Outside Access to VPC RDS Instance

Many applications inside Amazon Web Service are using MySQL inside a Virtual Private Cloud (VPC) and not accessible to the outside network. Oftentimes clients will want to connect to the database directly to inspect data, run a visualization tool, or simply connect a locally run application. The solution to this problem is to NAT connections from the application hosts to the RDS instance(s) using an ELB.

internet -> ELB -> webapp server -> RDS instance

The first step in this process is to enable forwarding on the webapp servers by editing /etc/sysctl.conf.

# /etc/sysctl.conf
net.ipv4.ip_forward = 1

Enable the new setting:

sysctl -p

The next step is to add the IPTables rules to route traffic through, first add a destination NAT rule to the PREROUTING table which will intercept all traffic to port 3306 and forward it to the IP:port specificed, then setup masquerading in the POSTROUTING table (another option is to SNAT):

iptables -t nat -A PREROUTING -p tcp --destination-port 3306 -j DNAT --to-destination 10.x.x.x:3306
iptables -t nat -A POSTROUTING -j MASQUERADE

Note that this is not a perfect solution as the RDS instance internal IP address may change at some point. I tried to use the endpoint DNS name but IPTables would not accept that and the man page does indicate that an IP address must be used.

After that, be sure to allow access from the desired IP range on the security group that controls access to the ELB as well as the EC2 instances.






Leave a Reply

Your email address will not be published. Required fields are marked *