Create the smallest EC2 instance available. Take note of the Virtual Private Cloud (VPC) network it is created in.
Configure the security group. This must allow connections from the outside internet to the bastion server. For example, you can look up your machine's IP address and allow SSH connections to this instance from it. In the example below, the developer's machine has an IP of
Just before you Launch the instance, you should ensure that you have access to the SSH key that is associated with it.
Your database instance may have previously had some other configuration, but now it should be Not Publicly Accessible.
However, now your instance is completely closed off. Add a security group which will allow all connections to the instance within the VPC as below. The VPC of the RDS instance should be the same as the VPC of the EC2 Bastion Server above.
Now your database instance is secured behind your private cloud network and your bastion server is accepting SSH connections.
Navigate to the EC2 Console and select your SSH instance from the list of instances.
You will have downloaded the .pem file when you first created the instance. If you need to add a new key you can follow these instructions from AWS, or if you need to reset the key you will need to restart the server. The username will be
You can find our tutorial for accessing MySQL on AWS here. The key difference is that in this setup, the MySQL instance is closed to the world. You can check that your instance is configured correctly in the following ways.
First, check that it does not allow public connections, that it is part of your default VPC, and that the security groups applied to it permit MySQL connections within the VPC.
Next, click through to the security group to ensure that it allows all IP addresses (within your private cloud) to connect on MySQL ports.
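The two checks above can also be run against the JSON returned by `aws rds describe-db-instances` and `aws ec2 describe-security-groups`. The following is an added example, not part of the original tutorial; the function name `audit_rds`, the IDs, and the VPC CIDR are constructed for illustration, and only the field names come from the AWS output.

```python
import ipaddress

# Constructed sample data shaped like `aws rds describe-db-instances` and
# `aws ec2 describe-security-groups` output; every ID and CIDR is made up.
VPC_ID, VPC_CIDR = "vpc-0example", "172.31.0.0/16"
DB = {"PubliclyAccessible": False,
      "Endpoint": {"Port": 3306},
      "DBSubnetGroup": {"VpcId": "vpc-0example"},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-db"}]}
GROUPS = {"sg-db": {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]}}


def audit_rds(db, groups, bastion_vpc_id, vpc_cidr):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    port = db["Endpoint"]["Port"]
    if db.get("PubliclyAccessible"):
        findings.append("database is publicly accessible")
    if db["DBSubnetGroup"]["VpcId"] != bastion_vpc_id:
        findings.append("database and bastion are in different VPCs")
    reachable = False
    for ref in db["VpcSecurityGroups"]:
        for perm in groups[ref["VpcSecurityGroupId"]]["IpPermissions"]:
            proto = perm["IpProtocol"]
            # "-1" means all protocols and ports; otherwise test the port range.
            covers = proto == "-1" or (
                proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])
            if not covers:
                continue
            # A rule whose source is another security group stays inside the VPC.
            if perm.get("UserIdGroupPairs"):
                reachable = True
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if net.subnet_of(vpc):
                    reachable = True
                else:
                    findings.append(f"port {port} open to {net}, outside the VPC")
    if not reachable:
        findings.append(f"no rule admits VPC traffic on port {port}")
    return findings
```
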
With these steps taken, your instance is ready to accept private connections. Take note of the hostname. The default user is admin unless you created a new one, the default database is mysql, and the password would have been created for you when the instance was created. You can modify the instance and reset the password if you do not have access to it.
You can use a SQL client like Arctype to connect to your MySQL instance securely. Gather the credentials from the SSH bastion server and the RDS MySQL instance as shown above and enter them into the client. A successful connection looks like this:
Finally, Test Connection and Save—you're ready to write some queries!