When you deploy application servers or databases in private subnets, as security best practice recommends, you still need a reliable way to reach them for day-to-day management and for troubleshooting when something goes wrong. How can you do that securely? By creating a tunnel with an SSM document.
Why go with this approach and tunnel through the bastion host with SSM? The key advantage is that SSM records every connection in CloudWatch for audit and security purposes; it is also an additional way to connect to private resources.
This solution enables the creation of a tunnel to access other private resources, such as EC2 instances and RDS.
In this blog post, I will show how to create a tunnel to RDS, or to any EC2 resource in that private subnet, while maintaining security, using an SSM document.
This is a short step-by-step guide to help you establish a secure connection to your RDS instance.
By the end of this article, you'll clearly understand how to access your RDS instance using SSM documents, keeping your network safe. All the connections established via SSM are recorded in CloudWatch for audit and security purposes.
Prerequisites:
- I assume you've already set up a bastion host in your public subnet that can communicate with the RDS instance, and that your public IP is whitelisted and has access to the bastion host. We'll rely on the AWS-StartPortForwardingSessionToRemoteHost SSM document for tunnelling.
- To perform this task, you need the AWS CLI installed and configured on your machine, and the necessary permissions granted to your IAM user.
We are ready to go.
- Step 1: In your hosts file, /etc/hosts, add a record that maps the RDS endpoint name to the loopback address. We will use this name later when the database client connects to the RDS instance:
127.0.0.1 <rds-endpoint>
- Step 2: Run the following command to create the tunnel:
aws --profile <aws_profile> ssm start-session --target <bastion-host-ec2-id> --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=<rds-endpoint>,portNumber=5432,localPortNumber=5433
Wait until the connection is established. You can then connect to the database using the command below, or with your favourite DB management tool, such as pgAdmin, or MySQL Workbench if it is a MySQL database.
Here is the screenshot from Session Manager:
- Step 3: Connect using the psql CLI:
psql -h 127.0.0.1 -p 5433 -U postgres