
Connecting to AWS RDS Databases

Connect securely to Amazon RDS databases through EC2 bastion hosts using AWS Session Manager.

Overview

StormTunnel supports secure connections to AWS RDS databases (MySQL, PostgreSQL, Aurora, and more) through EC2 bastion hosts. This eliminates the need to expose your database to the public internet or manage SSH keys.

How It Works

Your Mac → EC2 Bastion Host → RDS Database
   ↑              ↑               ↑
Local Port    SSM Session    Private Endpoint

  1. StormTunnel creates a secure tunnel through an EC2 instance
  2. The EC2 instance forwards traffic to your RDS database
  3. You connect to localhost on your Mac as if the database were local

Prerequisites

Before connecting to RDS:

  1. EC2 Bastion Host - An EC2 instance in the same VPC as your RDS database
  2. Network Access - The EC2 instance must be able to reach the RDS endpoint
  3. AWS Credentials - Configured on your Mac with SSM permissions
  4. RDS Endpoint - Your database endpoint (from the RDS console)

Creating an RDS Tunnel

Step 1: Get Your RDS Endpoint

  1. Open the AWS Console → RDS
  2. Select your database
  3. Copy the Endpoint (e.g., mydb.abc123xyz.us-east-1.rds.amazonaws.com)
  4. Note the Port (MySQL: 3306, PostgreSQL: 5432)

Step 2: Create the Tunnel

  1. Click + in StormTunnel
  2. Select Tunnel Type: AWS Session Manager
  3. Configure:

| Field           | Value             | Example                                    |
|-----------------|-------------------|--------------------------------------------|
| Name            | Descriptive name  | Production MySQL                           |
| EC2 Instance ID | Your bastion host | i-0abc123def456                            |
| AWS Profile     | Your AWS profile  | production                                 |
| AWS Region      | RDS region        | us-east-1                                  |
| Local Port      | Port on your Mac  | 3306                                       |
| Remote Host     | RDS endpoint      | mydb.abc123xyz.us-east-1.rds.amazonaws.com |
| Target Port     | Database port     | 3306                                       |

  4. Click Save

Step 3: Connect

  1. Toggle the tunnel On
  2. Connect using your database client:

MySQL:

mysql -h 127.0.0.1 -P 3306 -u admin -p

PostgreSQL:

psql -h localhost -p 5432 -U postgres -d mydb
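The tunnel that Steps 1 to 3 configure, as an added example (not StormTunnel's own code) using the AWS CLI and the Session Manager plugin directly; the profile, instance ID and endpoint are the placeholders from the table above, and the script only prints the command so you can see exactly what the bastion is asked to forward:

```shell
#!/bin/sh
# Added example, not StormTunnel's own code: the AWS CLI equivalent of the
# tunnel configured in Steps 1-3. Assumes AWS CLI v2 and the Session Manager
# plugin are installed; the instance ID, profile and endpoint are placeholders.
set -eu

# Catch typos before a session is opened: an instance ID is "i-" followed by
# hex digits, and an RDS endpoint always ends in ".rds.amazonaws.com".
validate_tunnel_target() {
  instance="$1"; host="$2"
  case "$instance" in
    i-[0-9a-f]*) ;;
    *) echo "bad EC2 instance id: $instance" >&2; return 1 ;;
  esac
  case "$host" in
    *.rds.amazonaws.com) ;;
    *) echo "not an RDS endpoint: $host" >&2; return 1 ;;
  esac
}

# Build the command that does what the StormTunnel toggle does: the SSM
# document AWS-StartPortForwardingSessionToRemoteHost has the bastion forward
# local_port on this Mac to host:target_port inside the VPC. The bastion needs
# no inbound security-group rule and no SSH key; the only credential involved
# is the AWS profile, which is why limiting SSM permissions limits DB access.
build_rds_tunnel_cmd() {
  profile="$1"; region="$2"; instance="$3"; host="$4"
  target_port="$5"; local_port="$6"
  validate_tunnel_target "$instance" "$host" || return 1
  echo "aws ssm start-session --profile $profile --region $region" \
       "--target $instance" \
       "--document-name AWS-StartPortForwardingSessionToRemoteHost" \
       "--parameters host=$host,portNumber=$target_port,localPortNumber=$local_port"
}

# Print the command for the "Production MySQL" tunnel from the table above.
# A second tunnel (e.g. staging) must use a different local_port, such as 3307.
# Run the printed command in a terminal, then connect with:
#   mysql -h 127.0.0.1 -P 3306 -u admin -p
if [ "${1:-}" = "--print" ]; then
  build_rds_tunnel_cmd production us-east-1 i-0abc123def456 \
    mydb.abc123xyz.us-east-1.rds.amazonaws.com 3306 3306
fi
```

Invoke it as `sh tunnel.sh --print`; the session stays open in that terminal until you press Ctrl-C, which is the CLI equivalent of toggling the tunnel Off.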

Database-Specific Examples

MySQL / MariaDB

Name: Production MySQL
Remote Host: myapp-db.abc123.us-east-1.rds.amazonaws.com
Local Port: 3306
Target Port: 3306

Connect with:

mysql -h 127.0.0.1 -P 3306 -u admin -p mydatabase

Or use MySQL Workbench:

  • Host: 127.0.0.1
  • Port: 3306
  • Username: Your RDS username

PostgreSQL

Name: Analytics PostgreSQL
Remote Host: analytics-db.xyz789.eu-west-1.rds.amazonaws.com
Local Port: 5432
Target Port: 5432

Connect with:

psql -h localhost -p 5432 -U postgres -d analytics

Or use TablePlus, DBeaver, or pgAdmin:

  • Host: localhost
  • Port: 5432

Aurora MySQL

Name: Aurora Cluster
Remote Host: my-cluster.cluster-abc123.us-west-2.rds.amazonaws.com
Local Port: 3306
Target Port: 3306

Aurora Endpoints

Use the cluster endpoint for read-write operations or the reader endpoint for read-only queries.

Aurora PostgreSQL

Name: Aurora PostgreSQL
Remote Host: aurora-pg.cluster-xyz789.us-east-1.rds.amazonaws.com
Local Port: 5432
Target Port: 5432

Multiple Database Connections

You can create multiple tunnels to access different databases simultaneously. Use different local ports to avoid conflicts:

| Database             | Local Port | Remote Port |
|----------------------|------------|-------------|
| Production MySQL     | 3306       | 3306        |
| Staging MySQL        | 3307       | 3306        |
| Analytics PostgreSQL | 5432       | 5432        |
| Reporting PostgreSQL | 5433       | 5432        |

Troubleshooting

"Connection refused" Error

Cause: The tunnel isn't active or the RDS endpoint is incorrect.

Solution:

  1. Verify the tunnel is toggled On (green indicator)
  2. Check the RDS endpoint is correct (copy from AWS Console)
  3. Confirm the port matches your database type

"Access denied" Error

Cause: Database credentials are incorrect or IAM permissions are missing.

Solution:

  1. Verify your database username and password
  2. Ask your DBA to confirm your user has access from the bastion host IP
  3. Check RDS security group allows connections from the EC2 instance

"Host not found" Error

Cause: The EC2 instance cannot reach the RDS endpoint.

Solution:

  1. Verify the EC2 instance is in the same VPC as RDS
  2. Check security groups allow traffic on the database port
  3. Confirm VPC routing allows private subnet communication

Timeout Errors

Cause: Network connectivity issues or security group blocks.

Solution:

  1. Ask your AWS admin to verify:
    • RDS security group inbound rules
    • EC2 security group outbound rules
    • VPC routing tables
    • Network ACLs

Security Best Practices

  1. Use IAM Authentication when possible for RDS
  2. Limit bastion access - Only grant SSM permissions to users who need database access
  3. Rotate credentials regularly
  4. Use separate profiles for production and non-production environments
  5. Close tunnels when not in use
