instance

  2. Jump Server / Bastion

  3. VPN / Direct Connect

You're asking for the best approach on how to secure this. The best option is #3. But to do this, you will need to build your database instance in the private subnet.

How?

Navigate to RDS > Subnet Groups. Create a DB Subnet Group. Select your VPC and the private subnet to use.

Motivity answered 26/4, 2019 at 20:36 Comment(2)
Hey, I have tried the 1st method (add my IP address to the security group of my RDS) but I still have to have the Public Accessibility option set to "Yes" to have a connection from an outside client... Have you personally tried that option? If yes, do you have more details to share about it? Also the 3rd option seems interesting, any pointers to some docs/tutorials? Thanks! (Moorman)
Same, it looks like the first option is not possible if Public Accessibility is set to No. (Garget)

As @user11389395 mentioned, you must have Public Accessibility set to "Yes" in the RDS "Modify" page (this won't cause any outage of your database, or cause it to go down).

Once you have enabled it, you must jump into the Security Group that your RDS server is on, add an Inbound rule with the TCP Protocol, port 3306 (if using MySQL), and then in the Source dropdown, select "My IP":

[Screenshot: AWS Security Group Inbound Rules]

When you select "My IP", you should see the source input field gray out and display your public IP address. You can confirm this public IP address by checking it online through Google. This grants only your public IP address access to your RDS database through the internet.

Once you save the rule, you should then be able to connect using TablePlus (or another SQL client) from your local computer by entering your RDS "Endpoint" (shown on the RDS "Connectivity and Security" tab) as the hostname, and your master username and password.

Newtonnext answered 5/3, 2021 at 16:22 Comment(1)
I tried what you suggested but I couldn't get it to run. It seems like it may no longer behave the same way. (Lepidolite)
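The distinction the answers and comments above keep running into (the Public Accessibility flag decides whether the endpoint has any internet-routable address at all; the security group then only narrows who can reach the port once the flag is on) can be checked mechanically across an account. The following is an added example, not code from this thread: it audits constructed JSON shaped like the `aws rds describe-db-instances` and `aws ec2 describe-security-groups` outputs, and the instance names, group IDs and CIDRs in it are made-up sample values.

```python
import ipaddress

# Constructed sample shaped like `aws rds describe-db-instances` output (not real resources).
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "Endpoint": {"Port": 3306}, "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-aaa"}]},
    {"DBInstanceIdentifier": "reports-db", "Endpoint": {"Port": 5432}, "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-bbb"}]},
    {"DBInstanceIdentifier": "legacy-db", "Endpoint": {"Port": 3306}, "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-ccc"}]},
]

# Constructed sample of each group's IpPermissions (shape of `aws ec2 describe-security-groups`).
SECURITY_GROUPS = {
    "sg-aaa": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}],  # the "My IP" /32 rule
    "sg-bbb": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],      # VPC-internal range only
    "sg-ccc": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],  # all traffic, anywhere
}

def rule_covers_port(rule, port):
    """True if an ingress rule admits TCP to `port` ("-1" means every protocol and port)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def classify(db, groups):
    """'private' (flag off: no internet route regardless of SG), 'internet-open' (flag on and a
    /0 range admitted on the DB port), else 'internet-restricted' (flag on, specific CIDRs)."""
    if not db["PubliclyAccessible"]:
        return "private"
    port = db["Endpoint"]["Port"]
    for sg in db["VpcSecurityGroups"]:
        for rule in groups.get(sg["VpcSecurityGroupId"], []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                return "internet-open"
    return "internet-restricted"

def audit(instances=DB_INSTANCES, groups=SECURITY_GROUPS):
    """Map each DB identifier to its exposure class; feed it real CLI JSON in practice."""
    return {db["DBInstanceIdentifier"]: classify(db, groups) for db in instances}
```

Against the sample data, `orders-db` comes out as internet-restricted (flag on, but only the single /32 from the "My IP" rule), `reports-db` as private, and `legacy-db` as internet-open.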

© 2022 - 2024 — McMap. All rights reserved.