[Update added] My impressions of connecting to RDS using EC2 Instance Connect Endpoint
This is Onikai (@fat47) from the Service Reliability Group (SRG) of the Technology Division.
The Service Reliability Group (SRG) primarily provides comprehensive infrastructure support for our media services, focusing on improving existing services, launching new ones, and contributing to open-source software (OSS).
This article is part of the database-related materials that the SRG DB Working Group (DBWG) publishes for the entire company.
I hope this is of some help.
[Updated 6/28] It is no longer possible to connect to ports other than SSH and RDP.
It seems this wasn't the intended use case for AWS. Connections to ports other than TCP 22 and TCP 3389 currently fail with an error, so the method described below no longer works.
That's a shame.
Introduction
The EC2 Instance Connect Endpoint, which allows connections to environments without public IP addresses, has been a hot topic recently.
This is a record of my experience trying out the method described in this article by Classmethod.
The EC2 Instance Connect Endpoint itself is explained in detail in this AWS official blog post.
The process of connecting to Aurora from your local environment.
Create the necessary security groups
Create the following two security groups:
- A security group for the VPC endpoint that allows outbound TCP 3306

- A security group for the Aurora instance that allows inbound TCP 3306 from the VPC endpoint's security group

Creating a VPC endpoint
Click [VPC] → [Endpoints] → [Create endpoint].
Enter a suitable name in the Name tag field and select EC2 Instance Connect Endpoint in the Service Category.
For the security group, select the security group for the VPC endpoint that you just created.
Create an endpoint by specifying the VPC and subnet.

Assign a security group to Aurora
If you already have an Aurora cluster running, assign the Aurora security group you just created to it.
Select the RDS instance → Change

Build a tunnel
We will use the `aws ec2-instance-connect open-tunnel` command to establish a tunnel.
You can find the Aurora instance's private IP address by resolving the Aurora endpoint you want to connect to with nslookup or a similar tool.
Trying to run Aurora from a local environment
It connected!
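As an added example (not code from the original post), here is a shell script that wraps the steps above: it resolves the Aurora endpoint to its private IP, checks the requested duration against the one-hour ceiling, opens the tunnel with `aws ec2-instance-connect open-tunnel`, and connects through it with mysql. The endpoint id, Aurora hostname and DB user are placeholders; per the 6/28 update the tunnel now only accepts ports 22 and 3389, so this reflects the method as it worked when the post was written.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: open an EC2 Instance Connect
# Endpoint tunnel to an Aurora endpoint and query it over the local port.
# Placeholders (assumed values): EICE_ID, AURORA_HOST, DB_USER.
set -eu

EICE_ID="${EICE_ID:-eice-0123456789abcdef0}"                                   # placeholder endpoint id
AURORA_HOST="${AURORA_HOST:-mycluster.cluster-abc123.ap-northeast-1.rds.amazonaws.com}"  # placeholder
LOCAL_PORT="${LOCAL_PORT:-13306}"   # local listener; pick an unused port
REMOTE_PORT=3306                    # MySQL/Aurora port allowed in the security groups
MAX_DURATION=3600                   # service ceiling: one hour, cannot be raised

# The CLI wants the instance's private IP, not a hostname, so resolve the
# cluster/instance endpoint first (nslookup/dig give the same answer).
aurora_private_ip() {
  getent hosts "$1" | awk '{ print $1; exit }'
}

# Accept only an integer in 1..3600; anything larger is rejected up front
# instead of being silently cut off by the service after an hour.
validate_duration() {
  d="$1"
  case "$d" in ''|*[!0-9]*) return 1 ;; esac
  [ "$d" -ge 1 ] && [ "$d" -le "$MAX_DURATION" ] || return 1
  printf '%s\n' "$d"
}

# One-line argument list for the tunnel, reused for logging and for the real call.
tunnel_args() {
  printf '%s\n' "ec2-instance-connect open-tunnel --instance-connect-endpoint-id $EICE_ID --private-ip-address $1 --remote-port $REMOTE_PORT --local-port $LOCAL_PORT --max-tunnel-duration $2"
}

main() {
  ip="$(aurora_private_ip "$AURORA_HOST")"
  dur="$(validate_duration "${1:-$MAX_DURATION}")" || { echo "duration must be 1..$MAX_DURATION s" >&2; exit 1; }
  # Reuse the reviewed argument list; no word contains spaces, so splitting is safe.
  set -- $(tunnel_args "$ip" "$dur")
  echo "+ aws $*" >&2
  aws "$@" &            # tunnel in the background, torn down when this script exits
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT
  sleep 2               # give the local listener a moment to come up
  mysql -h 127.0.0.1 -P "$LOCAL_PORT" -u "${DB_USER:-admin}" -p -e 'SELECT @@aurora_version;'
}

# Only start the tunnel when explicitly asked, so the file can also be sourced.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then main "$@"; fi
```

Run it as `RUN_TUNNEL=1 bash tunnel.sh 1800` to request a 30-minute tunnel; the mysql session is cut off when the tunnel duration elapses, as described below.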
Impressions
The maximum session time is 1 hour (3600 seconds) and cannot be extended beyond that.
The `--max-tunnel-duration` option caps the session at 3600 seconds, so if you connect to RDS and submit a heavy query that runs for more than an hour, the connection will be terminated partway through.
With Session Manager, you can extend it up to a maximum of 24 hours.
Vulnerable to AZ failure
As mentioned in other blog posts, currently only one VPC endpoint can be created per VPC. There also doesn't seem to be any way to request an increase in this limit at the moment.
Therefore, if the Availability Zone (AZ) in which the endpoint was created fails, you may lose connectivity.
You can also perform database operations from GitHub Actions.
Because it can reach RDS (Aurora) in a private subnet, you can, for example, authenticate to AWS from GitHub Actions using OIDC or an access key and then connect to and operate on a database in a private subnet.
In conclusion
The ability to connect to RDS and other services without needing an EC2 jump host was a welcome update.
I would like to sort out the key points of the traditional jump host setup, Session Manager, and EC2 Instance Connect Endpoint so that we can choose the best method for each case.
SRG is looking for new team members.
If you are interested, please contact us here.
