Introduction
Amazon RDS (Relational Database Service) is a managed database service that simplifies database operations such as setup, scaling, and maintenance. If your Amazon RDS instance is in a private subnet and not directly accessible from the public internet, you can connect to it securely using an SSH tunnel. This guide will walk you through the steps to set up an SSH tunnel and connect to your Amazon RDS database using PGAdmin.
Prerequisites
1. Amazon RDS Instance: Ensure you have an Amazon RDS PostgreSQL instance set up in your AWS account.
2. Bastion Host (Jump Server): A bastion host is needed to bridge your private subnet.
3. SSH Client: Ensure you have an SSH client installed (e.g., OpenSSH).
4. PGAdmin Installed: Download and install PGAdmin if you haven’t already.
5. Permissions: Ensure your AWS IAM user or role has permission to connect to the bastion host and access the Amazon RDS instance.
Step-by-Step Guide
Step 1: Configure Security Groups
1. Bastion Host Security Group:
– Allow SSH (port 22) access from your local machine’s IP address.
2. Amazon RDS Security Group:
– Ensure the security group associated with the Amazon RDS instance allows inbound connections on port 5432 (PostgreSQL default port) from the bastion host.
Step 2: Identify Connection Details
– Bastion Host: Note the public IP address or DNS of your bastion host.
– Amazon RDS Endpoint: Obtain the endpoint from the Amazon RDS console.
– Private Key File: Locate the private key file for your bastion host.
Step 3: Set Up an SSH Tunnel
An SSH tunnel forwards traffic from a local port on your machine to the Amazon RDS instance via the bastion host. Use the following command to create the tunnel:
ssh -i /path/to/private-key.pem -N -L 5433:<rds-endpoint>:5432 ec2-user@<bastion-host-public-ip>
– Replace /path/to/private-key.pem with the path to your private key.
– Replace <rds-endpoint> with your Amazon RDS endpoint hostname (e.g., mydb.abcdefgh123.us-east-1.rds.amazonaws.com).
– Replace <bastion-host-public-ip> with the bastion host’s public IP or DNS.
– The 5433 is the local port on your machine; you can use a different local port if needed.
Keep this terminal open while using the tunnel.
Step 4: Configure PGAdmin
1. Open PGAdmin: Launch PGAdmin on your local machine.
2. Create a New Server:
– In PGAdmin, right-click on “Servers” in the navigation pane and select “Create” > “Server”.
3. General Tab:
– Enter a name for your server (e.g., “RDS Tunnel”).
4. Connection Tab:
– Hostname/Address: Enter localhost.
– Port: Enter 5433 (the local port you used in the SSH command).
– Maintenance Database: Enter the name of your database (e.g., postgres by default).
– Username: Enter your database username.
– Password: Enter your database password.
5. Save Settings:
– Click “Save” to connect to the database.
Step 5: Test the Connection
– Once configured, PGAdmin will attempt to connect to the database through the SSH tunnel. If everything is set up correctly, you can manage your Amazon RDS PostgreSQL instance through PGAdmin.
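The Step 3 command wrapped in preflight checks, as an added example that is not part of the original guide. It rejects a private key that group or others can access (OpenSSH refuses such keys), rejects an endpoint carrying a scheme or port, and binds the forward to 127.0.0.1 regardless of the client's GatewayPorts setting. The function names and the 1024-65535 local-port range are assumptions made for the example.

```shell
#!/bin/sh
# Added example: preflight checks around the Step 3 tunnel command.
# Usage (script name is hypothetical):
#   sh rds-tunnel.sh /path/to/private-key.pem <rds-endpoint> <bastion-host-public-ip> [local-port]

# OpenSSH refuses a private key whose mode grants anything to group or others.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# The -L target must be a bare hostname: no scheme, no port, no path.
valid_endpoint() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Unprivileged users can only bind local ports 1024 and above.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# forward_spec <rds-endpoint> [local-port]
# Prints the -L argument with an explicit loopback bind address.
forward_spec() {
    fs_port="${2:-5433}"
    valid_endpoint "$1" && valid_port "$fs_port" || return 1
    printf '127.0.0.1:%s:%s:5432\n' "$fs_port" "$1"
}

# open_tunnel <key> <rds-endpoint> <bastion> [local-port]
open_tunnel() {
    key_perms_ok "$1" || { echo "key missing or too open; run: chmod 400 $1" >&2; return 1; }
    ot_spec="$(forward_spec "$2" "${4:-5433}")" || { echo "bad endpoint or port" >&2; return 1; }
    # IdentitiesOnly: offer only this key. ExitOnForwardFailure: exit if the
    # local port cannot be bound. ServerAliveInterval: detect a dead tunnel.
    ssh -i "$1" -N \
        -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -L "$ot_spec" "ec2-user@$3"
}

# Only open the tunnel when called with key, endpoint and bastion arguments.
if [ "$#" -ge 3 ]; then open_tunnel "$@"; fi
```
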
Troubleshooting Tips
– SSH Tunnel Not Working: Ensure the bastion host’s security group allows SSH access and that you use the correct private key and username.
– Connection Refused in PGAdmin: Verify that the local port matches the one specified in the SSH command.
– Network Configuration: Ensure the Amazon RDS security group allows connections from the bastion host.
– Database Credentials: Double-check your Amazon RDS username and password.
Conclusion
By following this guide, you can establish the connection and leverage PGAdmin’s features to interact with your database seamlessly.
FAQs
1. What is an SSH tunnel, and why is it needed?
ANS: – An SSH tunnel securely forwards traffic from your local machine to a remote server through an intermediate server (bastion host). It is needed when your Amazon RDS instance is in a private subnet and cannot be accessed directly from the internet.
2. What if my Bastion host uses a different username?
ANS: – Replace ec2-user in the SSH command with the appropriate username for your bastion host.

WRITTEN BY Rajveer Singh Chouhan
Rajveer Singh Chouhan works as a Research Associate at CloudThat. He has been learning and gaining practical experience in AWS and Azure. Rajveer is also passionate about continuously expanding his skill set and knowledge base by actively seeking opportunities to learn new skills. Rajveer regularly reads blogs and articles related to various programming languages, technologies, and industry trends to stay up to date with the latest developments in the field.