
Is there a way to have AWS RDS Public Accessibility = No but still accessible outside of EC2 instance?

For management-related reasons, I need the Public Accessibility option set to "No" for the RDS.

However, we're also looking into being able to access the RDS from our local devices. The only way we're able to do so is by selecting "Yes" in Public Accessibility. Of course, the VPC, Gateway, Subnet, and Security Groups are already set with the appropriate public-facing stuff, which is probably why the Yes option is working.

But the moment we set it to No, only the EC2 instances are now able to connect to the database.

Is there a way around this or is that really what the Public Accessibility flag does by design?

Thanks in advance.

ZekiraDrake asked Apr 23 '19 07:04


2 Answers

Yes, the Public Accessibility flag prevents you from accessing the RDS directly through the Internet, but you can access it indirectly through a jump server (like an SSH bastion) placed in a public subnet. Most of the popular MySQL UI editors, like Sequel Pro, have a built-in option for SSH config; using this option you can access RDS from local devices. You can also configure tunneling to the bastion.

Madhan S answered Oct 02 '22 14:10
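
The tunnel through a bastion that the answer above describes, as an added example that is not part of the original post; the host names, ports and function names are hypothetical placeholders. It binds the forward to 127.0.0.1 only, so the database port is not offered to other machines on the local network.

```shell
#!/bin/sh
# Added example (not from the original post). Host names are hypothetical placeholders.
# Forwards 127.0.0.1:<local_port> on your machine to <rds_host>:<rds_port>
# through a bastion in the public subnet; RDS stays "Publicly accessible = No".

# -N: no remote shell, forwarding only.
# ExitOnForwardFailure: fail fast instead of leaving a session with no tunnel.
# ServerAliveInterval: notice a dead tunnel instead of hanging.
TUNNEL_OPTS='-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60'

# Succeeds only for a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Args: bastion ([user@]host), rds_host, rds_port, local_port.
# Prints the ssh command; executes nothing.
build_tunnel_cmd() {
  valid_port "$3" && valid_port "$4" || return 2
  # Reject a leading '-' (would be parsed as an ssh option) and odd characters.
  case "$1" in ''|-*|*[!A-Za-z0-9@._-]*) return 3 ;; esac
  case "$2" in ''|*[!A-Za-z0-9.-]*) return 3 ;; esac
  # Explicit 127.0.0.1 bind: other hosts on the LAN cannot reuse the forward.
  printf 'ssh %s -L 127.0.0.1:%s:%s:%s %s\n' "$TUNNEL_OPTS" "$4" "$2" "$3" "$1"
}

# Validates, then runs ssh in the foreground until interrupted.
open_tunnel() {
  build_tunnel_cmd "$@" >/dev/null || return
  # $TUNNEL_OPTS is intentionally unquoted so it splits into separate options.
  ssh $TUNNEL_OPTS -L "127.0.0.1:$4:$2:$3" "$1"
}

# Opt-in run, e.g.:
#   RDS_TUNNEL=1 sh tunnel.sh ec2-user@bastion.example.com mydb.example.internal 3306 3307
if [ "${RDS_TUNNEL:-0}" = 1 ]; then open_tunnel "$@"; fi
```

With the tunnel open, point the MySQL client or GUI at 127.0.0.1 and the chosen local port. The RDS security group then only needs to allow the database port from the bastion's security group.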


Setting Public Accessibility to "No" will not allow any access from the internet. There are plenty of ways to connect your RDS to your local.

  1. Add your public IP in the security group of your RDS database instance

  2. Jump Server / Bastion

  3. VPN / Direct Connect

You're asking for the best approach on how to secure this. The best option is #3. But to do this, you will need to build your database instance in the private subnet.

How?

Navigate to RDS > Subnet Groups. Create a DB Subnet Group. Select your VPC and the private subnet to use.

user11389395 answered Oct 02 '22 16:10