Connecting to Amazon RDS instance through EC2 instance using MySQL Workbench

囚心锁ツ 2020-12-07 22:45

In AWS I have a VPC set up with a Bastion Host. The bastion host is a single EC2 instance with a public address through which you can SSH to any other server on the VPC.

7 answers
  • 2020-12-07 23:29

    If you want to truly use the VPC connectivity of AWS and not allow public IPs do the following.

    If you have one security group that both your EC2 and RDS are assigned to, then add an inbound rule for MySQL 3306 on TCP, but in the source field do not put an IP or subnet but the actual security group ID, i.e. sg-9829f3d2.

    I personally have two security groups on VPC.

    The first, security group 1, is in use by the EC2 instance and only allows the ports required for the EC2, i.e. 80 and 22.

    The second, security group 2 is in use by just the RDS instance(s) and has one rule for allowing mysql (3302) and the source field is set to the id of security group 1.

    All the MySQL Workbench SSH tunnelling works with the two security groups as well.

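Added example (not part of any answer on this page): a check for the rule the answer above recommends, run over security-group data in the shape that `aws ec2 describe-security-groups` returns. The group IDs, the CIDR and the function names `covers_mysql` and `audit_mysql_ingress` are constructed for illustration; the check reports every inbound source that can reach port 3306 and marks CIDR sources, including "All traffic" rules.

```python
import ipaddress

MYSQL_PORT = 3306

# Constructed sample (made-up IDs/CIDRs) shaped like describe-security-groups output.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-22222222",  # the RDS group ("security group 2")
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-11111111"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",  # "All traffic": no port fields present
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}]}


def covers_mysql(perm):
    """True if an inbound rule applies to TCP 3306 ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= MYSQL_PORT <= perm["ToPort"]


def audit_mysql_ingress(group):
    """Return (source, verdict) for each inbound source that can reach 3306."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_mysql(perm):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append((pair["GroupId"], "ok: security-group source"))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            open_all = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            findings.append((cidr, "open to internet" if open_all
                             else "review: CIDR source"))
    return findings


if __name__ == "__main__":
    for source, verdict in audit_mysql_ingress(SAMPLE["SecurityGroups"][0]):
        print(f"{source:<14} {verdict}")
```

To run it against a real group, load the JSON output of `aws ec2 describe-security-groups` and pass each entry of `SecurityGroups` to `audit_mysql_ingress`.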
  • 2020-12-07 23:30

    This is for Ubuntu MySQL Workbench.

    You must add an inbound rule to the security group linked with the RDS to accept requests on port 3306 from the bastion/jump/any instance (machine). The machine should have a public IP associated with it.

    Do confirm on your machine whether you can connect with the RDS or not first, before trying to set up the SSH tunnel through MySQL Workbench.

    To test connectivity run:

    mysql -u{username} -p{password} -h ***-db-***.cmmaberpdqoc.***.rds.amazonaws.com -P 3306
    

    Replace {username}, {password} and host with your credentials.

    Follow the picture and you should be able to connect.

  • Since you are using a VPC, this is how it should be configured in order to accept connections from your sub-net only:

    1. select VPC Security Group used by your db instance
    2. add a new rule to allow all ips from your private sub-net on port 3306

      ex: Rule INBOUND 3306 (MYSQL) 172.33.11.0/24

    3. use MySQL Workbench TCP/SSH and it will work (follow AndrewSmiley's answer).

  • 2020-12-07 23:36

    You can create an SSH tunnel into your Bastion host (EC2 instance) to forward ports from your local machine to the remote RDS instance.

    On Mac/Linux this is the command (for Windows, follow the instructions in the link below):

    ssh -L 3306:myinstance.123456789012.us-east-1.rds.amazonaws.com:3306  your_c2_ip
    

    then you can connect with workbench using the following settings:

    • connection method: standard TCP

    • hostname: localhost

    • port 3306

    This post explains the method in more detail: https://userify.com/blog/howto-connect-mysql-ec2-ssh-tunnel-rds/

  • 2020-12-07 23:36

    This is what solved the issue for me. On the RDS dashboard have a look at the security group for your instance. Click on this and it would take you to the security group page.

    Although it would say "All traffic" for both Inbound and Outbound, click edit and ensure the source says My IP. I would not recommend using all IPs as this would open it to anyone on the internet. If you do not have a static IP then ensure that you refresh this field once the connection stops working.

    After this I was able to connect to the AWS RDS T2 instances.

  • 2020-12-07 23:41

    I recommend using SSH tunneling:

    1. Create a PuTTY session to the bastion host
    2. Under Connection --> SSH --> Tunnels, specify the Source port: 3306, Destination: yourRDSendpointname:3306
    3. Don't forget to click add!
    4. Connect to the bastion host with those settings
    5. Add a new connection in MySQL workbench and point it to your localhost port 3306 (assuming you aren't running anything on 3306 on your local client machine)
    6. Put in your username and password for your RDS instance