Securely connecting external tools to your RDS database (via TCP/IP)

Tom Gardiner
Mar 1, 2019

You often want to connect external tools, like Postico, MySQLWorkbench and Trevor.io (disclaimer: I work here), to your Amazon RDS database.

There are two common methods for doing this:

  1. Connecting directly to the database (via TCP/IP), which is explained below.
  2. Connecting indirectly via a bastion host (TCP/IP over SSH).

Connecting directly to the database (via TCP/IP)

Connecting directly to the database means connecting directly to the server instance on which your database is running.

The first thing you need to check is that your database has Public accessibility set to Yes (see image below, taken from the “Connectivity and security” section of my RDS instance in the AWS console).

Without this, the database will not be assigned a publicly accessible IP address and thus will only be visible inside your Amazon VPC (so you’ll need to use SSH instead).

You will then need to provide your external tool with the following values:

  • Database host (see “Endpoint” in the screenshot from AWS console above).
  • Database port (also shown in the image above — usually 5432 for Postgres, 3306 for MySQL and 5439 for Redshift).
  • Database username (the username for the database user you want to connect with).
  • Database password (the password for the database user you want to connect with).
  • Database name (the name of the database that you want to connect to).

The final thing you need to do is add Inbound rules to the VPC Security Group your database is connected to. There is a link directly to this Security Group in the AWS console (see “VPC security groups” in the image below).

The inbound rules specify which IP addresses are allowed to connect to which ports. You therefore want to allow a connection to the correct port for your database (usually 5432 for Postgres, 3306 for MySQL and 5439 for Redshift).

In the image above, for example, we are saying that any IP address can connect to port 5432 (the PostgreSQL database port). The source 0.0.0.0/0 is the CIDR block that matches every IPv4 address, so it acts like a wildcard meaning connections from anywhere.

Alternatively, you may wish to be more specific by restricting access to particular IP addresses (e.g. your office IP address).

Here we have specified that connections from Trevor.io’s static IP addresses (34.192.31.89 and 34.192.37.108) are the only IP addresses that can connect to port 5432 via TCP.
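To check a Security Group against the two configurations described above, the following added example (not part of the original article) audits inbound rules for database ports reachable from overly broad sources. It assumes the rules are in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the function names, the `max_hosts` threshold and the sample rules are constructed for illustration.

```python
import ipaddress

# Default ports named in the article: Postgres, MySQL, Redshift.
DB_PORTS = {5432: "PostgreSQL", 3306: "MySQL", 5439: "Redshift"}

def covers(rule, port):
    """True if an inbound rule admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit(ip_permissions, max_hosts=16):
    """Return (port, cidr, reason) findings for broad sources on DB ports."""
    findings = []
    for rule in ip_permissions:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for port in DB_PORTS:
            if not covers(rule, port):
                continue
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    findings.append((port, cidr, "open to any address"))
                elif net.num_addresses > max_hosts:
                    findings.append((port, cidr, "broad range"))
    return findings

# Constructed sample data (not from a real account), mirroring the two
# configurations in the article: open to anywhere vs. two static addresses.
OPEN_RULES = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
RESTRICTED_RULES = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                     "IpRanges": [{"CidrIp": "34.192.31.89/32"},
                                  {"CidrIp": "34.192.37.108/32"}]}]
# Edge cases: a port range that happens to include 3306, and an all-traffic rule.
RANGE_RULES = [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
                "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
               {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]

if __name__ == "__main__":
    for name, rules in [("open", OPEN_RULES), ("restricted", RESTRICTED_RULES),
                        ("range", RANGE_RULES)]:
        print(name, audit(rules))
```

The range and all-traffic cases matter because a rule never has to mention 5432 or 3306 explicitly to expose them, and an IPv6 `::/0` source is as open as `0.0.0.0/0`.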

Success

And that is it. You have now set up secure access to your RDS database instance. You can now connect directly to your database from your office or cloud services.

Why not try it out by connecting from one of these wonderful database tools:

If this article was helpful to you, please clap and share.


Tom Gardiner

Founder @ Trevor.io. Formerly Co-founder and CTO @ RefME. Background in High Performance Computing and Artificial Intelligence.