SSM Port Forwarding: Connect to RDS in a private subnet with no SSH (bonus: with PgAdmin)
This post assumes a very basic understanding of VPC, SSH, and bastion/jump boxes. Rights to execute SSM are also assumed.
If you want to secure your database (DB), you will probably host it on a private subnet. To recap, a private subnet is closed to unsolicited connections from the outside world. Unfortunately, that also keeps you out: there is no direct path from your laptop to the DB.
To solve this problem, people traditionally set up bastions (aka jump boxes) on a public subnet and use them to reach the DB through an SSH tunnel. Bastions/jump boxes are hardened servers exposed to the outside world. They act as the single entry point to private systems, and they are locked down so that only authorised parties can connect.
Today we’ll see how we can use jump boxes to connect to your private RDS, but instead of using SSH tunnels, we’re going in with AWS SSM. If you want to get fancy, you can call this process port forwarding.
And a bonus: we’ll connect your PgAdmin to the DB too.
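As an added example (not code from the original post), this is the shape of the SSM port-forwarding session described above: the laptop asks Session Manager to open a tunnel through the bastion to the RDS endpoint, and PgAdmin or psql then connects to the chosen local port. The instance id, RDS hostname and ports are placeholders; the AWS CLI with the Session Manager plugin and an IAM identity allowed to start sessions on the bastion are assumed.

```shell
#!/usr/bin/env bash
# Added example: open an SSM port-forwarding session from a laptop, through a
# bastion instance, to a private RDS endpoint. No SSH, no inbound port on the
# bastion. All identifiers below are placeholders.
set -eu

# Build the --parameters JSON for the AWS-managed document
# AWS-StartPortForwardingSessionToRemoteHost. SSM expects every parameter
# value as a JSON array of strings.
ssm_rds_params() {
  rds_host="$1"; remote_port="${2:-5432}"; local_port="${3:-5432}"
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' \
    "$rds_host" "$remote_port" "$local_port"
}

# Refuse anything that is not a port number before it reaches the CLI.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Start the session. It stays open in the foreground; while it runs, point
# PgAdmin (or psql) at 127.0.0.1:<local_port> instead of the RDS endpoint.
ssm_rds_forward() {
  bastion_id="$1"; rds_host="$2"; remote_port="${3:-5432}"; local_port="${4:-5432}"
  if ! valid_port "$remote_port" || ! valid_port "$local_port"; then
    echo "invalid port: remote=$remote_port local=$local_port" >&2
    return 2
  fi
  aws ssm start-session \
    --target "$bastion_id" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_rds_params "$rds_host" "$remote_port" "$local_port")"
}

# Example call (placeholders): forward local 15432 to the DB's 5432.
# ssm_rds_forward i-0123456789abcdef0 mydb.abcdefghij.us-east-1.rds.amazonaws.com 5432 15432
```

Every session started this way is recorded in CloudTrail as an ssm:StartSession call, which is what makes it easier to audit than an SSH tunnel.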
Alright, but why would I stop using SSH Tunnels?
SSH is great, but if you want to step up your cloud security, there are other options now. The downside of SSH tunnels (that I’ve…