
Private RDS Access via EC2 Instance Connect Endpoint

Tags: RDS, EC2 Instance Connect Endpoint, IAM, VPC

Use Case

Securely connect to a private RDS instance from a local machine without a bastion host, jump server, or VPN — using EC2 Instance Connect Endpoint and SSH port forwarding.

Design Decisions

  • EC2 Instance Connect Endpoint eliminates the need for a bastion host
  • IAM permissions are validated at the endpoint before the tunnel is established
  • SSH local port forwarding carries the database traffic (e.g., PostgreSQL on port 5432) through the endpoint tunnel, so the database port is only ever exposed on the developer's loopback interface
  • No public IP is assigned to the RDS instance at any point

Trade-offs

  • Requires AWS CLI and proper IAM setup on the developer's local machine
  • Tunnel must be re-established on reconnect — not persistent like a VPN
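The tunnel described in the design decisions and trade-offs above, as an added shell example that is not part of this page or of AWS's own tooling. The instance id, endpoint id and RDS hostname are placeholders, and it assumes the AWS CLI is configured with an identity permitted to open tunnels on the endpoint.

```shell
#!/bin/sh
# Added example, not code from the original page: open an SSH local port
# forward to a private RDS instance through an EC2 Instance Connect Endpoint.
# The instance id, endpoint id and RDS hostname used below are placeholders.
# Assumes: AWS CLI v2 configured with an identity allowed
# ec2-instance-connect:OpenTunnel on the endpoint, and your SSH public key
# already authorised on the instance (or pushed with
# `aws ec2-instance-connect send-ssh-public-key`).
set -eu

# Reject values that are not an EC2 instance id / EICE id before they reach
# the CLI; keeps typos from turning into confusing tunnel errors.
check_ids() {
  case "$1" in i-*) ;; *) echo "not an instance id: $1" >&2; return 1 ;; esac
  case "$2" in eice-*) ;; *) echo "not an endpoint id: $2" >&2; return 1 ;; esac
}

# The -L argument: bind explicitly to loopback so the forwarded database
# port is not reachable from other hosts on the developer's network.
#   $1 local port   $2 RDS hostname (private DNS)   $3 database port
forward_spec() {
  printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# The ProxyCommand: the AWS CLI opens the tunnel to the endpoint, and IAM
# authorises the caller before the SSH session ever reaches the instance.
#   $1 instance id   $2 EC2 Instance Connect Endpoint id
proxy_command() {
  printf 'aws ec2-instance-connect open-tunnel --instance-id %s --instance-connect-endpoint-id %s' "$1" "$2"
}

# Open the tunnel in the foreground; Ctrl-C closes it and re-running the
# function reconnects (nothing keeps it alive, unlike a VPN).
#   $1 instance id  $2 EICE id  $3 RDS hostname  $4 db port  $5 local port  $6 ssh user
open_rds_tunnel() {
  check_ids "$1" "$2"
  # -N: forward ports only, no remote shell
  # ExitOnForwardFailure: fail loudly rather than run without the forward
  exec ssh -N \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 \
    -L "$(forward_spec "$5" "$3" "$4")" \
    -o "ProxyCommand=$(proxy_command "$1" "$2")" \
    "$6@$1"
}

# Placeholder invocation; psql then connects to host 127.0.0.1 port 15432:
# open_rds_tunnel i-0123456789abcdef0 eice-0123456789abcdef0 mydb.abc123.us-east-1.rds.amazonaws.com 5432 15432 ec2-user
```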

© 2026 Kartikey Tripathi · kartikeytripathi.in