ssh tunnel for RDS via bastion host
Our RDS db is hosted on Amazon. Our Bastion(Jumphost) can connect to the db. Connections to the db are not allowed outside of the internet.
Run ssh tunnel locally:
This creates a tunnel from my local machine to the Bastion:
ssh -N -L 3307:my-rds-db.us-east-1.rds.amazonaws.com:3306 ec2-my-bastion-server.compute-1.amazonaws.com
This will forward port
3307 from your local desktop to the remote MySQL rds server through your Public facing bastion EC2 instance.
You can easily set up this tunnel every time you log into your remote EC2 instance and log into it with whatever name you prefer:
Add this to .ssh/config:
Host my_instance Hostname bastion-ip Localforward 3307 my-rds-db.us-east-1.rds.amazonaws.com:3306
Connect to db using your favorite db interface.
An example using
$ mysql -uusername -h 127.0.0.1 -P 3307 -p
For more info
-L [bind_address:]port:host:hostport Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost'' indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.