Last active
June 24, 2022 21:38
Gist: jeffjohnson9046/fda17faf9e69372ce5776a9b09bb715c
Connect to a private AWS RDS instance that is only accessible through a bastion (and not the internet)
# Assume the following scenario:
# * You have a bastion/jump server that is publicly available
# * You have an RDS instance that is _not_ publicly accessible, but the bastion can get to it
#
# We have this setup with some of our k8s clusters: the cluster was created via kops, which _also_ sets up a VPC, a
# bastion server, all that good stuff. We use a "private" network topology to minimize public access to any of the
# resources in the cluster.
#
# We _also_ create our RDS instances in the same VPC. The bastion and nodes get access to the RDS instance (via its
# security group), but it isn't available to us common folk out here on the internet. That's good; we want to minimize
# access to the database, too.
#
# But if we common folk want to query the RDS database(s) from our local machines, well... we can't, because they're
# locked up tight in the VPC. However, if I can ssh into the bastion server (because I have the private key), then I can
# use ssh local port-forwarding (-L) to query RDS from my workstation: ssh listens on a port on the workstation and relays
# everything sent to it, inside the ssh session, to the RDS endpoint as the bastion resolves it. Here's how:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] -v
# For example:
ssh -i ~/.ssh/my-test-cluster.pem -N -L 5433:my-test-cluster-postgres.aws-randomization.us-west-1.rds.amazonaws.com:5432 admin@my-bastion.k8s-test.com -v
# To run this command in the background, add an & at the end:
ssh -i /path/to/private/key -N -L [local port]:[RDS host name]:[RDS port] [bastion user]@[bastion host name] &
# NOTE: Without the &, this command won't return. That is not a hang: -N tells ssh not to run a remote command, so the
# session just sits there doing the forwarding for you. -v does not change that; it only makes ssh print debug output
# (including a line when the forward is set up), so it's obvious something is happening. If you want ssh to background
# itself only once the forward is actually up, use -f instead of & (and -o ExitOnForwardFailure=yes so it exits rather
# than lingering if the bastion refuses the forward).
# The local listener is bound to 127.0.0.1 by default, which is what you want: don't prefix the -L spec with 0.0.0.0 or
# * (or turn on GatewayPorts), or anyone who can reach your workstation gets a path to the database.
# In another window on your workstation, you can connect to and query against the RDS instance by connecting to your
# localhost and providing the right credentials:
psql -h 127.0.0.1 -p 5433 -U app-user app-db
Password for user app-user:
Time: 32.704 ms
psql:/Users/jeff.johnson/.psqlrc:49: WARNING: 25P01: there is no transaction in progress
LOCATION: EndTransactionBlock, xact.c:3623
Time: 87.466 ms
psql (9.6.16, server 9.6.12)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
app-user@127:5433/app-db>
# Note the "SSL connection" line: ssh only relays bytes, so TLS is negotiated end to end between psql and RDS and is not
# terminated on the bastion. With -h 127.0.0.1, though, libpq has no hostname to check the server certificate against.
# If you want sslmode=verify-full to work through the tunnel, pass host=[RDS host name] hostaddr=127.0.0.1 in the
# connection string (hostaddr is where the socket goes, host is what the certificate is verified against) along with
# sslrootcert pointing at the RDS CA bundle from AWS.
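The steps above as one script. This is an added example and not part of the original gist: it wraps the same ssh -L tunnel so that ssh backgrounds itself only once the forward is up, the listener is bound to loopback explicitly, the tunnel is torn down when psql exits, and libpq verifies the RDS certificate against the real RDS hostname even though the socket goes to 127.0.0.1. Hostnames, key path and ports default to the ones in the gist's example; the RDS_CA path is an assumed location for the RDS CA bundle downloaded from AWS, and the control-socket path is a placeholder.

```shell
#!/bin/sh
# Added example (not the gist author's code). Defaults below match the gist's
# example values; RDS_CA and CTL_SOCK are assumed paths, override as needed.
set -eu

BASTION_KEY="${BASTION_KEY:-$HOME/.ssh/my-test-cluster.pem}"
BASTION="${BASTION:-admin@my-bastion.k8s-test.com}"
RDS_HOST="${RDS_HOST:-my-test-cluster-postgres.aws-randomization.us-west-1.rds.amazonaws.com}"
RDS_PORT="${RDS_PORT:-5432}"
LOCAL_PORT="${LOCAL_PORT:-5433}"
RDS_CA="${RDS_CA:-$HOME/.postgresql/global-bundle.pem}"    # assumed: RDS CA bundle from AWS
CTL_SOCK="${CTL_SOCK:-/tmp/rds-tunnel-${LOCAL_PORT}.sock}"  # assumed: ssh control socket path

# -L spec: listener on the workstation's loopback only -> RDS endpoint as the bastion resolves it.
forward_spec() {
  printf '127.0.0.1:%s:%s:%s' "$LOCAL_PORT" "$RDS_HOST" "$RDS_PORT"
}

# libpq connection string. hostaddr= is where the socket goes (the local end of
# the tunnel); host= is what the server certificate is checked against, so
# sslmode=verify-full still validates the RDS hostname through the tunnel.
# Arguments: database name, database user.
conninfo() {
  printf 'host=%s hostaddr=127.0.0.1 port=%s dbname=%s user=%s sslmode=verify-full sslrootcert=%s' \
    "$RDS_HOST" "$LOCAL_PORT" "$1" "$2" "$RDS_CA"
}

# Open the tunnel. -f backgrounds ssh only after the forward is established,
# ExitOnForwardFailure makes it exit non-zero instead of lingering if the
# bastion refuses the forward, and -M/-S give us a control socket to close it.
start_tunnel() {
  ssh -i "$BASTION_KEY" -f -N -M -S "$CTL_SOCK" \
      -o ExitOnForwardFailure=yes \
      -o ServerAliveInterval=30 \
      -L "$(forward_spec)" \
      "$BASTION"
}

# Ask the backgrounded master ssh to exit, which also closes the listener.
stop_tunnel() {
  ssh -S "$CTL_SOCK" -O exit "$BASTION" 2>/dev/null || true
}

# Usage: ./rds-tunnel.sh <dbname> <dbuser> [extra psql options...]
main() {
  db="$1"; user="$2"; shift 2
  start_tunnel
  trap stop_tunnel EXIT INT TERM
  psql "$@" "$(conninfo "$db" "$user")"
}

if [ $# -ge 2 ]; then
  main "$@"
fi
```

Run it as `./rds-tunnel.sh app-db app-user` (or with `-c 'select 1'` appended) and it behaves like the two-window procedure above, but the tunnel disappears as soon as psql exits instead of living on as a forgotten background job.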