Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Scenarios for Accessing a DB Instance in a VPC

Amazon RDS supports the following scenarios for accessing a DB instance in a VPC:

A DB Instance in a VPC Accessed by an EC2 Instance in the Same VPC

A common use of an RDS instance in a VPC is to share data with an application server that is running in an EC2 instance in the same VPC. This is the user scenario created if you use AWS Elastic Beanstalk to create an EC2 instance and a DB instance in the same VPC.

The following diagram shows this scenario.

[Diagram: VPC and EC2 security group scenario]

The simplest way to manage access between EC2 instances and DB instances in the same VPC is to do the following:

  • Create a VPC security group for your DB instances. Use this security group to restrict access to the DB instances. For example, you can add a custom rule to it that allows TCP access on the port you assigned to the DB instance when you created it, from the single IP address (a /32) you use to reach the DB instance for development or other purposes.

  • Create a VPC security group for your EC2 instances (web servers and clients). If needed, this security group can allow access to the EC2 instances from the Internet, provided the subnet's route table has a route to an Internet gateway. For example, you can set rules on this security group that allow TCP access to the EC2 instance over port 22 from your administrative address range.

  • Add custom rules to the security group for your DB instances that allow connections on the DB port from the security group you created for your EC2 instances. Any instance that has the EC2 security group attached can then reach the DB instances on that port. Because the source is a group rather than an address, the rule keeps working as EC2 instances are added, replaced, or change IP addresses.

For a tutorial that shows you how to create a VPC with both public and private subnets for this scenario, see Tutorial: Create an Amazon VPC for Use with an Amazon RDS DB Instance.

To create a rule in a VPC security group that allows connections from another security group, do the following:

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.

  2. In the navigation pane, choose Security Groups.

  3. Select or create the security group that you want to allow access to members of another security group. In the scenario above, this is the security group you will use for your DB instances. Choose Add Rule.

  4. From Type, choose All ICMP. In the Source box, start typing the ID of the security group; this displays a list of matching security groups. Select the security group whose members you want to have access to the resources protected by this security group. In the scenario above, this is the security group you will use for your EC2 instances.

  5. Repeat the steps for the TCP protocol by creating a rule with All TCP as the Type and your security group in the Source box. If you intend to use the UDP protocol, create a rule with All UDP as the Type and your security group in the Source box. Note that these rules open every port of each protocol to the source security group, which is wider than a DB instance needs: if the only traffic between the two groups is database connections, skip steps 4 and 5 and create only the port-specific rule in step 6.

  6. Create a custom TCP rule that permits access via the port you used when you created your DB instance, such as port 3306 for MySQL. Enter your security group, or a single IP address in CIDR notation (for example, 203.0.113.25/32), in the Source box. Prefer the security group as the source; an address-based rule should be a /32 so that it admits exactly one host.

  7. Choose Save when you are done.

[Diagram: adding a security group to another security group's rules]
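As an added example (not code from the Amazon RDS guide), the following Python builds the port-specific rule from step 6 in the IpPermissions shape that the EC2 API's authorize_security_group_ingress call accepts, and audits a security group's inbound rules for anything wider than "the DB port, from a security group or a single host". The security group IDs are assumed, and the sample rule set is constructed to reflect what steps 4 to 6 produce when followed literally. It runs offline and makes no AWS call.

```python
"""Least-privilege ingress for the same-VPC scenario, plus an audit of rules
that are wider than the DB instance needs. Constructed example: the security
group IDs and the sample rules are assumptions, not values from the RDS guide."""
import ipaddress

DB_SG = "sg-0db000000000000a1"    # assumed: security group for the DB instances
APP_SG = "sg-0app00000000000b2"   # assumed: security group for the EC2 instances
DB_PORT = 3306                    # MySQL, as in the page


def db_ingress_from_sg(source_sg, port=DB_PORT):
    """The rule step 6 asks for: one TCP port, source identified by a security
    group. This is the IpPermissions entry authorize_security_group_ingress
    takes; it is only built here, not sent."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
        "IpRanges": [],
    }


def _sources(perm):
    """Every source of a permission: referenced security groups and IPv4
    CIDRs. (IPv6 sources, listed under Ipv6Ranges, are not handled here.)"""
    return ([p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            + [r["CidrIp"] for r in perm.get("IpRanges", [])])


def audit_db_ingress(permissions, db_port=DB_PORT):
    """Return (source, reason) for every inbound rule wider than 'TCP db_port
    from a security group or from a single /32'. Empty list: least privilege."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        for src in _sources(perm):
            if proto == "-1":
                findings.append((src, "all traffic (every protocol and port)"))
            elif proto != "tcp":
                findings.append((src, f"{proto} is not database traffic"))
            elif (lo, hi) != (db_port, db_port):
                findings.append((src, f"tcp ports {lo}-{hi} wider than {db_port}"))
            elif src.startswith("sg-"):
                pass  # security-group-scoped rule on the DB port: what we want
            elif ipaddress.ip_network(src, strict=False).num_addresses > 1:
                what = "the whole Internet" if src == "0.0.0.0/0" else "more than one host"
                findings.append((src, f"cidr {src} covers {what}"))
    return findings


# Constructed sample: the DB security group's inbound rules after following
# steps 4 to 6 literally (All ICMP, All TCP, All UDP, then the 3306 rule).
DB_SG_RULES_AS_CLICKED = [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "UserIdGroupPairs": [{"GroupId": APP_SG}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": APP_SG}], "IpRanges": []},
    {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": APP_SG}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": APP_SG}],
     "IpRanges": [{"CidrIp": "203.0.113.25/32"}]},
]

if __name__ == "__main__":
    for src, reason in audit_db_ingress(DB_SG_RULES_AS_CLICKED):
        print(f"{DB_SG}: {src}: {reason}")
    print("step 6 only:", audit_db_ingress([db_ingress_from_sg(APP_SG)]))
```

Run against the constructed rule set, the audit reports the three protocol-wide rules from steps 4 and 5 and accepts both step 6 rules; run against the single rule that db_ingress_from_sg builds, it reports nothing. The same function can be pointed at real describe_security_groups output, since that is the structure it parses.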

A DB Instance in a VPC Accessed by an EC2 Instance in a Different VPC

When your DB instance is in a different VPC from the EC2 instance you are using to access it, there are several ways to access the DB instance. If the DB instance and EC2 instance are in different VPCs but in the same region, you can use VPC peering. If the DB instance and the EC2 instance are in different regions, you must use the public IP of the DB instance to access it.

The following diagram shows this scenario.

[Diagram: A DB Instance in a VPC Accessed by an EC2 Instance in a Different VPC]

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account, within a single region. The two VPCs must not have overlapping CIDR blocks, and each VPC's route table needs a route to the other VPC's CIDR block through the peering connection; peering is not transitive, so a third VPC peered with one of them gets no path to the other. The DB instance's security group still applies and must allow the DB port from the EC2 instance's address range in the peer VPC. To learn more about VPC peering, see the VPC documentation.

Use the public IP of the DB instance when you need to connect to a DB instance that is in a different VPC and region from your EC2 instance. The DB instance must be publicly accessible, must be in a public subnet, and that subnet's route table must have a route to an Internet gateway. Because the DB instance is then reachable from the Internet, restrict its security group to the EC2 instance's public (Elastic) IP address as a /32 rather than a wider range. Amazon RDS automatically creates a public subnet for your DB instance when you set the VPC option to Create new VPC and the Publicly Accessible option to Yes when you create the DB instance.
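As an added example (not from the RDS guide), this Python checks the prerequisites a peered path has to meet before the security group even matters: non-overlapping CIDR blocks, and a route to the peer's CIDR through the peering connection in both VPCs' route tables, resolved with longest-prefix matching the way a VPC route table resolves a destination. The VPC, gateway and peering connection identifiers and the route tables are assumed; it runs offline.

```python
"""Prerequisite checks for reaching a DB instance across a VPC peering
connection. Constructed example: the VPC CIDRs, route tables and identifiers
are assumptions, not values from the RDS guide."""
import ipaddress

PCX = "pcx-0123456789abcdef0"           # assumed peering connection ID
APP_VPC = {                              # the EC2 instance lives here
    "id": "vpc-app",
    "cidr": "10.0.0.0/16",
    "routes": [("10.0.0.0/16", "local"),
               ("0.0.0.0/0", "igw-0123456789abcdef0"),
               ("10.1.0.0/16", PCX)],
}
DB_VPC = {                               # the DB instance lives here
    "id": "vpc-db",
    "cidr": "10.1.0.0/16",
    "routes": [("10.1.0.0/16", "local"),
               ("10.0.0.0/16", PCX)],
}


def route_target(routes, dst_ip):
    """Target of the most specific route matching dst_ip (longest prefix wins,
    as in a VPC route table); None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in routes:
        net = ipaddress.ip_network(dest, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def peering_path_problems(src_vpc, src_ip, dst_vpc, dst_ip, pcx=PCX):
    """Reasons src_ip (in src_vpc) cannot reach dst_ip (in dst_vpc) over the
    peering connection pcx. Empty list: the network path exists; the DB
    security group must then still allow the DB port from src_ip's range."""
    problems = []
    src_net = ipaddress.ip_network(src_vpc["cidr"])
    dst_net = ipaddress.ip_network(dst_vpc["cidr"])
    if src_net.overlaps(dst_net):
        problems.append(f"CIDR blocks {src_net} and {dst_net} overlap; "
                        "VPCs with overlapping blocks cannot be peered")
    if ipaddress.ip_address(src_ip) not in src_net:
        problems.append(f"{src_ip} is not inside {src_vpc['id']} ({src_net})")
    if ipaddress.ip_address(dst_ip) not in dst_net:
        problems.append(f"{dst_ip} is not inside {dst_vpc['id']} ({dst_net})")
    # Both directions need a route: the request out and the reply back.
    forward = route_target(src_vpc["routes"], dst_ip)
    if forward != pcx:
        problems.append(f"{src_vpc['id']}: traffic to {dst_ip} is routed to "
                        f"{forward}, not {pcx}")
    back = route_target(dst_vpc["routes"], src_ip)
    if back != pcx:
        problems.append(f"{dst_vpc['id']}: replies to {src_ip} are routed to "
                        f"{back}, not {pcx}")
    return problems


if __name__ == "__main__":
    print("good:", peering_path_problems(APP_VPC, "10.0.1.10", DB_VPC, "10.1.2.20"))
    # Common mistake: the route was added in only one of the two VPCs.
    half = dict(DB_VPC, routes=[("10.1.0.0/16", "local")])
    print("one-way:", peering_path_problems(APP_VPC, "10.0.1.10", half, "10.1.2.20"))
    # Overlapping blocks: the peering connection could not even be created.
    clash = dict(DB_VPC, cidr="10.0.0.0/16", routes=[("10.0.0.0/16", "local")])
    print("overlap:", peering_path_problems(APP_VPC, "10.0.1.10", clash, "10.0.2.20"))
```

The one-way case is the usual cause of "the peering connection is active but the DB instance times out": the request leaves through the peering connection, but the DB VPC's route table sends the reply nowhere. The overlap case shows why the local route always wins; with identical blocks, the longest match for the peer's address is the VPC's own local route, so no route through the peering connection can ever be selected.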

You can communicate between an Amazon RDS DB instance that is in a VPC and an EC2 instance that is not in an Amazon VPC by using ClassicLink. When you use ClassicLink, an application on the EC2 instance can connect to the DB instance by using the RDS endpoint for the DB instance. ClassicLink is available at no charge.

The following diagram shows this scenario.

[Diagram: A DB Instance in a VPC Accessed by an EC2 Instance Not in a VPC]

Using ClassicLink, you can connect an EC2 instance to a DB instance in a logically isolated VPC, where you define the IP address range and control the network access control lists (ACLs) that govern traffic. You don't have to use public IP addresses or tunneling to communicate with the DB instance in the VPC. This arrangement provides higher throughput and lower latency for inter-instance communication than a path over the public Internet.

Note

The DB instance must be in a private subnet that is not open to the public (that is, it cannot be set to publicly accessible).

To enable ClassicLink between a DB instance in a VPC and an EC2 instance not in a VPC

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc.

  2. In the navigation pane, choose Your VPCs.

  3. For VPC, choose the VPC used by the DB instance.

  4. For Actions menu, choose Enable ClassicLink. In the confirmation dialog box, choose Yes, Enable.

  5. On the EC2 console, select the EC2 instance you want to connect to the DB instance in the VPC.

  6. For Actions menu, choose ClassicLink, and then choose Link to VPC.

  7. On the Link to VPC page, choose the security group you want to use, and then choose Link to VPC.

A DB Instance in a VPC Accessed by a Client Application Through the Internet

To access a DB instance in a VPC from a client application through the internet, you configure a VPC with a single public subnet, and an Internet gateway to enable communication over the Internet.

The following diagram shows this scenario.

[Diagram: A DB Instance in a VPC Accessed by a Client Application Through the Internet]

We recommend the following configuration:

  • A VPC of size /16 (for example CIDR: 10.0.0.0/16). This size provides 65,536 private IP addresses.

  • A subnet of size /24 (for example CIDR: 10.0.0.0/24). This size provides 256 private IP addresses, of which 251 are assignable: AWS reserves the first four addresses and the last address of every subnet.

  • An Internet gateway which connects the VPC to the Internet and to other AWS products.

  • An instance with a private IP address in the subnet range (for example: 10.0.0.6), which enables the instance to communicate with other instances in the VPC, and an Elastic IP address (for example: 198.51.100.2), which enables the instance to be reached from the Internet.

  • A route table entry that enables instances in the subnet to communicate with other instances in the VPC (the local route for the VPC's CIDR block), and a route table entry that enables instances in the subnet to communicate directly over the Internet (a route for 0.0.0.0/0 whose target is the Internet gateway).

For more information, see scenario 1 in the VPC documentation.
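As an added example (not from the RDS guide), the following Python validates the layout recommended above: that the subnet lies inside the VPC, that the route table carries the local route and a 0.0.0.0/0 route to an Internet gateway (which is what makes the subnet public), that the instance's private address is inside the subnet and is not one of the five addresses AWS reserves, and that the Elastic IP is not an address from the VPC block. The route tables and the gateway ID are assumed; the CIDRs and addresses are the page's own. It runs offline.

```python
"""Sanity checks for the single-public-subnet layout. Constructed example:
the route tables and the gateway ID are assumptions, not values from the
RDS guide; the CIDRs and addresses are the ones the guide recommends."""
import ipaddress

IGW = "igw-0123456789abcdef0"                       # assumed Internet gateway ID
PUBLIC_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", IGW)]
PRIVATE_ROUTES = [("10.0.0.0/16", "local")]         # no route to the Internet


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps in every subnet: the network address, the
    VPC router (+1), the DNS server (+2), one held for future use (+3), and
    the broadcast address (last). None of them can be assigned to an instance."""
    net = ipaddress.ip_network(subnet_cidr)
    return {net[0], net[1], net[2], net[3], net[-1]}


def usable_addresses(subnet_cidr):
    """Assignable addresses in the subnet (a /24 gives 251, not 256)."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def is_public_subnet(routes):
    """A subnet is public when its route table sends 0.0.0.0/0 to an Internet
    gateway; with no default route, or one that points elsewhere, it is private."""
    return any(dest == "0.0.0.0/0" and target.startswith("igw-")
               for dest, target in routes)


def layout_problems(vpc_cidr, subnet_cidr, routes, private_ip, elastic_ip):
    """Everything that would stop an instance in this layout from being reached
    from the Internet on its Elastic IP. Empty list: the layout is sound."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not inside VPC {vpc}")
    if not any(dest == str(vpc) and target == "local" for dest, target in routes):
        problems.append("route table lacks the local route for the VPC CIDR")
    if not is_public_subnet(routes):
        problems.append("route table has no 0.0.0.0/0 route to an Internet "
                        "gateway; the subnet is private")
    ip = ipaddress.ip_address(private_ip)
    if ip not in subnet:
        problems.append(f"private address {ip} is outside subnet {subnet}")
    elif ip in reserved_addresses(subnet_cidr):
        problems.append(f"private address {ip} is one of the addresses AWS reserves")
    eip = ipaddress.ip_address(elastic_ip)
    if eip in vpc:
        problems.append(f"Elastic IP {eip} lies inside the VPC block; "
                        "it must be a public address")
    return problems


if __name__ == "__main__":
    # The page's own values: VPC 10.0.0.0/16, subnet 10.0.0.0/24,
    # private address 10.0.0.6, Elastic IP 198.51.100.2.
    print(layout_problems("10.0.0.0/16", "10.0.0.0/24", PUBLIC_ROUTES,
                          "10.0.0.6", "198.51.100.2"))
    # Same layout with a private route table and a reserved address.
    print(layout_problems("10.0.0.0/16", "10.0.0.0/24", PRIVATE_ROUTES,
                          "10.0.0.2", "198.51.100.2"))
```

The reserved-address check is the one people trip over when hand-assigning addresses: 10.0.0.2 in the example subnet is the VPC DNS server, not a free host address. The public-subnet test is also the check to run in the opposite direction, to confirm that a DB instance meant to stay private is not sitting in a subnet whose route table has an Internet gateway route.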

A DB Instance Not in a VPC Accessed by an EC2 Instance in a VPC

In the case where you have an EC2 instance in a VPC and an RDS DB instance not in a VPC, you can connect them over the public Internet.

The following diagram shows this scenario.

[Diagram: A DB Instance not in a VPC Accessed by an EC2 Instance in a VPC]

Note

ClassicLink, as described in A DB Instance in a VPC Accessed by an EC2 Instance Not in a VPC, is not available for this scenario.

To connect your DB instance and your EC2 instance over the public Internet, do the following:

  • Ensure that the EC2 instance is in a public subnet in the VPC.

  • Ensure that the RDS DB instance was marked as publicly accessible.

  • Network ACLs: a network ACL acts as a firewall for the whole subnet, so every instance in that subnet is subject to its rules. The default network ACL allows all inbound and outbound traffic, so you generally don't need to change it unless you want to add rules as an extra layer of security (a custom network ACL you create denies all traffic until you add rules). A security group, on the other hand, is associated with individual instances and allows nothing inbound by default, so its rules must explicitly permit the database traffic.

  • Add the necessary ingress rules to the DB security group for the RDS DB instance.

    An ingress rule specifies a network port and a CIDR/IP range. For example, you can add an ingress rule that allows port 3306 to connect to a MySQL RDS DB instance, and a CIDR/IP range of 203.0.113.25/32. For more information, see Authorizing Network Access to a DB Security Group from an IP Range.

Note

If you are interested in moving an existing DB instance into a VPC, you can use the AWS Management Console to do it easily. For more information, see Moving a DB Instance Not in a VPC into a VPC.

A DB Instance Not in a VPC Accessed by an EC2 Instance Not in a VPC

When neither your DB instance nor an application on an EC2 instance are in a VPC, you can access the DB instance by using its endpoint and port.

The following diagram shows this scenario.

[Diagram: A DB Instance Not in a VPC Accessed by an EC2 Instance Not in a VPC]

You must create a DB security group for the instance that permits access on the port you specified when creating the instance, from the address range of the EC2 instance. The application then connects to the DB instance's endpoint and port. For example, you could use a connection string similar to this one, used with sqlplus to access an Oracle DB instance:

PROMPT>sqlplus 'mydbusr@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<endpoint>) (PORT=<port number>))(CONNECT_DATA=(SID=<database name>)))'

For more information, see the following documentation.

Note

If you are interested in moving an existing DB instance into a VPC, you can use the AWS Management Console to do it easily. For more information, see Moving a DB Instance Not in a VPC into a VPC.

A DB Instance Not in a VPC Accessed by a Client Application Through the Internet

New Amazon RDS customers can only create a DB instance in a VPC. However, you might need to connect to an existing Amazon RDS DB instance that is not in a VPC from a client application through the Internet.

The following diagram shows this scenario.

[Diagram: A DB Instance not in a VPC Accessed by a Client Application via the Internet]

In this scenario, you must ensure that the DB security group for the RDS DB instance includes the necessary ingress rules for your client application to connect. An ingress rule specifies a network port and a CIDR/IP range. For example, you can add an ingress rule that allows port 3306 to connect to a MySQL RDS DB instance, and a CIDR/IP range of 203.0.113.25/32. For more information, see Authorizing Network Access to a DB Security Group from an IP Range.

Caution

If you intend to access a DB instance behind a firewall, talk with your network administrator to determine the IP addresses you should use.

Note

If you are interested in moving an existing DB instance into a VPC, you can use the AWS Management Console to do it easily. For more information, see Moving a DB Instance Not in a VPC into a VPC.