Our db is hosted on Amazon. Our web server can connect to the db. Connections to the db are not allowed outside of the web server.
This creates a tunnel from my local machine to the web server:
ssh -N -L 3307:my-rds-db.us-east-1.rds.amazonaws.com:3306 ec2-my-web-server.compute-1.amazonaws.com
-N  Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
An example using mysql:
$ mysql -uusername -h 127.0.0.1 -P 3307 -p
From man ssh:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given
host and port on the remote side. This works by allocating a socket to listen to port on
the local side, optionally bound to the specified bind_address. Whenever a connection is
made to this port, the connection is forwarded over the secure channel, and a connection
is made to host port hostport from the remote machine. Port forwardings can also be
specified in the configuration file. IPv6 addresses can be specified by enclosing the
address in square brackets. Only the superuser can forward privileged ports. By default,
the local port is bound in accordance with the GatewayPorts setting. However, an explicit
bind_address may be used to bind the connection to a specific address. The bind_address of
``localhost'' indicates that the listening port be bound for local use only, while an empty
address or `*' indicates that the port should be available from all interfaces.
@Fettah @Freelensia, you have to make sure the security group of the RDS database has an inbound rule set up with the IP address (or CIDR) of the bastion host. A simple test to figure this out is:
ssh to the bastion host normally (i.e. ssh -i "your.pem" your.ec2.host), then run:
mysql -h your.rds.endpoint -u yourdbuser -p
If it hangs, you have to fix that first via the security group mentioned above. If you can authenticate via the MySQL CLI (on the bastion), then your SSH commands and port-forwarding ssh command will work just fine, and the command will no longer hang.
UPDATE: I had to not use the -N switch, as well.