Connecting to AWS RDS Databases
Connect to Amazon RDS databases (MySQL, PostgreSQL, Aurora) through an EC2 bastion host using AWS Session Manager.
How It Works
- StormTunnel opens a Session Manager tunnel to an EC2 instance
- The EC2 instance forwards traffic to the RDS endpoint
- You connect to localhost as if the database were local
Prerequisites
- EC2 bastion host in the same VPC as your RDS database
- Network access from the EC2 instance to the RDS endpoint
- AWS credentials configured with SSM permissions (see AWS Configuration)
- RDS endpoint from the RDS console
Creating an RDS Tunnel
Step 1: Get Your RDS Endpoint
- Open AWS Console -> RDS
- Select your database
- Copy the Endpoint (e.g., mydb.abc123xyz.us-east-1.rds.amazonaws.com)
- Note the Port (MySQL: 3306, PostgreSQL: 5432)
Step 2: Create the Tunnel
- Click + in StormTunnel
- Select Tunnel Type: AWS Session Manager
- Configure:
| Field | Example |
|---|---|
| Name | Production MySQL |
| EC2 Instance ID | i-0abc123def456 |
| AWS Profile | production |
| AWS Region | us-east-1 |
| Local Port | 3306 |
| Remote Host | mydb.abc123xyz.us-east-1.rds.amazonaws.com |
| Target Port | 3306 |
- Click Save
Step 3: Connect
Toggle the tunnel On, then connect with your database client:
MySQL:
PostgreSQL:
Database-Specific Examples
MySQL / MariaDB
Connect via CLI or MySQL Workbench (127.0.0.1:3306).
PostgreSQL
Connect via CLI, TablePlus, DBeaver, or pgAdmin (localhost:5432).
Aurora MySQL
Remote Host: my-cluster.cluster-abc123.us-west-2.rds.amazonaws.com
Local Port: 3306
Target Port: 3306
Aurora Endpoints
Use the cluster endpoint for read-write or the reader endpoint for read-only queries.
Aurora PostgreSQL
Remote Host: aurora-pg.cluster-xyz789.us-east-1.rds.amazonaws.com
Local Port: 5432
Target Port: 5432
Multiple Database Connections
Use different local ports to tunnel to multiple databases at once:
| Database | Local Port | Remote Port |
|---|---|---|
| Production MySQL | 3306 | 3306 |
| Staging MySQL | 3307 | 3306 |
| Analytics PostgreSQL | 5432 | 5432 |
| Reporting PostgreSQL | 5433 | 5432 |
Security Best Practices
- Use IAM authentication for RDS when possible
- Limit SSM permissions to users who need database access
- Rotate database credentials regularly
- Use separate AWS profiles for production and non-production
- Close tunnels when not in use
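To make "limit SSM permissions" concrete, the following added example (not part of StormTunnel or its documentation) puts an over-broad IAM policy beside one scoped to the bastion, and audits both for broad `ssm:StartSession` grants. It assumes the tunnel uses the AWS-managed `AWS-StartPortForwardingSessionToRemoteHost` document; the account ID is a placeholder and the function and finding names are illustrative.

```python
import fnmatch

# Constructed values: 111122223333 is a placeholder account ID; the region and
# instance ID are the example values from the tunnel table above.
BASTION = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456"
# Assumption: the tunnel uses the AWS-managed remote-host port-forwarding document.
PF_DOC = "arn:aws:ssm:us-east-1::document/AWS-StartPortForwardingSessionToRemoteHost"
DOC_CHECK = "ssm:SessionDocumentAccessCheck"

# Over-broad: any Session Manager action on any instance with any document.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]}

# Scoped: port forwarding only, through the one bastion, own sessions only.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:StartSession",
     "Resource": [BASTION, PF_DOC],
     "Condition": {"BoolIfExists": {DOC_CHECK: "true"}}},
    {"Effect": "Allow", "Action": "ssm:TerminateSession",
     "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_start_session(policy):
    """Return (statement index, finding) pairs for over-broad ssm:StartSession grants."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        grants = any(fnmatch.fnmatchcase("ssm:startsession", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        resources = as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith(":instance/*") for r in resources):
            findings.append((i, "any-instance"))
        if any(r == "*" or r.endswith(":document/*") for r in resources):
            findings.append((i, "any-document"))
        # Without this condition, a caller who names no document can still get the
        # default interactive-shell session on an instance they are allowed to target.
        cond = stmt.get("Condition", {})
        if "true" not in [cond.get(op, {}).get(DOC_CHECK) for op in ("Bool", "BoolIfExists")]:
            findings.append((i, "no-document-access-check"))
    return findings


if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("SCOPED", SCOPED)):
        print(name, audit_start_session(policy))
```

The check only inspects Allow statements in a single policy document; explicit Deny statements, permission boundaries and SCPs can narrow the effective permissions further.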
Troubleshooting
See Troubleshooting for common errors including "Connection refused", "Access denied", "Host not found", and timeout issues.