How to set-up a SSH tunnel for AWS RDS

ssh-tunnel.md

SSH Tunnel

Our db is hosted on Amazon. Our web server can connect to the db. Connections to the db are not allowed outside of the web server.

Run ssh tunnel locally:

This creates a tunnel from my local machine to the web server:

ssh -N -L 3307:my-rds-db.us-east-1.rds.amazonaws.com:3306 ec2-my-web-server.compute-1.amazonaws.com

-N -- Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).

Connect to db using your favorite db interface.

An example using mysql:

$ mysql -uusername -h 127.0.0.1 -P 3307 -p

From man ssh:

-L [bind_address:]port:host:hostport
 Specifies that the given port on the local (client) host is to be forwarded to the given 
 host and port on the remote side.  This works by allocating a socket to listen to port on 
 the local side, optionally bound to the specified bind_address.  Whenever a connection is 
 made to this port, the connection is forwarded over the secure channel, and a connection 
 is made to host port hostport from the remote machine.  Port forwardings can also be 
 specified in the configuration file.  IPv6 addresses can be specified by enclosing the 
 address in square brackets.  Only the superuser can forward privileged ports.  By default, 
 the local port is bound in accordance with the GatewayPorts setting.  However, an explicit 
 bind_address may be used to bind the connection to a specific address.  The bind_address of 
 ``localhost'' indicates that the listening port be bound for local use only, while an empty 
  address or `*' indicates that the port should be available from all interfaces.

You should add the username of the instance (ec2-user, Ubuntu, etc). E.x:
ssh -N -L 3307:myrdse.eu-west-1.rds.amazonaws.com:3306 [email protected]

I had to add ssh -i [ssh key file] ...

After this code:
ssh -N -L 3307:my-rds-db.us-east-1.rds.amazonaws.com:3306 ec2-my-web-server.compute-1.amazonaws.com -i ~/.ssh/freelensia_prod_deploy.pem
the terminal just shows a blinking cursor. Does that mean it is connected?

having the same issue as @Freelensia.

ssh -N -L 3307:my-rds-db.dfdfsdfsdf.eu-central-1.rds.amazonaws.com:3306 [email protected] -i ~/my-key.pem, I only get a blinking curson

@Freelensia, did you manage to solve this issue ?

@Fettah @Freelensia, you have to make sure the security group of the RDS database has an inbound rule set up with the IP address (or CIDR) of the bastion host. A simple test to figure this out is:

ssh to the bastion host normally (i.e. ssh -i "your.pem" your.ec2.host)
mysql -h your.rds.endpoint -u yourdbuser -p.

If it hangs, you have to fix that first with via security group mentioned above. If you can authenticate via MySQL CLI (on bastion), then your SSH commands and port forwarding ssh command will work just fine, and the command will no longer hang.

UPDATE: I had to not use the -N switch, as well.

This command worked for me
ssh -i "<your server pem key>" -4 -N -L "<random_port>":"<rds instance endpoint>":"<db port>" "<username>"@"<server ip>"
to connect from my local machine

This command worked for me ssh -i "<your server pem key>" -4 -N -L "<random_port>":"<rds instance endpoint>":"<db port>" "<username>"@"<server ip>" to connect from my local machine

in the last command, the username and server ip is an a ec2 ?

This command worked for me ssh -i "<your server pem key>" -4 -N -L "<random_port>":"<rds instance endpoint>":"<db port>" "<username>"@"<server ip>" to connect from my local machine

in the last command, the username and server ip is an a ec2 ?

Probably yes, not 100% sure as I had tried it long ago