I am relatively new to AWS so any help would be greatly appreciated!
The problem I am having is that I cannot establish an SSH tunnel to an RDS database through an EC2 instance, because an ALB only allows HTTPS/HTTP, not SSH.
I have a public VPC which contains:
N.B. I set up the ALB and EC2 instance via Elastic Beanstalk.
Is it possible to establish an SSH tunnel through the ALB, or is there another route which is recommended? I have done some research, and both SSM and a bastion host seem to be common.
The image below shows the details required in order to connect to the MySQL database over SSH:
It sounds like you want to use SSH Port Forwarding by connecting to the EC2 instance (via SSH) and then forward some ports via that instance to connect to the Amazon RDS database.
However, this will not work with an EC2 instance in a private subnet. You would need to launch an EC2 instance in a public subnet to be accessible from the Internet.
An alternate method would be to Use port forwarding in AWS Systems Manager Session Manager to connect to remote hosts | AWS Cloud Operations & Migrations Blog:
This uses the Systems Manager agent installed on the private EC2 instance to establish a connection with the AWS Systems Manager service. This allows you to connect to a private instance. It acts like SSH but it isn't actually using SSH.
As part of this connection you can specify port forwarding so that traffic can be sent across the Session Manager connection to the Amazon RDS database in the same VPC as the EC2 instance.
I think this method would suit your situation nicely. You would need to add some permissions to the IAM Role on the EC2 instance to allow Session Manager to operate.
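The Session Manager port-forwarding route the answer describes, as an added example that is not part of the original answer: a small shell script that attaches the SSM managed policy to the instance role (one-time) and then opens a local port to the RDS endpoint through the private EC2 instance. The instance ID, RDS endpoint, region and role name are assumptions standing in for the asker's own values; `AWS-StartPortForwardingSessionToRemoteHost` and `AmazonSSMManagedInstanceCore` are AWS's real document and policy names.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Forwards a local port to an
# RDS MySQL endpoint through a private EC2 instance via Session Manager.
# Hypothetical values: INSTANCE_ID, RDS_HOST, REGION and the role name.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"                      # assumption
RDS_HOST="${RDS_HOST:-mydb.cluster-abc123.eu-west-1.rds.amazonaws.com}" # assumption
REGION="${AWS_REGION:-eu-west-1}"                                       # assumption

# Build the --parameters string for AWS-StartPortForwardingSessionToRemoteHost.
# "host" is resolved on the EC2 instance, so the RDS endpoint never needs to
# be reachable from the laptop.
ssm_pf_params() {
  host="$1"; remote_port="$2"; local_port="$3"
  printf 'host=%s,portNumber=%s,localPortNumber=%s' "$host" "$remote_port" "$local_port"
}

# Accept only integers in 1..65535 before handing them to the AWS CLI.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One-time setup: the instance role needs the SSM agent permissions.
# Role name defaults to Elastic Beanstalk's usual instance role (assumption).
attach_ssm_policy() {
  aws iam attach-role-policy \
    --role-name "${1:-aws-elasticbeanstalk-ec2-role}" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
}

# Open the tunnel. Runs in the foreground until interrupted; then
#   mysql -h 127.0.0.1 -P 3306 -u <user> -p
# from another terminal talks to RDS through the instance.
start_rds_tunnel() {
  remote_port="${1:-3306}"; local_port="${2:-3306}"
  if ! valid_port "$remote_port" || ! valid_port "$local_port"; then
    echo "invalid port: $remote_port / $local_port" >&2
    return 1
  fi
  aws ssm start-session \
    --region "$REGION" \
    --target "$INSTANCE_ID" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_pf_params "$RDS_HOST" "$remote_port" "$local_port")"
}

# Usage:
#   attach_ssm_policy            # once, then wait for the instance to show in SSM
#   start_rds_tunnel 3306 3306   # keep running; connect to 127.0.0.1:3306
```

Three things must also be true for this to work, none of which involve opening port 22: the instance needs outbound HTTPS to the Systems Manager endpoints (through a NAT gateway or interface VPC endpoints for ssm, ssmmessages and ec2messages), the RDS security group must allow inbound 3306 from the instance's security group, and the IAM user or role running the script needs `ssm:StartSession` on that instance and document. Once this is in place the instance's inbound SSH rule can be removed entirely.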