@jeffjohnson9046
Last active June 24, 2022 21:38
Connect to a private AWS RDS instance that is only accessible through a bastion (and not the internet)
# Assume the following scenario:
# * You have a bastion/jump server that is publicly available
# * You have an RDS instance that is _not_ publicly accessible, but the bastion can get to it
#
# We have this setup with some of our k8s clusters: the cluster was created via kops, which _also_ sets up a VPC, a
# bastion server, all that good stuff. We use a "private" network topology to minimize public access to any of the
# resources in the cluster.
#
# We _also_ create our RDS instances in the same VPC. The bastion and nodes get access to the RDS instance, but it isn't
# available to us common folk out here on the internet. That's good; we want to minimize access to the database, too.
#
# But if we common folk want to query the RDS database(s) from our local machines, well... we can't. Because they're
# locked up tight in the VPC. However, if I can ssh into the bastion server (because I have the private key), then I can
# use port-forwarding to query the RDS from my workstation. Here's how:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] -v
# For example:
ssh -i ~/.ssh/my-test-cluster.pem -N -L 5433:my-test-cluster-postgres.aws-randomization.us-west-1.rds.amazonaws.com:5432 admin@my-bastion.k8s-test.com -v
# To run this command in the background, add an & at the end:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] &
# NOTE: If you don't add the &, this command won't return; it'll appear to hang, but it's actually doing the forwarding for you
# (the -v just makes that visible by printing what ssh is doing, including each forwarded connection).
# In another window on your workstation, you can connect to and query against the RDS instance, by connecting to your
# localhost and providing the right credentials:
psql -h 127.0.0.1 -p 5433 -U app-user app-db
Password for user app-user:
Time: 32.704 ms
psql:/Users/jeff.johnson/.psqlrc:49: WARNING: 25P01: there is no transaction in progress
LOCATION: EndTransactionBlock, xact.c:3623
Time: 87.466 ms
psql (9.6.16, server 9.6.12)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
app-user@127:5433/app-db>
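The same tunnel, wrapped in a few POSIX sh functions. This is an added example, not part of the original gist: it keeps the ssh port-forward from above but binds the local end to 127.0.0.1 explicitly, makes ssh fail loudly with ExitOnForwardFailure if the local port is already taken, parks a ControlMaster socket so the backgrounded tunnel can be checked and closed by name, and connects psql with sslmode=verify-full using libpq's host/hostaddr split so the RDS certificate is still checked against the real host name even though the TCP connection goes to 127.0.0.1. All host names, key paths, the CA bundle path and the SSH/PSQL overrides are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original gist): managed ssh tunnel to a private
# RDS instance via the bastion, plus a verify-full psql connection through it.
# All host names, key paths and the CA bundle path below are placeholders.

SSH="${SSH:-ssh}"     # overridable so the functions can be dry-run
PSQL="${PSQL:-psql}"

# One control socket per local port, e.g. ~/.ssh/rds-tunnel-5433.sock
tunnel_socket() {
    printf '%s/.ssh/rds-tunnel-%s.sock' "$HOME" "$1"
}

# Accept only a decimal port in 1..65535; anything else is rejected before
# it is spliced into the ssh command line.
validate_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_up KEY LOCAL_PORT RDS_HOST RDS_PORT BASTION_USER@BASTION_HOST
#   -L 127.0.0.1:...   forwarded port listens on loopback only
#   ExitOnForwardFailure  ssh exits non-zero if the forward cannot be set up
#   ControlMaster/ControlPath  lets tunnel_status/tunnel_down find it later
tunnel_up() {
    key=$1 lport=$2 rhost=$3 rport=$4 bastion=$5
    validate_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    validate_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    "$SSH" -i "$key" -N -f \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o ControlMaster=yes -o ControlPath="$(tunnel_socket "$lport")" \
        -L "127.0.0.1:$lport:$rhost:$rport" \
        "$bastion"
}

# tunnel_status LOCAL_PORT / tunnel_down LOCAL_PORT
# ssh requires a trailing host argument, but it is unused when -S points at
# an existing control socket; "tunnel" is just a dummy.
tunnel_status() { "$SSH" -S "$(tunnel_socket "$1")" -O check tunnel; }
tunnel_down()   { "$SSH" -S "$(tunnel_socket "$1")" -O exit  tunnel; }

# rds_psql LOCAL_PORT RDS_HOST USER DBNAME [extra psql args...]
# host= is what the server certificate is verified against; hostaddr= is
# where the TCP connection actually goes (the local end of the tunnel).
# RDS_CA_BUNDLE should point at the RDS CA bundle downloaded from AWS.
rds_psql() {
    lport=$1 rhost=$2 user=$3 db=$4
    shift 4
    "$PSQL" "host=$rhost hostaddr=127.0.0.1 port=$lport user=$user dbname=$db sslmode=verify-full sslrootcert=${RDS_CA_BUNDLE:-$HOME/.ssh/rds-global-bundle.pem}" "$@"
}

# Typical session (placeholders):
#   tunnel_up ~/.ssh/my-test-cluster.pem 5433 my-db.us-west-1.rds.amazonaws.com 5432 admin@my-bastion.example.com
#   tunnel_status 5433
#   rds_psql 5433 my-db.us-west-1.rds.amazonaws.com app-user app-db
#   tunnel_down 5433
```

Because `tunnel_up` uses `-f` together with `ExitOnForwardFailure=yes`, ssh only backgrounds itself after the forward is established, so a non-zero exit status means there is no tunnel rather than a half-working one; `tunnel_down` closes exactly that session through its control socket, which is easier to script than hunting for a PID left behind by a bare `&`.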