Connecting to Amazon RDS instance through EC2 instance using MySQL Workbench

mysql amazon-web-services ssh amazon-rds amazon-vpc
45,596

Solution 1

I've been struggling with something similar for weeks now. Just figured it out a few minutes ago.

  1. In mysql workbench, create a new server instance.
  2. For the remote host address, enter your endpoint address (i.e. xxxxxx.us-east-1.rds.amazonaws.com)
  3. For connection method, select "Standard TCP/IP over SSH"
  4. The SSH Hostname is the public DNS of your EC2 instance
  5. I specified ec2-user (I believe it varies by EC2 Instance type) as the username and then specified the downloaded key file corresponding to the key pair the instance was using.
  6. The mysql hostname is the endpoint of the RDS instance.
  7. The username is the username for the RDS instance (i.e. ebroot)

Using that I was able to connect. However, I did not utilize VPC in my setup. Hope this helps. Good luck!

Solution 2

Since you are using a VPC, this is how it should be configured in order to accept connections from your sub-net only:

  1. select VPC Security Group used by your db instance

  2. add a new rule to allow all ips from your private sub-net on port 3306

    ex: Rule INBOUND 3306 (MYSQL) 172.33.11.0/24

  3. use mysql workbench tcp/ssh and it will work (follow AndrewSmiley answer).

Solution 3

I recommend using SSH tunneling:

  1. Create putty session to the bastion host
  2. Under Connection --> SSH --> Tunnels, specify the Source port: 3306, Destination: yourRDSendpointname:3306
  3. Don't forget to click add!
  4. Connect to the bastion host with those settings
  5. Add a new connection in MySQL workbench and point it to your localhost port 3306 (assuming you aren't running anything on 3306 on your local client machine)
  6. Put in your username and password for your RDS instance

Solution 4

If you want to truly use the VPC connectivity of AWS and not allow public IPs do the following.

If you have one security group that both your EC2 and RDS are assigned to then add an inbound rule for mysql 3306 on TCP but in the source field do not put IP or subnet but the actual security group ID. ie sg-9829f3d2.

I personally have two security groups on VPC.

The first, security group 1 is in use by the EC2 instance and only allows the ports required for the EC2, ie 80 and 22.

The second, security group 2 is in use by just the RDS instance(s) and has one rule for allowing mysql (3302) and the source field is set to the id of security group 1.

All the Mysql workbench SSH tunnelling works with the two security groups as well.

Solution 5

You can create an SSH tunnel into your Bastion host (EC2 instance) to forward ports from your local machine to the remote RDS instance.

on mac/ linux this is the command (for windows follow instructions in the link below):

ssh -L 3306:myinstance.123456789012.us-east-1.rds.amazonaws.com:3306  your_c2_ip

then you can connect with workbench using the following settings:

  • connection method: standard TCP

  • hostname: localhost

  • port 3306

This post explains it the method in more detail; https://userify.com/blog/howto-connect-mysql-ec2-ssh-tunnel-rds/

Share:
45,596
iamyojimbo
Author by

iamyojimbo

Updated on December 26, 2020

Comments

  • iamyojimbo
    iamyojimbo over 3 years

    In AWS I have a VPC set up with a Bastion Host. The bastion host is a single EC2 instance with a public address trough which you can SSH to any other server on the VPC.

    I have created an RDS MySQL instance within the VPC and I would like to connect to it using MySQL workbench. I have followed the steps detailed here, however in "Step 6: Setting up remote SSH Configuration", it asks me to "Provide the Public DNS of the Amazon EC2 instance" (i.e. the bastion host).

    MySQL workbench then does checks for certain MySQL resources on that server. However, this is not correct in my opinion as I have provided the bastion host's address, which does not have MySQL installed. As a result, the last two checks for "Check location of start/stop commands" and "Check MySQL configuration file" then fail.

    I have then tried using the endpoint address of the RDS MySQL instance but with no success (as it is in the private subnet so is not publicly addressable).

    It seems that many people have this up and running, but what am I doing wrong here?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Unable to connect to RDS instance from outside VPC (ERROR 2003 (HY000) Can't connect to MySQL Server)
Connecting to an RDS from an EC2 on the same VPC
Amazon RDS unable to execute SET GLOBAL command
AWS RDS Writer Endpoint vs Reader Endpoint
AWS MySQL connection frequently times out
ERROR 2003 (HY000): Can't connect to MySQL server on AWS RDS
Connect to RDS MySQL instance from ec2 Linux AMI - mysql command not found
MySQL: How long are binlogs retained?
Remote Server can't access RDS Database
Can't create a new user with all privileges on AWS RDS MySQL instance