I have setup a linux server in Amazon Ec2 with a mysql db in RDS.
Connect from mysql workbench to RDS is going fine with (TCP/IP) or (TCP/IP with SSH).
My question is, how to enforce all connections to RDS must going through linux server? I want to enforce this behaviour because it gives an extra layer of security.
Want to enforce this
Client -> EC2 Linux Server -> RDS
Want to stop this
Client -> RDS
My Ec2 Configuration
My RDS Configuration
untested
Try:
[client]
protocol=tcp
host=<ip address of DB server>
in your my.cnf file. Where the host can only be accessed via ssh.
After playing with it some time, I finally got the desired result by setting the security group id as parameter in the source connection setting. Thanks all.
Related
Is it possible to use Lambda(triggered by AWS IoT) to read/write to a MySQL server running on an EC2 instance? If so how would you do that? All info I see on internet seems to relate specifically to Amazon RDS rather than EC2 instances.
Thanks, Marcus
You need to connect the Lambda to the subnet where the MySQL server is running. See https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html.
Once that is done, you can connect to it using the server's private IP, as you normally would any MySQL server.
I've followed the tutorial here and set up a ProxySQL v2.0.2 service on an Ubuntu AWS EC2 instance.
One thing that troubles me is that the configurations of ProxySQL are gone after the EC2 instance restarts.
For example, before the EC2 instance restarted, SELECT * FROM mysql_servers; returns the backend databases I've added to ProxySQL. But after the EC2 restarted, SELECT * FROM mysql_servers; returns an empty set. And I must re-configure ProxySQL to allow the clients to connect to databases through ProxySQL.
How can I preserve the ProxySQL configurations after the EC2 instance restarts?
Why can't SAVE MYSQL VARIABLES TO DISK; command preserve the configurations?
I configure ProxySQL using the admin interface.
I've tried adding servers in mysql_users section of /etc/proxysql.cnf file. But it seems that it has no effect at all. This is strange.
According to this document, I should use SAVE MYSQL SERVERS TO DISK to save the mysql_servers configuration to the disk.
SAVE MYSQL VARIABLES TO DISK; is used to save other variables to the disk.
I'd like to connect to a mysql database on an AWS EC2 instance from another EC2 instance, but I don't want this mysql database to be accessible from other IP addresses. Changing the bind-address in my.conf to 0.0.0.0 allows everybody to access it, and I don't feel comfortable doing this.
What's the best approach on AWS to configure this in a secure way?
It is easy to do the above. Lets say EC2-1 is your instance and EC2-2 is your MYSQL instance with Security group 1 for EC2-1 and Security group 2 for EC2-2. Add below rule in your Security Group 2. So you can only connect to MYSQL running on EC2-2 from EC2-1 and no body else can connect.
Is it possible to use AWS' RDS MySQL solution in tandem with my current file server host? By that, I mean, can I connect to the RDS MySQL server as I am with my hosts current database?
I've tried the AWS documentation but it seems a bit flaky in this area.
Thank you,
Amazon RDS is a database server, just like any other. If you start up an RDS MySQL server, you can connect to it from anything else that can connect to a MySQL server.
The difference is that you do not have direct host access to the RDS server. Meaning, you cannot SSH into it and get a command prompt.
But you can connect to it from any MySQL client, including MySQL Workbench.
I have a database in an Amazon Web Services instance that I'm trying to connect to using MySQL Workbench. However, I don't know what the database server is, all I know is the Public DNS and Public IP of my instance. I already set a Security Group to allow me to access my MySQL database using an external client, but how do I know what my database server is in an AWS EC2 instance?
I reserve the right to be terribly wrong but
1) change my.conf (whatever your mysql conf file is called).
And set bind-address to 0.0.0.0 as it is prob 127.0.0.1
2) stop/restart mysql daemon
3) nothing wrong with long public address. I often use elastic ip addresses which are free (sort of)
If bind-address is not changed you are screwed as per remote. It is a security default upon install
OK guys, I ended up finding out the answer myself. In MySQL Workbench, the default Connection Method is Standard (TCP/IP). I had to change this setting to Standard TCP over SSH. That was the key. After I realized that, it was easy to fill in the input fields with the appropriate values and I was able to connect to the database server on the AWS EC2 Instance.