Client VPN won't connect to RDS

I’m trying to set up AWS Client VPN to access my RDS through my SQL client without leaving my instance open to the public.

So far I’ve followed this guide https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html and I’m able to connect to the VPN using the OpenVPN command line tool on Ubuntu. My connection shows up as active in the Client VPN Connections tab.

But I’m not able to connect to the actual RDS instance in my SQL client.

I’ve set the security group on RDS to allow connections from the VPN security group on port 3306.

I’ve also authorized all users with the Destination CIDR set to my VPC CIDR in Client VPN.

The RDS instance was originally created as ‘Publicly Accessible’ if that matters.

Is there anything else I’m missing here?

EDIT

I resolved this, thanks for the responses!

Turns out I had to disable ‘Publicly Accessible’ on the RDS instance, I guess this was preventing it from using the private IP.

Do you get a time out or a rejection? Did you create the client subnet routes in the route table? Is there a VPC endpoint for the RDS instance too? If you create an EC2 instance in the VPC do you have connection to RDS?

My guess is that it’s a routing issue - I’ve encountered this type of problem many times before when working with VPNs.

Are you sure that the traffic from your client machine is actually being routed via the VPN (that includes the DNS lookup)? That would be problem number 1…

What I mean is that when your client tries to connect to *****.us-east-1.rds.amazonaws.com it’s most likely going to look up the public IP address and try to connect to it via the open internet. You need to ensure that it’s connecting via the private IP address within the VPN.

If you try to ping the address, does it resolve to an address within the VPN or an address on the internet (or nothing)?

Try using the private IP address - or force all traffic on your client machine (including DNS lookup) to go via the OpenVPN connection. Not sure how to do that on Ubuntu.

Hmmm, it’s probably because your requests are going to the public DNS/IP and not to the private DNS/IP of the RDS.

You can set up the AWS Client VPN to use the VPC DNS servers, this will allow you to resolve internal DNS (e.g.: EC2 private DNS, etc). The VPC DNS server is the third IP address of your VPC (e.g.: if your VPC is 10.0.0.0/16, the DNS server will be 10.0.0.2).

"When using AmazonProvidedDNS (or the Route 53 Resolver inbound endpoint) as the Client VPN DNS server:

The Amazon Relational Database Service (Amazon RDS) public hostnames and AWS service endpoint names that are accessible from the VPC interface endpoint (with “Private DNS” enabled) resolve to a private IP address.
Note: Be sure that “DNS Resolution” and “DNS Hostnames” are enabled for the associated VPC."
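As an added example (not code from anyone in this thread), here is a small Python check for the DNS problem the two replies above describe: it resolves the RDS hostname, tells you whether the answer falls inside the VPC CIDR (i.e. whether the connection will actually travel over the VPN), and derives the AmazonProvidedDNS address (VPC base address + 2) you would configure on the Client VPN endpoint. The hostname and VPC CIDR are placeholders you replace with your own; the resolver is injectable so the offline demo uses constructed answers.

```python
# Added example, not from the thread: is the RDS hostname resolving to a VPC address?
import ipaddress
import socket
from typing import Callable, Dict, Optional


def vpc_dns_server(vpc_cidr: str) -> str:
    """AmazonProvidedDNS listens at the VPC network address plus two (10.0.0.0/16 -> 10.0.0.2)."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def in_vpc(ip: str, vpc_cidr: str) -> bool:
    """True when the address lies inside the VPC CIDR the Client VPN route points at."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vpc_cidr, strict=True)


def diagnose(hostname: str, vpc_cidr: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Resolve the RDS endpoint and say whether traffic will stay on the VPN.

    resolve defaults to the OS resolver; pass a stub to test without network access.
    """
    try:
        ip = resolve(hostname)
    except OSError:  # socket.gaierror is an OSError subclass
        return {"resolved": None, "in_vpc": False,
                "verdict": "hostname did not resolve: the VPN client is not using a DNS server that knows the VPC"}
    if in_vpc(ip, vpc_cidr):
        verdict = ("private address inside the VPC: traffic goes over the VPN; "
                   "if it still times out, check security groups and the Client VPN route table")
    else:
        verdict = ("address outside the VPC: the client is bypassing the VPN; set the Client VPN "
                   f"DNS server to {vpc_dns_server(vpc_cidr)} or connect to the private IP directly")
    return {"resolved": ip, "in_vpc": in_vpc(ip, vpc_cidr), "verdict": verdict}


if __name__ == "__main__":
    # Constructed placeholders: substitute your own endpoint and VPC CIDR.
    VPC_CIDR = "10.0.0.0/16"
    RDS_HOST = "PLACEHOLDER-db.us-east-1.rds.amazonaws.com"
    print("Client VPN DNS server should be:", vpc_dns_server(VPC_CIDR))
    print(diagnose(RDS_HOST, VPC_CIDR))
```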

I was having the same issue on Redshift. Turned out I had to disable the Publicly accessible option like you mentioned. Life saver.

  • Timeout
  • Only have the default entry (destination CIDR set to the VPC CIDR) in the route table - do I need a route to the RDS endpoint or something?
  • Don’t think so, I only have *****.us-east-1.rds.amazonaws.com endpoint for the RDS instance
  • Yes I have my web app running in the same VPC and it can connect.

Thanks for the help!

If it times out, most likely the issue is security groups. Check that the client’s subnet is included, and the IP of the VPN server too.

This is likely the issue.