Direct access a database in a private subnet without SSH tunnel - amazon-web-services

I have a database set up (use RDS) in a private subnet, and a bastion is set up in front of it in a public subnet. The traditional way to access this database from local laptops is to set up an ssh tunnel on that bastion/jumpbox and map the database port to local. But this is not convenient to development because we need to set up that tunnel everytime before we want to connect. I am looking for a way to access this database without setting up an ssh tunnel first. I have seen a case where the local laptop directly uses that bastion's ip and its 3306 port to connect to the database behind. I have no idea how it is done.
BTW, in that case I saw, they don't use port forwarding because I didn't find any special rules in the bastion's iptable.

There are several ways to accomplish what you are trying to do, but without understanding the motivation fully it is hard to say which is the "Best Solution".
SSH Tunneling is the defacto standard of accessing a resource in a private subnet behind a public bastion host. I will agree that SSH Tunnels are not very convenient, fortunately, some ide's and many apps are available to make this as easy as a click of a button once configured.
Alternatively, you can set up a client to site VPN to your EC2 environment which would also provide access to the private subnet.
I would caution anything you do which proxies or exposes the DB cluster to the outside world in a naked way such as using IP tables, Nginx, etc. should be avoided. If your goal is this, then the correct solution is to just make the DB instance publicly exposed. But be aware any of these solutions which do not make use of tunneling in (such as VPN or SSH Tunnel) would be an auditory finding, and open your database to various attack vectors. To mitigate it would be recommended that your security groups should restrict port 3306 to the public IP's of your corporate network.

Related

connect local environment to CloudSQL with private IP

I have hosted my application in a CloudRun Container and connected it to CloudSQL.
Everything is in a VPC Network and is running smoothly. Now I would like to modify data in production from a Database tool like DataGrid. Therefore I need to connect my local environment to my VPC-Network. I did this through a Cloud VPN Tunnel. Now I would like to connect to the SQL instance.
Here I got stuck and I'm wondering how I can establish the connection.
It would be great if someone would know how I can solve this issue. Thanks!
My preferred solution is to use the public IP BUT without whitelisting any network. In fact, it's like if y ou have a public IP and all the connexion are forbidden.
The solution here is to use Cloud SQL proxy and to open a tunnel from your computer to the Cloud SQL database (that you reach on the public IP, but the tunnel is secured); It's exactly like a VPN connexion: a secure tunnel.
You can do this
Download Cloud SQL prowy
Launch it
./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306
Connect your SQL client on localhost:3306
If the port 3306 is already in use, feel free to use another one
If you prefer the private IP only (sometime, it's security team requirement), I wrote an article on this.
If you use a VPN (and you are connected to Cloud VPN) take care to open the correct route and firewalls in both way (in and out)

how does bastion know which rds instance to connect to in AWS

I am trying to set up a bastion host in AWS in order to perform administrative options on an RDS instance in a private subnet. I am following the instructions from the official documentation (https://docs.aws.amazon.com/quickstart/latest/linux-bastion/step1.html), but there it is not clear how the bastion will know which RDS instance to connect to. How would I make sure that it can 'talk to' my intended RDS? (as far as I understand, the key pair is just something I can create anytime and enter to connect to the bastion itself, but not the RDS, or am I wrong?)
The documentation you linked uses an AWS CloudFormation stack to deploy the Bastion. I'm not sure exactly what configuration it is using, so my answer will be generic, rather than applying to this specific situation.
The normal configuration is:
A database in a private subnet
A Bastion server (EC2 instance) in a public subnet
A connection is made to the Bastion, which then allows an on-connection to the database
There are a number of ways of connecting to the database through the Bastion. Here's one that I use:
ssh -i key.pem ec2-user#BASTION-IP -L 3306:DATABASE-DNS-NAME:3306
This tells the SSH connection to forward any traffic sent to my local port 3306 (the first number), through the SSH connection, but then send it to DATABASE-DNS-NAME:3306 (the database server). Any response from the database will come back the same way.
Then, when I wish to refer to the database from my computer, I reference:
localhost:3306
It appears that the database is on my own computer, but the traffic is actually sent across SSH to the Bastion, then onto the database.
There are newer and better ways of doing this forwarding that other people might (hopefully) add as a comment or another answer, but this is the way I make my connections through a Bastion.
Fun fact: A Bastion is the bit of a castle wall that sticks out, allowing defenders to shoot arrows at attackers attempting to climb the wall. In a similar way, the Bastion Server sticks out into the Internet, beyond the protected part of the network.

How safe is to use public subnet?

I have a EC2 machine in public Subnet, In Security group I have only opened 22 port for my public static IP. How safe is it?
As per your comment
if i keep open security group for certain IPs, I am quite unsure
whether it is safe or not because there are multiple Hops b/w that IPs
and AWS IPs(packet data travels through it). am i correct ? and that
application can be accessible from that Hops?
It is absolutely safe to use the ssh port unless there is a vulnerability found in the future in the ssh protocol itself.
Firstly, you are restricting the access only from a static IP so no one else should be able to initiate the ssh session from any other machine.
Secondly, if you have protected your ssh private key and it is not shared then anyone else from the same static IP wouldn't be able to start an ssh connection.
Thirdly, ssh connection creates a secure encrypted data pipe between the client and servers, so even if someone tries to sniff the packets as it passes through different hops, it is hard to make any sense as all the data is encrypted.
Considering all of the above, in my opinion it is quite safe.

How does Bastion improve security of an EC2/EMR?

To connect to a remote machine, my public key needs to be added to its authorized_keys. By that logic, the public key for bastion would have an entry in authorized_keys of an EC2. Doesn't that mean if someone gets access to my bastion they will automatically have access to my EC2 provided they have the right host and user? How did Bastion then enhance the security of my EC2? Wouldn't it be equally difficult for a hacker to get his public key added to either the Bastion or EC2?
You are quite correct. It is not a good idea to store keys on a Bastion host.
The purpose of a Bastion is to be the part of your architecture that "sticks out" onto the Internet, with the other resources hidden behind the "wall".
In fact, the Bastion name refers to "a projecting part of a fortification built at an angle to the line of a wall, so as to allow defensive fire in several directions.".
Just as a castle has a defensive bastion, you should also be defensive with your bastion by not storing keys on it.
Instead, you can use Agent Forwarding. This allows you to SSH to the bastion, then use the same keypair to login to another computer without having to store the keypair on the bastion.
There's plenty of information online to explain Agent Forwarding, such as: How to use SSH properly and what is SSH Agent Forwarding - DEV Community

Multiple server applications, one public IP on Amazon EC2

I have a single Windows Amazon EC2 instance and one public IP. The instance is running multiple web server EXEs which all sit on port 80. I want to have different domain names which I want to point to each server. On my old dedicated server I achieved this simply by having different public IPs, but with Amazon EC2 I want to keep to just one public IP.
I am not using IIS, Apache, etc. otherwise life would be a lot simpler (I would simply bind hostnames accordingly). The web server executables perform unusual "utility" tasks as part of a range of other websites, but still need to be hosted on port 80. There is no configuration other than address to bind to and port #.
I have setup several private IPs and bound each server application to those private IPs. Is it possible to leverage some of the Amazon networking products to direct the traffic to the correct private IP? e.g. I have tried setting up a private-DNS using Amazon Route53, and internally at least this seems to point to the correct servers - but not (perhaps logically) when I try to access the site externally.
In absence of any other solutions I decided to solve this using the blunt hammer approach and use a reverse proxy. Downside is my servers now only see the user IPs as 127.0.0.1 which was less than ideal, but better than nothing at all.
For my reverse proxy I used Redbird (uses node.js) but Nginx may also be an option. Both are free / open source.