DEV Community

Hritik Raj

πŸ—οΈ AWS 135: The Full Stack - Connecting EC2 to a Private RDS MySQL Database

AWS

🌐 Connecting the Dots: Building a Secure Application Architecture

Hey Cloud Architects 👋

Welcome to Day 35 of the #100DaysOfCloud Challenge!
Today, we are moving beyond simple infrastructure setup and building a real-world Two-Tier Application. We are provisioning a private Amazon RDS MySQL database and configuring an EC2 Web Server to connect to it securely.

This task is part of my hands-on practice on the KodeKloud Engineer platform, which I highly recommend for anyone looking to master real-world DevOps scenarios.


🎯 Objective

  • Provision a private RDS MySQL instance named devops-rds.
  • Establish passwordless SSH access from the aws-client to devops-ec2.
  • Update Security Groups to allow specific traffic on Ports 3306 (DB) and 80 (Web).
  • Deploy and configure a PHP connection script (index.php) to verify the link.

💡 Why Secure DB Connections Matter

A database should never be reachable from the internet. Two controls do the work here: the RDS instance is created without public access, so its endpoint resolves only to a private IP inside the VPC, and its Security Group (a stateful virtual firewall) accepts port 3306 only from the Security Group of our web server. Everything else, including other hosts in the same VPC, is denied by default.

🔹 Key Concepts

  • Private RDS: An instance created with "Publicly accessible" set to No. It has no public IP, so it can only be reached from inside the VPC (or through a VPN, peering or Transit Gateway connection you explicitly set up).

  • Security Group Chaining: Instead of opening port 3306 to an IP range, the RDS Security Group rule names the EC2 instance's Security Group ID as its source. Any instance carrying that group is allowed in, and the rule keeps working when the web server is replaced and its private IP changes.

  • Key-based (passwordless) SSH: Public-key authentication (the lab uses RSA keys) lets scripts and tools manage the server without a password prompt. The private key never leaves the client; only the public key is placed on the server.


πŸ› οΈ Step-by-Step: Integrated Infrastructure Workflow


🔹 Phase A: Provision the RDS Instance

  • Engine: MySQL v8.4.5 (Sandbox/Free Tier template).
  • Identifier: devops-rds on a db.t3.micro instance.
  • Credentials: master username devops_admin; initial database name devops_db. Pick a strong master password and keep it out of any file you commit to version control.
  • Storage: gp2, 5 GiB as the lab specifies (note that a real AWS account enforces a 20 GiB minimum for MySQL).
  • Network: "Publicly accessible" set to No, so the instance receives only a private IP inside the VPC.

🔹 Phase B: Secure SSH Access (Client to EC2)

  • Key Generation: On the aws-client host, reuse /root/.ssh/id_rsa if it already exists; otherwise generate it without a passphrase so the lab's non-interactive steps work: [ -f /root/.ssh/id_rsa ] || ssh-keygen -t rsa -b 4096 -N "" -f /root/.ssh/id_rsa
  • Authorized Keys: Append the contents of /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the devops-ec2 instance (ssh-copy-id root@<EC2_PUBLIC_IP> does exactly this). Keep ~/.ssh at mode 700 and authorized_keys at mode 600; with the default StrictModes, sshd ignores a key file that is writable by others.
  • Check: ssh root@<EC2_PUBLIC_IP> hostname should print the instance hostname without asking for a password.

🔹 Phase C: Networking & Security Groups

  • RDS Security Group: Add an Inbound Rule for MYSQL/Aurora (TCP 3306) and set the source to the Security Group ID (sg-...) of devops-ec2, not to the instance's IP and never to 0.0.0.0/0. Traffic from EC2 to RDS stays inside the VPC and uses the instance's private address, which is why an IP-based rule on the public IP would not match.
  • EC2 Security Group: Add an Inbound Rule for HTTP (TCP 80) from anywhere (0.0.0.0/0) so you can view the result in your browser. This is fine for a lab; in production the web tier sits behind a load balancer and accepts port 80/443 only from the load balancer's Security Group.
  • Check: SSH (TCP 22) from aws-client must already be allowed on the EC2 Security Group, or Phase B and the scp in Phase D will time out.

🔹 Phase D: Application Deployment

  • File Transfer: Copy the index.php from aws-client to the EC2 instance: scp /root/index.php root@<EC2_PUBLIC_IP>:/var/www/html/
  • Configuration: Edit index.php on the EC2 instance to set the RDS Endpoint, Username, Password and Database Name. Use the endpoint hostname shown on the RDS console, not an IP address.
  • Caveat: A password written into index.php is readable by every user with a shell on the instance and by any vulnerability that can read files under /var/www/html. The lab accepts it; in a real deployment keep credentials out of the document root (environment variables set for the web server, or AWS Secrets Manager) and make the file readable only by root and the web server user.

✅ Verify Success

  • Browser Test: Paste the Public IP of devops-ec2 into your browser (or run curl http://<EC2_PUBLIC_IP>/ from aws-client).
  • Confirm: 🎉 If you see the message "Connected successfully", mission accomplished! Your web server is communicating with your private database.
  • If the page hangs instead, the RDS Security Group is not accepting 3306 from the EC2 group; if it returns an error, check the web server's error log for the MySQL message.
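The lab's own index.php is not reproduced on this page. The script below is an added example, not the author's file, showing what a production-minded version of the "Connected successfully" check looks like: credentials are read from the environment instead of being written into the file, the connection is made over TLS with the server certificate verified, and driver errors go to the server log rather than the browser. The environment variable names, the CA bundle path and the assumption that the variables are exported to the PHP process (for example with SetEnv in the Apache vhost) are all choices made for this example.

```php
<?php
// Added example (not the lab's index.php): connect to the private RDS MySQL
// instance with credentials from the environment, over verified TLS, without
// leaking driver errors to the browser.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed to be set for the PHP process (e.g. SetEnv in the Apache vhost, or
// populated from AWS Secrets Manager by an instance bootstrap script).
$cfg = [
    'host' => getenv('DB_HOST'),   // RDS endpoint hostname, never an IP
    'user' => getenv('DB_USER'),   // devops_admin
    'pass' => getenv('DB_PASS'),
    'name' => getenv('DB_NAME'),   // devops_db
];

// Assumed local path of the RDS CA bundle, downloaded from
// https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
$caBundle = '/etc/pki/tls/certs/rds-global-bundle.pem';

foreach ($cfg as $key => $value) {
    if ($value === false || $value === '') {
        http_response_code(500);
        exit('Database configuration missing');
    }
}

try {
    $db = mysqli_init();
    // Verify the server certificate so a host inside the VPC cannot
    // impersonate the endpoint and harvest the password.
    $db->ssl_set(null, null, $caBundle, null, null);
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $db->real_connect(
        $cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name'],
        3306, null, MYSQLI_CLIENT_SSL
    );

    // Confirm TLS is actually in use rather than assuming it.
    $row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        throw new RuntimeException('connection is not encrypted');
    }

    echo 'Connected successfully';
    $db->close();
} catch (Throwable $e) {
    // Detail goes to the server log; the browser learns nothing about hosts,
    // usernames or driver state.
    error_log('RDS connection failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Database unavailable';
}
```

With MYSQLI_REPORT_STRICT enabled, a Security Group that does not allow 3306 surfaces as a thrown exception (connection timed out) in the server log instead of a warning rendered into the page, which is the behaviour you want on anything reachable from the internet.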

πŸ“ Key Takeaways

  • πŸš€ Zero Trust: We kept the DB private and only allowed specific traffic from the web server.
  • πŸ›‘οΈ Endpoint vs IP: Always use the RDS Endpoint URL in your application code, as the underlying IP of the RDS can change.
  • πŸ“¦ Automation: Using SSH keys and automated file transfers (SCP) makes your deployment pipeline much faster.

🚫 Common Mistakes

  • Security Group Miss: Forgetting to allow 3306 on the RDS side, or setting the source to the EC2 instance's public IP instead of its Security Group ID, causes a "Connection Timed Out" error because the connection arrives from the private IP.
  • Wrong DB Port: MySQL's default is 3306, but RDS lets you choose another port at creation; make sure the Security Group rule and the script use the port shown on the RDS console.
  • PHP Permissions: Ensure the web server user (apache/nginx) can read index.php in /var/www/html/; a file copied in as root with a restrictive umask will return 403 or a blank page.

🌟 Final Thoughts

You’ve just built a secure two-tier architecture, the foundation of almost every modern web application. By keeping the database private and allowing only the web tier's Security Group to reach it, you’ve implemented the network segmentation that production deployments build on.


🌟 Practice Like a Pro

If you want to try these tasks yourself in a real AWS environment, check out:
👉 KodeKloud Engineer - Practice Labs

It’s where I’ve been sharpening my skills daily!

