Skip to content

Instantly share code, notes, and snippets.

Last active June 24, 2022 21:38
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Connect to a private AWS RDS instance that is only accessible through a bastion (and not the internet)
# Assume the following scenario:
# * You have a bastion/jump server that is publicly available
# * You have an RDS instance that is _not_ publicly accessible, but the bastion can get to it
# We have this setup with some of our k8s clusters: the cluster was created via kops, which _also_ sets up a VPC, a
# bastion server, all that good stuff. We use a "private" network topology to minimize public access to any of the
# resources in the cluster.
# We _also_ create our RDS instances in the same VPC. The bastion and nodes get access to the RDS instance, but it isn't
# available to us common folk out here on the internet. That's good; we want to minimize access to the database, too.
# But if we common folk want to query the RDS database(s) from our local machines, well... we can't. Because they're
# locked up tight in the VPC. However, if I can ssh into the bastion server (because I have the private key), then I can
# use port-forwarding to query the RDS from my workstation. Here's how:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] -v
# For example:
ssh -i ~/.ssh/my-test-cluster.pem -N -L -v
# To run this command in the background, add an & at the end:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] &
# NOTE: If you don't add the -v or the &, this command won't return; it'll appear to hang, but it's actually doing the forwarding for you.
# In another window on your workstation, you can connect to and query against the RDS instance, by connecting to your
# localhost and providing the right credentials:
psql -h -p 5433 -U app-user app-db
Password for user app-user:
Time: 32.704 ms
psql:/Users/jeff.johnson/.psqlrc:49: WARNING: 25P01: there is no transaction in progress
LOCATION: EndTransactionBlock, xact.c:3623
Time: 87.466 ms
psql (9.6.16, server 9.6.12)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment