<aside> ⚠️

By default, RDS requires all traffic to the instances to have SSL enabled. Make sure the DB connection from your apps has SSL required

</aside>

Step 4.1: Deploy the ****RDS bastion host to access the databases through port forwarding

• Create an IAM role for the bastion host, with the following policies:

  • Policies for Session Manager: AmazonSSMManagedInstanceCore

• Create a security group for the bastion host:

  • Inbound rule: default none
  • Outbound rule:
    • HTTPS (port 443) - Source: Everywhere IPv4 (0.0.0.0/0) → Port to use SSM
    • PostgreSQL (port 5432) - Source: Everywhere IPv4 (0.0.0.0/0) → Port to forward

• Create the EC2 access instance:

  • AMI & Architecture: Amazon Linux 2023 (should have SSM agent preinstalled) & 64-bit Arm (arm64)
  • Instance type: t4g.nano
  • Network settings:
    • VPC & Subnet: VPC and the Bastion subnet on step 2
    • Security group: the security group just created
  • EBS Storage: 10 GiB gp3
  • Advanced details:
    • IAM Instance profile: the IAM role just created

Step 4.2: Create the multi-AZ RDS database instances

• Create a RDS subnet group, that contains the two RDS subnets from step 2

  • Note down the CIDRs of the two subnets, as the RDS console doesn’t point out the subnet names

• Create a security group for RDS instances:

  • Inbound rule:
    • PostgreSQL (port 5432) - Source: The EKS cluster default security group (eks-cluster-sg-eks-demo-cluster)
    • PostgreSQL (port 5432) - Source: The RDS bastion host’s security group created in step 4.1
  • Outbound rule: default allow all traffic

• Create the RDS database instances (In this example, my architecture has two backend applications, each requiring its own database → 2 separate RDS instances):

  • Engine option: PostgreSQL
  • Template: Dev/Test (for demo purpose)
  • Availability and durability: Multi-AZ DB instance
  • Settings - Credentials management: Managed in AWS Secrets Manager
  • Instance class: db.t4g.micro
  • Storage: gp3 - 20GB
  • Connectivity:
    • Don’t connect to EC2
    • VPC: from step 2
    • DB subnet group: just created above
    • Public access: No
    • Security group: just created above
  • Monitoring: Turn off DevOps Guru & Enhanced Monitoring
  • Additional configuration:
    • Initial database name: (Up to preference, the application uses in this example require one)
    • Backup replication in another Region: Disable if not planning for multi-region disaster recovery

• From the local machine, start port forwarding using your bastion host:

  aws ssm start-session \\
  		--region us-east-1 \\
      --document-name AWS-StartPortForwardingSessionToRemoteHost \\
      --target <bastion_host_instance_id> \\
      --parameters host="<rds_instance_endpoint>",portNumber="5432",localPortNumber="5555"
  

  

  • Then test with the preferred tool, secret values can be retrieve from AWS Secrets Manager through console or CLI (In this example, I used pgAdmin on http://localhost:5555):