• Access RDS on a private VPC subnet

    01 March 2015
    Tags: cloud 

    I recently migrated my Elastic Beanstalk application from EC2-Classic to VPC. Moving to VPC has many advantages, the first of which is the ability to control your own IP space. This allows you to make your cloud's IP space match your data center. VPC also has some added security benefits. The added security is achieved by moving RDS instances (or anything else you want) to a private subnet that is only accessible via your public-facing EC2 instances. This isn't a huge improvement, because security groups already did a good job of restricting RDS access to EC2 instances, but VPC segmentation does add another layer of protection. Another benefit of migrating is cost: VPC supports the new T2 instances, which are the cheapest EC2 instances offered on AWS.
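An added example, not part of the original post: a small check that the two layers described above (security-group restriction and private-subnet placement) both hold, run over JSON shaped like AWS CLI describe output. The sample data, every ID in it, and the `sg-app` application-tier group name are constructed assumptions.

```python
# Constructed sample data shaped like `aws rds describe-db-instances`, `aws ec2
# describe-security-groups` and `aws ec2 describe-route-tables` output; IDs are made up.
DB = {"PubliclyAccessible": False, "Endpoint": {"Port": 3306},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}],
      "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv-a"}]}}
GROUPS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]}]
ROUTES = [{"Associations": [{"SubnetId": "subnet-priv-a"}],
           "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}]
# Weak variant: public flag set, all TCP ports open to the world, IGW route.
WEAK_DB = dict(DB, PubliclyAccessible=True)
WEAK_GROUPS = [{"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}]
WEAK_ROUTES = [{"Associations": [{"SubnetId": "subnet-priv-a"}],
                "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}]

def audit(db, groups, route_tables, app_sg):
    """Return findings; an empty list means only app_sg can reach the DB port."""
    findings = []
    if db["PubliclyAccessible"]:
        findings.append("PubliclyAccessible is true")
    port = db["Endpoint"]["Port"]
    db_sgs = {g["VpcSecurityGroupId"] for g in db["VpcSecurityGroups"]}
    for sg in (g for g in groups if g["GroupId"] in db_sgs):
        for perm in sg["IpPermissions"]:
            # "-1" means all protocols; such rules carry no port range.
            if perm["IpProtocol"] not in ("-1", "tcp"):
                continue
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
            for rng in perm.get("IpRanges", []):
                findings.append(f"{sg['GroupId']} allows {rng['CidrIp']} on port {port}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != app_sg:
                    findings.append(f"{sg['GroupId']} allows group {pair['GroupId']}")
    subnets = {s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]}
    for table in route_tables:
        # Subnets without an explicit association use the main route table,
        # which this sketch does not resolve.
        hit = subnets & {a.get("SubnetId") for a in table["Associations"]}
        if hit and any(r.get("GatewayId", "").startswith("igw-") for r in table["Routes"]):
            findings.append(f"internet gateway route for {sorted(hit)}")
    return findings

if __name__ == "__main__":
    print(audit(DB, GROUPS, ROUTES, "sg-app"))
    print(audit(WEAK_DB, WEAK_GROUPS, WEAK_ROUTES, "sg-app"))
```

The check treats any CIDR-based ingress on the database port as a finding, since the intended policy here is access by reference to the application tier's security group only.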

    Unfortunately, most methods of accessing your privately subnetted RDS instances can add to your monthly AWS bill. I wanted an option that didn't add to my monthly AWS bill, so that eliminated using VPC's VPN feature or a dedicated VPN appliance. Fortunately, the solution was simple and already baked into the Elastic Beanstalk CLI tool. All I had to do was install the Elastic Beanstalk CLI tool and use EB SSH to connect directly to my EC2 instance. Then I installed the MySQL client on my EC2 instance and saved it as an AMI. Next, I set the AMI as the default image for my Elastic Beanstalk application. That way, any instance I connect to has the MySQL tools I need. So now I can manage my private RDS instance for no added cost.

    More info: EB CLI setup