Accessing a private RDS instance

Gristoi
4 min read · Feb 11, 2021


In a previous article I wrote, https://gristoi.medium.com/deploy-an-ec2-with-a-separate-rds-instance-24a5b37cc698, I discussed how to move your database off the web server and host it in a private subnet to keep it away from those naughty sniffers. But the one fundamental question I did not answer was: how the hell do ‘I’ get to my database? Well, in this article I am going to briefly explain how this is achieved. There are various ways to do it, including setting up a VPN, but I’m going for the cost-effective approach of using a bastion server.

What is a bastion server?

Well, this is a good question, so let’s look at what we ended up with in the last article. Basically we now have our WordPress EC2 sitting in a public subnet, accessible from the internet, and our RDS in a private subnet accessible only to the EC2.

So what is a bastion server and where does it fit in? Well, a bastion server (sometimes referred to as a jump box) is nothing more than a hardened, empty EC2 instance that is locked down to the IP of a single source (your office IP, for example) using security groups, and secured with a stand-alone SSH key pair. It is used as a proxy from the internet, forwarding your request securely to the resource you need. In our case that is the RDS instance. So our extended setup will now look like this:

So we need to do 3 things:

  • Spin up a nano EC2 instance (or whatever your free tier allows)
  • Alter our RDS security group to allow access from our bastion security group
  • Set up our SQL editor. We will be using MySQL Workbench in this example.

Spin up a nano EC2 instance

This is the easy part. Launch a new EC2 nano / micro instance and accept all of the defaults until you get to the tags section. Add a tag called Name with the value bastion-server.

In the security group section, name the group bastion-server. It will already have one rule allowing port 22 access from everyone; change the source dropdown to ‘My IP’ so that only your current IP address can reach SSH.

Progress to the final page, where you are asked to create a key pair, and create a new key pair called bastion-server. This downloads a file to your PC called ‘bastion-server.pem’. Copy this file into your ~/.ssh directory, then launch your instance.

Alter the RDS security group to allow access from our bastion server

Next, head over to the EC2 dashboard and select ‘Security Groups’ from the left-hand menu. You should now see something similar to the screenshot below. Take note of the bastion-server security group id.

Now we go into our wordpress-rds security group and amend it, adding an inbound rule whose source is the bastion-server security group id we just noted. That brings our bastion server into the mix.

And that is it. We are good to go.

Set up our SQL editor

Let’s add a new connection in Workbench:

On the setup page we set the connection method to ‘Standard TCP/IP over SSH’.

The setup is split into 2 sections. The top half relates to the connection between you and the bastion server. The SSH hostname is either your EC2’s hostname or its public IP address (there is a small caveat to this that we will discuss later). The username is whatever the default username for your EC2 AMI is; as I used the Amazon Linux 2 AMI, it is ec2-user. There is no password because you are authenticating with the SSH key file, so select the bastion-server.pem you moved to your ~/.ssh folder.

The bottom section holds the login details for your RDS: the RDS endpoint URL, username and password.

Click on ‘Test Connection’.

Congratulations! You are now securely connected.
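The same three steps expressed as AWS CLI and ssh commands, as an added example that is not part of the original article (the author did everything through the console and Workbench). It assumes MySQL on port 3306, the Amazon Linux 2 user ec2-user, the key at ~/.ssh/bastion-server.pem, and placeholder security group ids and hostnames passed in as arguments; the describe-security-groups output it checks is a constructed sample. The ssh -L tunnel at the end is what Workbench builds for you behind ‘Standard TCP/IP over SSH’.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: lock the bastion's port 22 to one
# IP, let RDS accept only the bastion's security group, then tunnel through it.
# Assumptions: MySQL on 3306, user ec2-user, key ~/.ssh/bastion-server.pem,
# placeholder ids/hosts supplied as arguments. Nothing here calls AWS itself;
# the functions return the commands so they can be reviewed before running.
set -eu

# Step 1: only the caller's current public IP may reach the bastion on port 22.
# (curl -s https://checkip.amazonaws.com prints that IP; pass it in as $2.)
bastion_ssh_rule() {
  bastion_sg="$1"; my_ip="$2"
  printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32' \
    "$bastion_sg" "$my_ip"
}

# Step 2: RDS accepts 3306 only from members of the bastion security group.
# --source-group references the group, not an address, so the rule keeps working
# when the bastion is stopped and started with a new public IP.
rds_from_bastion_rule() {
  rds_sg="$1"; bastion_sg="$2"
  printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 3306 --source-group %s' \
    "$rds_sg" "$bastion_sg"
}

# Check: the describe-security-groups JSON for the RDS group must not contain a
# world-open ingress CIDR. Returns 0 (true) when the group is clean.
no_world_open_ingress() {
  ! printf '%s' "$1" | grep -q '0\.0\.0\.0/0'
}

# Step 3: the ssh equivalent of Workbench's "Standard TCP/IP over SSH".
# Connections to 127.0.0.1:LOCAL_PORT are carried through the bastion to the RDS
# endpoint. -N opens no shell; ExitOnForwardFailure makes ssh exit instead of
# leaving a session with no working forward.
tunnel_cmd() {
  bastion_host="$1"; rds_endpoint="$2"; local_port="${3:-3307}"
  printf 'ssh -i ~/.ssh/bastion-server.pem -o ExitOnForwardFailure=yes -N -L %s:%s:3306 ec2-user@%s' \
    "$local_port" "$rds_endpoint" "$bastion_host"
}

# Constructed samples of `aws ec2 describe-security-groups --group-ids sg-...`
# output (placeholder ids): one still open to the world, one using the bastion group.
SAMPLE_OPEN_SG='{"SecurityGroups":[{"GroupId":"sg-0123placeholder","IpPermissions":[{"FromPort":3306,"ToPort":3306,"IpProtocol":"tcp","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]}]}'
SAMPLE_CLEAN_SG='{"SecurityGroups":[{"GroupId":"sg-0123placeholder","IpPermissions":[{"FromPort":3306,"ToPort":3306,"IpProtocol":"tcp","UserIdGroupPairs":[{"GroupId":"sg-0456placeholder"}]}]}]}'

# Print the commands for review; nothing is executed against AWS.
if [ "${1:-}" = "--show" ]; then
  bastion_ssh_rule sg-0456placeholder 203.0.113.10; echo
  rds_from_bastion_rule sg-0123placeholder sg-0456placeholder; echo
  tunnel_cmd 198.51.100.20 wordpress-rds.placeholder.rds.amazonaws.com 3307; echo
  no_world_open_ingress "$SAMPLE_OPEN_SG" || echo "RDS group still open to 0.0.0.0/0: revoke that rule"
fi
```

Run it with `--show` to print the commands, then run them yourself. Once the tunnel is up, point Workbench (or `mysql -h 127.0.0.1 -P 3307 -u <rds-user> -p`) at the local port rather than at the RDS endpoint; the endpoint is only reachable from inside the VPC, which is the whole point.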

Caveats

So, as I discussed earlier, there are a couple of small things you need to take on board.

  • Make sure you stop the bastion instance when you don’t need it, both for cost and for security. It takes 2 seconds to spin back up.
  • If you do get into the habit of stopping and starting it, I would advise attaching an Elastic IP to the instance. This ensures that no matter how often it stops and starts, it always keeps the same public IP address.

Thanks, enjoy!
