Can Amazon AWS RDS MySQL databases be used in Azure? - mysql

We have MySQL databases which we want to host on AWS RDS and use from an Azure VM and web app. Both of them are located in the Singapore region.
Is this possible? If yes, how? What are the pros and cons? And how do we do this?

You have two options: build an Amazon VPC/Azure Network VPN tunnel on your own, with something like a Cisco instance or Linux VPN packages, or make your MySQL Amazon RDS publicly accessible and set up an SSL-encrypted connection to the DB. For more information, see this doc:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Related

Connect to private Amazon RDS without EC2

I see a lot of articles online where EC2 is involved, but since my backend is essentially serverless I have not found much information how to access my RDS once it is turned private. Can anyone point me in the right direction?
Current state:
Public MySQL RDS
RDS is accessed by a MySQL client on my local machine (MySQL Workbench) and AWS Lambda functions via my web application (both connecting via SSL)
Future state:
Private MySQL RDS
Private RDS would continue to be accessed by only my local machine and only the noted AWS Lambda functions via my web application (I assume continuing to use SSL?)
In your scenario your Lambda functions will need to be configured to run in the VPC if they are not already. That is the only change required for the Lambda functions.
However, when you switch the RDS instance to private, that means it only accepts connections from within the VPC. So you can't make connections directly from your local computer to the database anymore. You have to go through some sort of "bridge" to get your local computer into the AWS VPC network.
In this scenario people either use an EC2 instance as a bastion host, or they create a VPN connection from their local computer into the AWS VPC. AWS Client VPN is a managed service you could use for this.
You'll need to evaluate the Client VPN pricing, but I think you may find that a single t4g.nano EC2 bastion host is probably cheaper, and you can also stop the instance when you don't need it to really cut down the cost.
You can also use a VPC with Lambda. Lambda and RDS can be in the same VPC, or in separate VPCs peered together. AWS documentation for this scenario can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/connect-lambda-to-an-rds-instance/
You can use Basti, which is a CLI tool that manages the EC2 bastion instance for you. The tool keeps the instance stopped when it's not used to minimize the solution cost, performs software updates to keep the bastion instance secure, and provides a convenient CLI that can be used locally and in CI/CD pipelines.

How can I securely connect to databases in GKE using GUI tools?

I'd like to connect to my databases in GKE using GUI tools but I don't want to expose the services to the world. What are some ways to accomplish this?
Update: for instance, I'd like to use TablePlus to connect to a mysql pod inside the cluster.
Create a new VM in the region where your cluster lives.
Install the GUI tool.
Specify an IP address in the cluster's IP range.
See the example below, which describes how to connect to a database which is running on a GKE cluster.
https://cloud.google.com/composer/docs/access-airflow-database

Can AWS Aurora Serverless Clusters be configured via AWS Explorer in DataGrip?

I'm currently having issues setting up the AWS Explorer plugin in DataGrip to recognise the Aurora Serverless Clusters (MySQL). I have set up credentials from IAM in the credentials file, and can access other AWS services (if I select the dropdown "Schemas", for example, I can see the list of schemas in my org) but clicking the RDS dropdown shows "empty", and doesn't even show the list of database engines. I have tried connecting with secrets manager and using the correct secret for the DB cluster but no luck. When I try and add the database cluster as a data source, it just hangs on "Introspecting" and then the endpoint for that cluster.
I found this issue on the aws-toolkit for JetBrains GitHub https://github.com/aws/aws-toolkit-jetbrains/issues/2124
which mentions that it could be a driver problem. I have tried changing to the MySQL driver, and that hasn't seemed to fix it. DataGrip also seems to heavily encourage using the recommended Aurora MySQL driver.
Is this a bug with DataGrip, or AWS Explorer, or am I missing something obvious? Do I need to enable SSL CAs to get AWS Explorer the correct permissions?
Thanks!
EDIT: I have gone through the prerequisites listed on the AWS docs:
I have installed the AWS CLI and AWS SAM CLI
I have installed Docker (but I haven't set up any containers - I think this is only needed if I'm running localhost?)
I'm running Windows 10.
Aurora serverless can't be accessed from the internet. From docs:
You must create your Aurora Serverless DB cluster in an Amazon Virtual Private Cloud (Amazon VPC). Aurora Serverless DB clusters are accessible only from an Amazon VPC and can't use a public IP address.
Thus, you need to set up a VPN or some proxy (e.g. an SSH tunnel through a bastion host) to be able to connect to Aurora Serverless from outside of AWS.

Can we set up a database on Amazon EC2 similar to how XAMPP is configured on my local system

Can you install MySQL for AWS Elastic Cloud Compute (EC2) directly on the instance? I can't afford to purchase a separate RDS instance at the moment.
My website is set up on AWS EC2 already and now I'm going to try out some features with a database. I need to set up the instance to run on the EC2 localhost and connect it to my website to store my user data.
So first you need to separate XAMPP from MySQL in your thought process. XAMPP is a tool only for your local development. You can set up a database on the Elastic Cloud Compute (EC2) instance similarly to how you set up your XAMPP config locally.
Here are the official docs on how to install a full LAMP stack on an EC2 instance running the Amazon Linux AMI - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html

Understanding aws and rds connections

I've just started working with AWS EC2 instances, and I want to migrate the MySQL DB on the EC2 to a RDS instance.
My question is about security: when I connect to my EC2 instance I use a security key (.pem) file to encrypt my connection from laptop to EC2. But when the EC2 connects to the RDS, I believe it will be using port 3306 on the RDS and be unencrypted? Is this a security risk for my web application?
If this is a security risk what is the best practice for securely connecting the EC2 to the RDS?
Thanks!
https://aws.amazon.com/rds/faqs/
Can I encrypt connections between my application and my DB Instance using SSL?
Yes, however, this option is currently only supported for the MySQL, SQL Server, and PostgreSQL engines.
Amazon RDS generates an SSL certificate for each DB Instance. Once an encrypted connection is established, data transferred between the DB Instance and your application will be encrypted during transfer. If you require your data to be encrypted while “at rest” in the database, your application must manage the encryption and decryption of data. Also note that SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
You can set up rules in your security group to only allow connections to your RDS instance from a predefined list of EC2 IPs if you want (or any IPs for that matter). AWS will reject any traffic trying to get to that RDS that is not in the list.