To reach an RDS instance that has no public endpoint, you connect over SSH to a publicly reachable EC2 instance in the same VPC (a "jump box" or bastion) and have SSH forward a local port through that connection to the database. The leg from your machine to the jump box is encrypted by SSH; the leg from the jump box to RDS is ordinary database traffic inside the VPC, so turn on TLS for the database connection itself if that hop matters to you.
Key steps involved:
Set up a publicly accessible EC2 instance:
Launch an EC2 instance in a public subnet of your VPC (one whose route table points at an internet gateway) with a public IP address.
In its security group, allow inbound TCP port 22 only from your own IP address or your office/VPN range, not from 0.0.0.0/0.
Configure the private database:
Keep the RDS instance in a private subnet with "Publicly accessible" set to No. Its security group should allow inbound traffic on the database port (3306 for MySQL/MariaDB, 5432 for PostgreSQL) from the jump box's security group ID rather than from an IP range, so the rule keeps working if the jump box's address changes.
Establish the SSH tunnel:
Command format: ssh -L <local_port>:<private_database_host>:<private_database_port> user@public_ec2_instance_ip
Explanation:
-L: create a local port forward. Connections to the local port are carried over the SSH session and the SSH server (the jump box) opens the onward connection to the target host and port.
<local_port>: the port on your local machine that your database client will connect to.
<private_database_host>: the RDS endpoint hostname shown in the RDS console (or the instance's private IP). This name is resolved by the jump box, not by your machine, so it only has to resolve inside the VPC. Prefer the hostname: the IP behind an RDS endpoint can change on failover or maintenance.
<private_database_port>: the port the database listens on (3306 for MySQL/MariaDB, 5432 for PostgreSQL).
user@public_ec2_instance_ip: the SSH user for the jump box's AMI (ec2-user on Amazon Linux, ubuntu on Ubuntu) and the jump box's public IP address or public DNS name.
Code:
ssh -L 33060:my-private-db.mydb.amazonaws.com:3306 ec2-user@54.230.123.45
Important considerations:
Security:
Use key-based SSH authentication only (set PasswordAuthentication no in the jump box's sshd_config), keep the private key on your workstation, and keep the security group restricted to your source IP. Adding -N to the ssh command opens the forward without a remote shell, and -o ExitOnForwardFailure=yes makes ssh fail loudly instead of silently giving you a session with no forward when the local port is already in use.
Log and monitor SSH logins on the jump box (sshd writes to /var/log/secure on Amazon Linux and /var/log/auth.log on Ubuntu; ship them to CloudWatch Logs if you want alerts) and watch for logins from unexpected sources or at unexpected times.
Database access:
Once the tunnel is up, point your database client at the local end of the forward (127.0.0.1 port 33060 in the example above), using your normal database username and password. With the MySQL command-line client use 127.0.0.1 rather than localhost: it treats "localhost" as a request for the local Unix socket and would bypass the tunnel entirely.