Connecting to a Private RDS Instance via an EC2 Proxy

Context
To enhance security, RDS instances are typically placed in a private subnet within a VPC, making them inaccessible from outside the VPC.
In a dev/test environment this can pose a challenge when you need to connect to the database from your local machine to test your application.
About this solution
This solution provides a way to set up a proxy that forwards traffic from your client to the private RDS instance using an EC2 proxy instance.
- You will set up an EC2 instance in a public subnet so that it can receive requests from developers.
- The EC2 instance forwards that traffic to the RDS instance in the private subnet.
Architecture Overview
Setup
1. Create EC2 Instance
Create an EC2 instance with the following settings:
- AMI: Amazon Linux 2 Kernel 5.10
- Instance type: t2.micro
- Key pair: proceed without a key pair
- Network
  - VPC: choose the same VPC that your RDS instance uses
  - Subnet: choose a public subnet
  - Security Group: allow all inbound traffic
Then click Launch instance to create the proxy server.
2. Collect RDS instance information
To forward traffic to the RDS instance, you need to know:
- DB Endpoint: example.XXXXXXXXXXXX.ap-southeast-1.rds.amazonaws.com
- DB Port: 3306 or 5432, ... depending on your database engine
3. Config Firewall
- For the proxy server security group:
  - Inbound: allow Anywhere-IPv4 (MYSQL/Aurora, PostgreSQL, ... depending on your database engine) on the database port (3306, 5432, ... depending on your database engine)
  - Outbound: the security group of the RDS instance.
- For the security group of the database instance:
  - Inbound: add an additional rule to allow traffic from the security group of the proxy server. Don't remove any existing rule.
  - Outbound: add an additional rule to allow traffic to the security group of the proxy server. Don't remove any existing rule.
4. Setup Proxy
SSH to the EC2 instance and run the following command:
yum install haproxy -y
Replace the content of /etc/haproxy/haproxy.cfg with the following values:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 660 level admin
    user haproxy
    group haproxy
    daemon
defaults
    log global
    option dontlognull
    # tcplog rather than httplog: both proxies below run in mode tcp
    option tcplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
frontend mysql_front
    bind *:<DB_PORT>
    mode tcp
    default_backend mysql_back
backend mysql_back
    mode tcp
    server db_server <RDS_ENDPOINT>:<DB_PORT> check
Replace the placeholders with the values collected in step 2:
- <RDS_ENDPOINT>: RDS Endpoint
- <DB_PORT>: Database port
5. Test Connection
Now you can connect to the RDS instance in the private subnet by replacing the RDS endpoint in your client's connection settings with the public IP of the EC2 proxy server, keeping the same database port.
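The following script is an added example, not part of the original post: it scripts steps 4 and 5 with functions of my own naming (render_haproxy_cfg, deploy_proxy, probe_proxy), rendering the HAProxy configuration for a given RDS endpoint and port, syntax-checking it with haproxy -c before the service is enabled, and probing the proxy from the developer machine with a plain TCP connect.

```shell
# Added example, not from the original post: scripts steps 4 and 5.
# Function names and the argument layout are this example's own choices.
set -eu

# Emit haproxy.cfg for a TCP pass-through. $1 = RDS endpoint, $2 = DB port.
render_haproxy_cfg() {
    local endpoint="$1" port="$2"
    cat <<EOF
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 660 level admin
    user haproxy
    group haproxy
    daemon
defaults
    log global
    option dontlognull
    option tcplog
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
frontend db_front
    bind *:${port}
    mode tcp
    default_backend db_back
backend db_back
    mode tcp
    server db_server ${endpoint}:${port} check
EOF
}

# Run as root on the EC2 proxy: install HAProxy, write the rendered config,
# syntax-check it with haproxy -c so a typo is caught before the service
# starts, then enable and start the service. $1 = RDS endpoint, $2 = DB port.
deploy_proxy() {
    yum install haproxy -y
    render_haproxy_cfg "$1" "$2" > /etc/haproxy/haproxy.cfg
    haproxy -c -f /etc/haproxy/haproxy.cfg
    systemctl enable --now haproxy
}

# Step 5 from the developer machine: $1 = proxy public IP, $2 = DB port.
# Returns 0 if the proxy accepts a TCP connection within 5 seconds.
probe_proxy() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2"
}
```

Run deploy_proxy on the instance with the step 2 values, then probe_proxy from your workstation; a non-zero exit from the probe usually means the proxy security group's inbound rule or the HAProxy bind port does not match the database port.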
6. Cleanup Resources
- Delete the EC2 proxy server when you no longer need it, to reduce cost.
Disclaimer
This solution is intended for dev/test environments. For production workloads, manage the firewall rules carefully to keep the connection secure.