[Additional Note] My impressions after connecting to RDS using EC2 Instance Connect Endpoint

This is Oniumi (@fat47) from the Service Reliability Group (SRG) of the Technology Headquarters.
SRG (Service Reliability Group) mainly provides cross-sectional support for the infrastructure of our media services: improving existing services, launching new ones, contributing to OSS, and so on.
This article publishes material about databases that SRG's DB Working Group (DBWG) provides to the whole company.
I hope this helps in some way.

[6/28 Update] Ports other than SSH and RDP can no longer be connected to

This is probably not the usage that AWS had in mind. Currently, an error occurs when using ports other than TCP 22 and TCP 3389, so the method below no longer works.
I'm sorry.

Introduction


EC2 Instance Connect Endpoint, which allows you to connect to environments that do not have public IP addresses, has been a hot topic recently.
 
This is a record of actually trying out the method from this Classmethod article.
 
The EC2 Instance Connect Endpoint itself is explained in detail in this official AWS blog post.

How to connect to Aurora from your local environment


Create the necessary security groups

Create the following two security groups:
  • SG for the VPC endpoint that allows outbound 3306
  • SG for the Aurora instance that allows inbound 3306 from the VPC endpoint

Creating a VPC Endpoint

Click [VPC] → [Endpoints] → [Create Endpoint].
Enter a suitable name in the Name tag, and under Service category select EC2 Instance Connect Endpoint.
For the security group, select the VPC endpoint security group you just created.
Specify the VPC and subnet and create the endpoint.

Add a security group to Aurora

If you already have an Aurora cluster running, attach the Aurora security group you just created to it.
Select the RDS instance → [Modify]
 

Build a tunnel

Create the tunnel with the aws ec2-instance-connect open-tunnel command.
 
You can find Aurora's private IP address by running nslookup against the Aurora endpoint you want to connect to.
 

Try hitting Aurora from your local environment

We're connected!
 
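The whole procedure above as one script, added here as an example and not taken from the original post: resolve the Aurora endpoint to its private IP, refuse a tunnel duration outside the 1..3600-second range the CLI accepts, open the tunnel on a local port, and connect with the mysql client through it. The endpoint ID, hostname, user and database name are placeholders, and AWS CLI v2 with getent (Linux) is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): EC2 Instance Connect Endpoint tunnel
# to an Aurora MySQL endpoint, then a mysql session through 127.0.0.1:LOCAL_PORT.
# Placeholders (assumptions): EICE_ID, AURORA_HOST, DB_USER, DB_NAME. Requires AWS CLI v2.
set -eu

EICE_ID="${EICE_ID:-eice-0123456789abcdef0}"        # placeholder endpoint ID
AURORA_HOST="${AURORA_HOST:-mycluster.cluster-xxxx.ap-northeast-1.rds.amazonaws.com}"  # placeholder
DB_USER="${DB_USER:-admin}"
DB_NAME="${DB_NAME:-mydb}"
LOCAL_PORT="${LOCAL_PORT:-13306}"
MAX_SECS="${MAX_SECS:-3600}"                         # 1 hour is the hard ceiling

# --max-tunnel-duration is only accepted in 1..3600 seconds; reject anything else up
# front instead of discovering it when a long-running query is cut off mid-way.
validate_duration() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 3600 ]
}

# Resolve the Aurora endpoint to its private IP (what the post does with nslookup).
resolve_private_ip() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Assemble the open-tunnel command so it can be inspected before it runs.
build_tunnel_cmd() {  # args: endpoint-id private-ip remote-port local-port max-secs
  printf 'aws ec2-instance-connect open-tunnel --instance-connect-endpoint-id %s --private-ip-address %s --remote-port %s --local-port %s --max-tunnel-duration %s' \
    "$1" "$2" "$3" "$4" "$5"
}

main() {
  validate_duration "$MAX_SECS" || { echo "MAX_SECS must be 1..3600" >&2; return 1; }
  ip="$(resolve_private_ip "$AURORA_HOST")"
  [ -n "$ip" ] || { echo "could not resolve $AURORA_HOST" >&2; return 1; }
  cmd="$(build_tunnel_cmd "$EICE_ID" "$ip" 3306 "$LOCAL_PORT" "$MAX_SECS")"
  echo "+ $cmd"
  # Run the tunnel in the background and tear it down when the mysql session ends.
  $cmd &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT
  sleep 2   # give the local listener a moment to come up
  mysql -h 127.0.0.1 -P "$LOCAL_PORT" -u "$DB_USER" -p "$DB_NAME"
}

# Only open the tunnel when explicitly asked, so the helpers can be sourced on their own.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then main "$@"; fi
```

Run it with RUN_TUNNEL=1 and the placeholders overridden via environment variables; the session is closed once the mysql client exits or the duration elapses.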

Thoughts


The maximum session time is 1 hour (3600 seconds) and cannot be extended beyond that.

The limit is set with the --max-tunnel-duration option. If you connect to RDS and submit a heavy query that takes more than an hour, the connection will be cut off.
With Session Manager, you can extend it up to 24 hours.
 

Vulnerable to AZ failures

As noted in other blog posts, currently only one EC2 Instance Connect Endpoint can be created per VPC, and there does not appear to be any quota increase available at this time.
So if a failure occurs in the AZ where you created it, you may not be able to connect.
 

DB operations can also be performed from GitHub Actions

Because you can connect to RDS (Aurora) in a private subnet, you can, for example, authenticate to AWS from GitHub Actions using OIDC or an access key and then connect to and operate on a database in a private subnet.

Conclusion


It was a welcome update: it is now possible to connect to RDS and other services without an EC2 bastion host as a jumping-off point.
I would like to lay out the key points of the traditional bastion configuration, Session Manager, and EC2 Instance Connect Endpoint so that you can choose the best method.
 
SRG is looking for people to work with us. If you are interested, please contact us here.