
To elaborate, I have an AWS EC2 instance running a SoftEther VPN server, an AWS RDS instance, and clients on the VPN.

What I need to be able to do is have my RDS instance(s) connect through the VPN to the clients and pull some subsets of our data. I've been looking around and it seems that I can have my RDS instance access information through a VPN; however, it looks like all the documentation is in regards to a hardware based VPN. I found very little in the AWS Docs about a software based VPN.

My biggest question is: is it possible to do this kind of configuration in AWS (using a software VPN instead of a hardware VPN)? If so, can you provide some kind of documentation on how to do so?

Much appreciation in advance!

  • What do you mean by "have my RDS instance(s) connect through the VPN to the clients"? What does it mean. – ALex_hha Oct 17 '17 at 20:16
  • Our setup is a little weird, but we have our main database (the one that we want to move to RDS) using dblink to aggregate information about other databases (clients) so we can have everything on the main database. We can't remove the functions to connect and aggregate the data because it's supporting a legacy setup. We just had a big scare where the DB server went down and the most recent backup was more than a week old. – Austin Kregel Oct 17 '17 at 20:31
  • My best guess based on a little experience with AWS VPN is that if a VPN is set up, and the routing is set up correctly, all requests including those from RDS will use that VPN. What I'm not sure about is if RDS includes the features you need to connect to other databases. – Tim Oct 17 '17 at 20:56

1 Answer


If you just want machines at the other end of the VPN to connect to RDS, you can do it -- you just need to NAT the connections to RDS to the IP address of the EC2 instance acting as the VPN endpoint, so RDS knows where to send the return packets.

However, if you want RDS to be actively soliciting to endpoints over the VPN, you're going to have a tricky time. You can't influence RDS to route over the VPN through your EC2 instance (VPC routing tables are terrible), so RDS won't be able to connect. You could fudge it with DNAT rules on the EC2 instance, though, if you were feeling adventurous, and just tell RDS to talk to the EC2 instance, and have it forward the traffic through the VPN.

BTW, if you haven't rummaged around in RDS yet, don't assume that you can do whatever you're trying to do. A lot of the more esoteric features of the various RDS-supported database engines aren't available in RDS, so you might not be able to do whatever it is that you want to do. You may have to jury-rig up something involving EC2 instances to pump data around.

(We don't "provide documentation" here, BTW; you're expected to know how to use a search engine)

womble
  • What about if it's an AWS VPN, with a customer and virtual private gateway - is that more likely to work easily? – Tim Oct 17 '17 at 23:37
  • Are you thinking of Direct Connect? If so you will have more options due to BGP, but you will not be able to set up your RDS to do outbound calling. Start looking at configuring your own MySQL (replace with your DB) on an EC2 instance. Then you can use a LAN-to-LAN setup with OpenSwan or Windows Server. – John Hanley Oct 17 '17 at 23:54
  • *"You can't influence RDS to route over the VPN through your EC2 instance (VPC routing tables are terrible)"* **This simply isn't correct.** I have a full-mesh of cross-region tunnels built from EC2 instances with OpenVPN and have no such problem with accessing RDS cross-region with native source and destination addresses, and no NAT whatsoever. With source/dest check disabled on the VPN instance, you create a route in the RDS subnet's routing table for the destination subnet pointing to the instance ID or ENI of the VPN instance... and it just works. – Michael - sqlbot Oct 18 '17 at 01:08
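The three options discussed above (SNAT for clients connecting in to RDS, the DNAT "fudge" for RDS connecting out, and the plain route-table approach from Michael's comment), written out as an added example. This is not code from the original answer or comments and not anyone's production configuration. All names and addresses are assumptions: `eth0` is the VPC-side interface of the SoftEther EC2 instance at private IP 10.0.1.5, `tap_vpn` is a SoftEther local-bridge tap interface facing the VPN clients, 10.0.2.0/24 is the subnet of the RDS DB subnet group, 192.168.0.0/24 is the remote client network with a client database at 192.168.0.10:5432, and the `i-`, `rtb-` and `sg-` identifiers are placeholders. Every command is printed rather than executed unless `APPLY=1` is set, so the script can be read and run safely before it touches anything.

```shell
#!/bin/sh
# Added example; not from the original page. All interface names, addresses
# and AWS resource IDs below are hypothetical and must be replaced.
#   eth0           VPC-side interface of the SoftEther EC2 instance, IP 10.0.1.5
#   tap_vpn        SoftEther local-bridge tap interface towards VPN clients
#   10.0.2.0/24    subnet(s) of the RDS DB subnet group
#   192.168.0.0/24 remote client network; 192.168.0.10:5432 a client's database
# Commands are only printed unless APPLY=1 is set.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Needed for every option: the VPN instance has to forward packets at all.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Option 1 (answer, first paragraph): VPN clients connect *to* RDS. SNAT the
# flows to the instance's own VPC address so RDS sends its replies back here.
# Args: RDS subnet CIDR, instance private IP, VPC-side interface.
snat_clients_to_rds() {
    run iptables -t nat -A POSTROUTING -o "$3" -d "$1" -j SNAT --to-source "$2"
}

# Option 2 (answer, "DNAT fudge"): RDS is told (e.g. in its dblink connection
# string) to connect to <instance IP>:<listen port>; the instance rewrites the
# destination to the remote client DB and forwards it over the VPN. MASQUERADE
# on the VPN side makes the client see the instance's VPN address as the source,
# so the reply comes back through the same conntrack entry even if the client
# has no route to the VPC.
# Args: listen port, remote DB IP, remote DB port, VPN interface, VPC-side interface.
dnat_rds_to_remote() {
    run iptables -t nat -A PREROUTING -i "$5" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$5" -o "$4" -d "$2" -p tcp --dport "$3" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$4" -d "$2" -p tcp --dport "$3" -j MASQUERADE
}

# Option 3 (Michael's comment): no NAT. Disable source/dest check on the VPN
# instance, add a route for the remote network to the route table of each
# subnet in the RDS DB subnet group (RDS has no route table of its own), and
# let the RDS security group admit the remote CIDR.
# Args: instance ID, route table ID, remote CIDR, RDS security group ID, DB port.
route_via_instance() {
    run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
    run aws ec2 create-route --route-table-id "$2" --destination-cidr-block "$3" \
        --instance-id "$1"
    run aws ec2 authorize-security-group-ingress --group-id "$4" \
        --protocol tcp --port "$5" --cidr "$3"
}

# Usage: prints the planned commands; rerun with APPLY=1 on the VPN instance
# (iptables/sysctl) or with AWS credentials (aws ec2 ...) to apply them.
enable_forwarding
snat_clients_to_rds 10.0.2.0/24 10.0.1.5 eth0
dnat_rds_to_remote 15432 192.168.0.10 5432 tap_vpn eth0
route_via_instance i-0123456789abcdef0 rtb-0123456789abcdef0 192.168.0.0/24 sg-0123456789abcdef0 5432
```

Two checks before relying on option 3: the VPN clients (or the SoftEther hub's routing) must carry a return route for the VPC CIDR back through the tunnel, otherwise replies to RDS's native source address never come back; and the route has to exist in the route table of every subnet in the DB subnet group, since a Multi-AZ failover moves the instance to another subnet.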