As far as I have seen, the most secure way to access RDS is if your service (accessing the RDS database) is also running on AWS.
Another option is to control access with security groups by whitelisting the IPs of services. However, services running on infrastructure like Heroku do not provide static IPs (as far as I have seen), only IP ranges.
My situation is that I have an API service on Heroku that I would like to have access to an AWS RDS database. What is the best and most secure way to grant access to the RDS database from Heroku (or another external service), since Heroku does not assign static IPs to apps?
Here are solutions that I would not like to consider.
I'd recommend considering the use of QuotaGuard static IP addresses for Heroku.
QuotaGuard Static is a Heroku Static IP add-on that allows you to route inbound & outbound traffic through a static IP address. You can provide this static IP address to an API partner for an IP based allowlist and open your own firewall to access internal resources.
I'd use this plugin to make sure that all outbound traffic from my compute layer uses the static IP, which could then be whitelisted in the security group of your RDS instance.
A more secure option that you may consider is setting up a private network space peering between your Heroku private space and your AWS VPC.
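As an added example, not part of either post above: assuming a PostgreSQL port and hypothetical static egress IPs, this Python builds the single-host (/32) ingress rule the answer describes and audits an existing security group for any rule on the database port that is wider than one host. The `authorize_security_group_ingress` call is the real boto3 API; the security group document is a constructed sample.

```python
"""Build and audit an RDS security-group allowlist for fixed egress IPs."""
import ipaddress

DB_PORT = 5432  # assumption: PostgreSQL; use 3306 for MySQL


def build_ingress(static_ips, port=DB_PORT, description="heroku-static-egress"):
    """Return an IpPermissions list that admits only the given hosts as /32 entries."""
    ranges = []
    for ip in static_ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if addr.version != 4:
            raise ValueError(f"IPv4 address expected: {ip}")
        ranges.append({"CidrIp": f"{addr}/32", "Description": description})
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}]


def overly_broad_rules(security_group, port=DB_PORT, max_prefixlen=32):
    """Return CIDRs that reach the DB port yet admit more than a single host."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all protocols
            continue
        from_p, to_p = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not from_p <= port <= to_p:
            continue
        for entry in perm.get("IpRanges", []):
            net = ipaddress.ip_network(entry["CidrIp"], strict=False)
            if net.prefixlen < max_prefixlen:
                findings.append(entry["CidrIp"])
    return findings


def apply_ingress(group_id, static_ips, region="us-east-1"):
    """Push the allowlist to AWS (needs credentials; not exercised offline)."""
    import boto3  # imported lazily so the audit functions run without it
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=build_ingress(static_ips))


# Constructed sample shaped like one entry of describe_security_groups()["SecurityGroups"].
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
```

Run `overly_broad_rules` over the output of `describe_security_groups` before trusting the allowlist; a leftover `0.0.0.0/0` rule makes the static IP pointless.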