Connect to AWS RDS (Private Endpoint) from local MySQL Workbench

VerticalServe Blogs
3 min read · Aug 13, 2024


Connecting to an AWS RDS database without a public IP from your computer’s MySQL Workbench can be achieved using an SSH tunnel. This method allows you to securely connect to your RDS instance through a bastion host or an EC2 instance that has access to the RDS database. This blog post will guide you through setting up an SSH tunnel and configuring MySQL Workbench to connect to your RDS instance.

Prerequisites

  1. AWS RDS Instance: Ensure you have an RDS instance running in a private subnet.
  2. Bastion Host/EC2 Instance: Set up an EC2 instance in a public subnet with SSH access to act as a bastion host.
  3. MySQL Workbench: Install MySQL Workbench on your local machine.

Step-by-Step Guide

1. Set Up the Bastion Host

  • Launch an EC2 Instance: Create an EC2 instance in a public subnet of the same VPC as your RDS instance. Ensure it has SSH access (port 22) from your local machine’s IP address.
  • Security Groups: Configure the security group of your RDS instance to allow inbound MySQL traffic (port 3306) from the EC2 instance’s private IP.
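
The two ingress rules above (SSH to the bastion only from your own IP, MySQL to RDS only from the bastion) can be checked against the output of `aws ec2 describe-security-groups`. The following Python check is an added example, not part of the original post; the group IDs, the addresses, the function names and the embedded sample are constructed, and it assumes an IPv4 admin address.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group IDs and addresses are placeholders, not values from the post.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-bastion", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-rds", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
   "IpRanges": [{"CidrIp": "10.0.1.25/32"}, {"CidrIp": "10.0.0.0/16"}],
   "UserIdGroupPairs": []}]}
]}
""")

def covers(perm, port):
    """True if an ingress rule applies to the given TCP port."""
    if perm["IpProtocol"] == "-1":  # all protocols and ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit(groups, bastion_sg, rds_sg, admin_ip, bastion_private_ip):
    """Return (group, port, source) for each source wider than the guide's rules."""
    allowed = {(bastion_sg, 22): ipaddress.ip_network(f"{admin_ip}/32"),
               (rds_sg, 3306): ipaddress.ip_network(f"{bastion_private_ip}/32")}
    findings = []
    for sg in groups["SecurityGroups"]:
        for (gid, port), expected in allowed.items():
            if sg["GroupId"] != gid:
                continue
            for perm in (p for p in sg["IpPermissions"] if covers(p, port)):
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    if ipaddress.ip_network(cidr, strict=False) != expected:
                        findings.append((gid, port, cidr))
                for pair in perm.get("UserIdGroupPairs", []):
                    # Assumption: RDS ingress that references the bastion's
                    # group is as narrow as its private IP.
                    if not (gid == rds_sg and pair["GroupId"] == bastion_sg):
                        findings.append((gid, port, pair["GroupId"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "sg-bastion", "sg-rds", "203.0.113.7", "10.0.1.25"):
        print("wider than intended:", finding)
```

On the constructed sample it reports the bastion's SSH rule open to 0.0.0.0/0 and the RDS rule open to the whole 10.0.0.0/16 range, while the /32 entry for the bastion's private IP passes.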

2. Configure SSH Tunnel

  • SSH Key: Ensure you have the PEM file for the EC2 instance. Set the correct permissions using:
chmod 400 path/to/your-key.pem

  • SSH Config File: Edit or create the SSH config file at ~/.ssh/config and add the following configuration:

Host bastion
    HostName your-bastion-public-ip
    # ec2-user or ubuntu, depending on your AMI
    User ec2-user
    IdentityFile path/to/your-key.pem

Host rds-tunnel
    HostName your-rds-endpoint
    User ec2-user
    # Relay the connection for this host through the bastion entry above
    ProxyCommand ssh -W %h:%p bastion

  • Host bastion: Configuration for connecting to the bastion host.
  • Host rds-tunnel: Configuration for tunneling through the bastion host to the RDS instance.

3. Set Up MySQL Workbench

  • Open MySQL Workbench: Launch MySQL Workbench on your local machine.
  • Create a New Connection:
      • Go to Database > Manage Connections.
      • Click New to create a new connection.
  • Connection Settings:
      • Connection Name: Enter a name for your connection.
      • Connection Method: Select “Standard TCP/IP over SSH”.
      • SSH Hostname: Enter bastion (as configured in your SSH config file).
      • SSH Username: Enter ec2-user or ubuntu.
      • SSH Key File: Browse to your PEM file.
      • MySQL Hostname: Enter rds-tunnel (as configured in your SSH config file).
      • MySQL Server Port: Enter 3306.
      • Username: Enter the master username of your RDS instance.
      • Password: Enter the password for your RDS instance.
  • Test Connection: Click Test Connection to ensure everything is set up correctly.

4. Troubleshooting

  • Security Group Rules: Ensure the security group rules for both the EC2 instance and RDS instance are correctly configured to allow necessary traffic.
  • SSH Key Permissions: Ensure the PEM file has the correct permissions (chmod 400).
  • Firewall and Network: Verify that your local firewall or network settings allow outbound SSH connections.

Conclusion

By setting up an SSH tunnel through a bastion host, you can securely connect to your AWS RDS instance without exposing it to the public internet. This method enhances security while allowing you to manage your database using MySQL Workbench. This setup is particularly useful for environments where direct public access to the database is not permitted.
