Connect Amazon RDS with EC2 Like a Pro: Best Practices and Tips
Connecting Amazon EC2 and Amazon RDS is a common setup for AWS users, but a secure and well-optimized connection requires following a few best practices. This guide walks you through setting up a secure environment, optimizing data transfer costs, and implementing security measures. Whether you're just starting or refining an existing setup, these tips will help you achieve a more efficient and secure connection.
In this article, you will learn about:
- Prerequisites and best practices of EC2 and RDS connection
- Setting up the secure environment for EC2 and RDS
- Setting up the EC2 instance
- Creating and configuring the RDS Instance
- Testing the connection between EC2 and RDS
- FAQ
- Troubleshooting Common Issues
When customers start using AWS, they usually begin with Amazon EC2 as a virtual machine and then need a good home for their databases, which is usually an RDS instance. There are several ways to connect these two services, and a set of best practices for doing so; this article describes both, so it is also useful for those who already have a working connection and aren’t sure whether it is set up in the best possible way.
Prerequisites and best practices of EC2 and RDS connection
Requirements
- AWS account
- High-level understanding of AWS Regions and Availability Zones and what they mean.
- High-level understanding of Amazon EC2, Amazon RDS, and AWS VPC (subnets etc.).
Recommendations and best practices for EC2 and RDS connection
- Separate security groups: EC2 and RDS should always be in different security groups, even when they share a subnet. At minimum this lets you control which ports are open and from where. A useful property of security groups is that an inbound rule can name another security group as its source, so the database port can be opened only to the instances in the EC2 security group rather than to an IP range.
- AWS Region data transfer cost optimization: AWS pricing for data transfer is hard to understand. What I want to make sure you understand for EC2 and RDS is that if the two are in different Availability Zones, you pay for the data transfer between them ($0.01 per GB in each direction, so effectively $0.02 per GB). For a simple database and virtual machine this can grow to terabytes per month, and believe me, I’ve seen it happen for our customers. Yes, I know the high-availability argument for splitting services across AZs, but for a set of EC2 instances talking to one database it usually doesn’t make sense to place them in different AZs; it depends on your use case, the number of EC2 instances and what runs on them.
- Select the correct Region: make sure you are in the Region closest to your application’s potential users; migrating a manually created architecture is possible, but it is not an easy task.
Setting up the secure environment for EC2 and RDS
Security Groups:
- EC2 security group: allow inbound traffic only on the ports you need (e.g., port 22 for SSH, or ports 80 and 443 for a web server), from trusted IP addresses or, for the web ports, from the public internet.
- RDS security group: permit inbound traffic on the database port (e.g., port 3306 for MySQL) exclusively from the EC2 security group, or from the specific IP addresses that require access.
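The security-group rule the two points above describe can be checked mechanically. The following is an added example (not code from the original article) that audits a list of security groups in the shape returned by boto3's `ec2.describe_security_groups()` and flags every rule that opens the database port to an IP range instead of to the EC2 security group; the three sample groups are constructed for the demo, and the port defaults to 3306 for MySQL.

```python
# Audit security-group ingress to the database port, as the article recommends.
# Added example, not part of the original article. Dictionaries follow the shape
# of boto3's ec2.describe_security_groups(); the groups below are constructed
# for this demo so the script runs offline. Assumes MySQL on port 3306.
from typing import Dict, List

# Constructed sample: the web EC2 group, a correctly scoped RDS group, and a
# badly scoped one that opens the database to the internet and to a whole VPC.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-ec2web0001", "GroupName": "web-ec2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rdsgood001", "GroupName": "mysql-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ec2web0001"}]}]},
    {"GroupId": "sg-rdsbad0001", "GroupName": "mysql-rds-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []}]},
]

def _covers_port(perm: Dict, port: int) -> bool:
    """True if the rule reaches `port`; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def audit_db_ingress(groups: List[Dict], db_port: int = 3306) -> Dict[str, List[str]]:
    """Return {group_id: [findings]} for rules that open db_port to a CIDR."""
    # A UserIdGroupPairs source (e.g. the EC2 security group) is the recommended
    # pattern and is not flagged; any IPv4/IPv6 range is, 0.0.0.0/0 and ::/0 as PUBLIC.
    findings: Dict[str, List[str]] = {}
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_port(perm, db_port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            scope = "all protocols" if perm.get("IpProtocol") == "-1" else f"tcp/{db_port}"
            for cidr in cidrs:
                sev = "PUBLIC" if cidr in ("0.0.0.0/0", "::/0") else "CIDR"
                findings.setdefault(sg["GroupId"], []).append(
                    f"{sev}: {scope} open to {cidr}; use the EC2 security group as source")
    return findings

if __name__ == "__main__":
    for gid, msgs in audit_db_ingress(SAMPLE_GROUPS).items():
        print(gid, *msgs, sep="\n  ")
```

Against a live account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups()`; the web group's public 443 rule is not reported because it does not touch the database port.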
Data Encryption
- At rest: Enable encryption for your RDS and EC2 instances to protect stored data.
Regular Maintenance
- Patches: Regularly update your EC2 instances and RDS databases to apply security patches and updates.
- Backups: Establish automated backups and snapshots for your RDS and EC2 instances to ensure data recovery in case of failures.
How to connect Amazon RDS to EC2
Setting up the EC2 instance
You can start by setting up the EC2 instance. I will use the most common instance type and operating system, but this guide should apply to all EC2 instance types and operating systems.
1. Move to the EC2 console in the correct region (eu-central-1 in our case).
2. Click on “Launch instance”.
3. The main part of this guide is getting the networking right. I’ll use the t2.micro instance type and Amazon Linux.
4. In the networking section of the launch wizard, click “Edit” to open the advanced network settings for your EC2 instance.
5. Click on Create New Security Group.
6. Fill in the name of the security group.
7. Because this will be a web server, allow ports 80 and 443 from all IP addresses; for SSH I want to connect only from my own address, so I select “My IP” as the source for port 22.
8. Check all the settings and launch the instance.
If you are having problems setting up the EC2 instance yourself, reach out to us for a quick consultation.
Creating and configuring the RDS Instance
Before launching the RDS instance, wait until the EC2 instance is running and, ideally, verify that you can connect to it via SSH or EC2 Instance Connect.
1. Go to the RDS console and click the “Create Database” button.
2. I’ll use a free-tier eligible configuration, such as MySQL on a t4g.micro.
3. I’ll use AWS Secrets Manager for password management.
4. The connection between the EC2 instance we created and the RDS instance we are creating has its own section in the wizard; that’s why it’s good to have the EC2 instance ready before you create the RDS instance. Select the option to connect to the EC2 instance.
5. Select the correct EC2 instance that you want to connect to the RDS instance.
6. Check the option to change the Availability Zone; it should automatically select the same Availability Zone as the EC2 instance.
7. Select the “Create new” security group option.
8. You can check other settings, but for this simple manual, I’ll leave everything else on default. Click on “Create database”.
9. After the RDS instance is created, check the connectivity section of its configuration. You should see your EC2 instance listed there; you can also connect more resources here if necessary.
Testing the connection between EC2 and RDS
Follow these steps to install the MySQL client on the EC2 instance and connect to the Amazon RDS MySQL instance.
Step 0: Connect to the EC2 instance
Connect to the EC2 instance you created via SSH or EC2 Instance Connect; the connection to the RDS instance will be made from this session.
Step 1: Add the MySQL Repository
Run the following command to add the MySQL repository:
sudo dnf install -y https://dev.mysql.com/get/mysql80-community-release-el9-1.noarch.rpm
Step 2: Import the GPG Key
Manually import the MySQL GPG key to avoid signature issues:
sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2023
Step 3: Install MySQL Client
Now, install the MySQL client package:
sudo dnf install -y mysql-community-client
Step 4: Verify Installation
Check if MySQL is installed successfully:
mysql --version
Step 5: Connect to Your RDS MySQL Instance
Replace your-db-instance.xxxxxxxx.region.rds.amazonaws.com with your actual RDS endpoint, which you will find in the RDS console. If you are also using AWS Secrets Manager for the password, you will find the password in the Secrets Manager console: click the secret that has RDS in its name, and there is an option to view the password.
Then run this command in the SSH session:
mysql -h your-db-instance.xxxxxxxx.region.rds.amazonaws.com -u your-username -p
Enter your password when prompted. If everything went correctly, you should be able to access RDS from EC2 without further issues.
FAQ
How do I connect Amazon RDS & EC2?
To connect Amazon RDS to an EC2 instance, ensure that:
1. Both EC2 and RDS are in the same VPC.
2. Both EC2 and RDS are created in the same AWS Region. As mentioned above, it’s also best to have them in the same AZ.
3. The RDS instance's security group allows inbound traffic from the EC2 instance’s security group.
4. The database port (e.g., 3306 for MySQL) is open in the RDS security group.
What is the best way to secure an RDS connection from EC2?
- Set up security groups to allow only necessary traffic.
- Enable encryption for data at rest.
- Restrict database access to authorized EC2 instances.
- Regularly rotate database credentials.
What are the costs of data transfer between EC2 and RDS?
If your EC2 instance and RDS instance are in the same Availability Zone (AZ), there is no data transfer cost. However, if they are in different AZs, AWS charges $0.01 per GB in each direction.
Does Amazon RDS run on EC2?
No, Amazon RDS does not run on EC2 instances. RDS is a managed database service that runs on AWS infrastructure but is separate from EC2.
Troubleshooting Common Issues
Issue 1: Cannot connect to RDS from EC2
- Security Group Restrictions: Ensure the RDS security group allows inbound traffic from the EC2 instance security group.
- Incorrect Database Endpoint: Verify that you are using the correct RDS endpoint from the AWS console.
- Wrong Credentials: Double-check the database username and password.
- VPC Configuration Issues: Confirm that both instances are within the same Region and VPC.
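The four causes above produce different failures at the TCP layer, so a plain socket probe from the EC2 instance tells you which one to look at before you touch the mysql client. This is an added example, not code from the original article; it uses the article's placeholder endpoint (replace it with yours) and assumes MySQL on port 3306.

```python
# Narrow down "cannot connect to RDS from EC2" by testing the TCP layer first.
# Added example, not from the original article. Run it on the EC2 instance with
# your real RDS endpoint; the hostname below is the article's placeholder.
# Assumes MySQL on port 3306.
import socket
from typing import Tuple

RDS_ENDPOINT = "your-db-instance.xxxxxxxx.region.rds.amazonaws.com"  # replace
DB_PORT = 3306

def classify_failure(exc: BaseException) -> str:
    """Map a connection error to the troubleshooting item it most likely points at."""
    if isinstance(exc, socket.gaierror):
        # Name resolution failed: the endpoint string is wrong or mistyped.
        return "endpoint: hostname did not resolve; copy the endpoint from the RDS console"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # A silently dropped SYN is the signature of a security-group / VPC problem.
        return ("security group or VPC: no answer on the port; check that the RDS "
                "security group allows the EC2 security group and both share a VPC")
    if isinstance(exc, ConnectionRefusedError):
        # Host answered but nothing listens here: wrong port or engine.
        return "port: host reachable but nothing listening; verify the database port"
    return f"other: {exc!r}"

def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP handshake to host:port and return (reachable, diagnosis)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ("tcp: port reachable; if mysql still fails the cause is "
                          "credentials, not networking")
    except OSError as exc:  # gaierror, timeout and refused are all OSError subclasses
        return False, classify_failure(exc)

if __name__ == "__main__":
    reachable, diagnosis = probe(RDS_ENDPOINT, DB_PORT)
    print("reachable" if reachable else "unreachable", "-", diagnosis)
```

A reachable port with a failing `mysql` login means the networking items are fine and only the credentials item remains.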
Issue 2: Connection Timeout or Latency Issues
- Instance Overload: Check EC2 and RDS performance metrics to see if resource constraints are causing the delay.
Conclusion
Establishing a secure and cost-effective connection between Amazon EC2 and RDS is essential for performance and reliability. By following best practices, such as separate security groups and optimizing data transfer costs, you can enhance security and reduce expenses. If you need further guidance, don't hesitate to reach out for expert consultation.