Elastic Beanstalk (EB) is a Platform as a Service from AWS that allows you to easily deploy applications without having to worry about setting up the base infrastructure, such as HTTP servers or load balancers. One of the benefits of EB is that it allows us to create a database on RDS when creating a new application, making the entire deployment of an application much easier.
RDS, however, does not provide a user interface to execute SQL against a created database (unless it's been created as an Aurora Serverless Database), so how can we execute SQL commands against the database? If we were deploying our application to an EC2 instance, we could simply log onto the instance and connect directly to the database using a tool such as mysql. We can't do this with EB, but we can connect to the database from our local PC.
When creating the database from EB, we get the option of specifying whether we want the database to be publicly accessible. This is the first step to being able to connect to an RDS database. So, let’s try and connect and see what happens.
Browsing to the RDS console, we can see the connection details for all our RDS databases.
On this screen, we can see the endpoint, so let’s try connecting from the MySQL Workbench client. (Don’t try connecting to my database – I’ve deleted it for security purposes so the endpoint in this article doesn’t exist anymore).
If we enter the endpoint and username and password in MySQL Workbench, we’ll see an error indicating that a connection could not be made to the database.
So why do we get this error? Well, when we created the EB application, AWS created a VPC and added some security groups whose rules do not allow access from outside of the VPC.
From the RDS Console, we can see the Security Group Rules and can see that we have both an Inbound and Outbound set of rules.
The outbound rule is set to allow all traffic to any address; the inbound rule, however, only allows inbound traffic from within the VPC.
We can change this by editing the Inbound Rules and adding a new rule, specifying the address we will allow inbound data to originate from.
The source address can be any custom IP address; however, the My IP option is available to allow access only from your current IP address.
Note: if you have a dynamic IP address, the next time you connect to the internet your IP address may change and you won't be allowed access, but the user with your previous IP address will. Please be aware of this!
Once we’ve added a new rule, we can connect from MySQL Workbench on our local PC and execute the required SQL against the database.
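The dynamic-IP caveat above can be checked mechanically. This added example (not part of the original post) audits the inbound rules of one security group in the JSON shape returned by `aws ec2 describe-security-groups`, flagging rules wider than a single host and single-host rules that no longer match your current address. The port 3306, the group IDs and the addresses are assumptions constructed for the example.

```python
import ipaddress

DB_PORT = 3306  # assumption: MySQL default port; the post does not state the port


def audit_inbound(group, my_ip, port=DB_PORT):
    """Audit one entry of SecurityGroups[] from `aws ec2 describe-security-groups`.

    Returns (findings, my_ip_allowed); findings is a list of (cidr, reason).
    Only IPv4 CIDR rules are checked; security-group references
    (UserIdGroupPairs, i.e. traffic from inside the VPC) are left alone.
    """
    me = ipaddress.ip_address(my_ip)
    findings, allowed = [], False
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue  # rule does not cover the database port
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            allowed = allowed or me in net
            if net.prefixlen == 0:
                findings.append((rng["CidrIp"], "world-open"))
            elif net.prefixlen < 32:
                findings.append((rng["CidrIp"], "wider-than-one-host"))
            elif me not in net:
                # A /32 that is not us: likely a previous dynamic address.
                findings.append((rng["CidrIp"], "stale-host"))
    return findings, allowed


# Constructed sample: documentation-range addresses and made-up group IDs.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "My IP"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}

if __name__ == "__main__":
    # Same rule, evaluated before and after the local IP address changes.
    for ip in ("203.0.113.10", "203.0.113.77"):
        print(ip, audit_inbound(SAMPLE_GROUP, ip))
```

A `stale-host` finding is the situation described in the note above: the rule still admits the old address, so it should be removed when a new one is added.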
In this post, I’ve shown how you can connect to an RDS instance from a local application (MySQL Workbench in this example).
Please be careful when editing Security Groups in AWS, as you can lock yourself out of your system, or can easily allow access for potentially malicious users. For more information, please check out the documentation at AWS.