AWS ZeroTier Bastion
Connect to a private RDS instance using SSH tunnel via a bastion EC2 instance, ZeroTier.
Scenario: You want to connect to an RDS database instance in your private VPC Solution: Set up a VPN to connect to the VPC Problem: VPNs are stupid expensive - $36 per user per month Solution 2 (cheap): Do it yourself 🆒
Step 1: Set up an EC2 instance
- Use the cheapest instance available to you (e.g. t2 nano). We don't need CPU or RAM for this.
- Make it public and within the correct VPC
- Connect it to the RDS instance you want: All done. Try SSH into the instance to make sure everything is working as expected.
Step 2: Set up SSH tunnel
Nothing needs to be set up on the EC2 instance itself. You just need to follow the instructions here:
https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/
Which just tells you to run the following command from your local machine:
ssh -i /path/key-pair_instance1.pem username_of_instance1@i-0123456789abcdefa -L 9090:ec2-123-12-123-2.compute-1.amazonaws.com:3306
- The key pair is the EC2 key pair you chose in the wizard
username_of_instance1@i-0123456789abcdefa
is the EC2 username and public host- Everything after -L:
- 9090 - the local port to assign
ec2-123-12-123-2.compute-1.amazonaws.com
- the host name of the destination machine (RDS instance endpoint)- 3306 - the destination port on the destination machine (5432 for Postgres)
Step 3: Connect from your machine
Use DBeaver/Sequel Pro/MySQL Workbench/whatever to connect to localhost:9090 with the RDS database credentials, and it will connect to the remote DB within the VPC.
Step 4: Improving security
A major issue with the above is you are making a single EC2 instance a security hole. If someone gets access to the EC2 instance, they have access to your VPC, which means they can get way more information than if they were outside of it.
The solution is to ensure that your EC2 instance is private but then you can't access it sad
Here comes ZeroTier https://www.zerotier.com/ to the rescue. ZeroTier is a lightweight, secure VPN with very simple configuration. The client machines just need access to the Internet, and you're good to go - no port forwarding, no static IP addresses, nothing. Very useful if you want to remotely LAN old games with your mates wink
We need to do the following:
- Set up a ZeroTier network for this project (gives you a 16-digit network ID)
- Set up ZeroTier on the bastion machine SSH into the EC2 instance and run
curl -s [https://install.zerotier.com](https://install.zerotier.com "https://install.zerotier.com/") | sudo bash
- Join the network on the bastion machine
sudo zerotier-cli join d5XXXXXXXXXXXX72
- Accept the join request on the ZeroTier management UI: Give it a description and note the assigned IP address. You will use this to connect in future.
- From your own machine, install the ZeroTier client and join the network in the same way.
- You can now remove the rule to connect to the EC2 instance from 0.0.0.0 on port 22.
Your EC2 instance can now no longer be accessed publicly, but you can if connected to ZeroTier. Just replace the public instance hostname with the ZeroTier IP address.
The cool thing here is even if someone gets your SSH key, they also need to be part of the ZeroTier network to access the instance.