top of page

Enhance RDS Security with VPC

Updated: Aug 6, 2023

Amazon RDS is a web service that offers a simple way to set up, manage, and scale a relational database in the AWS environment.

The service provides a cost-effective and resizable capacity for an industry-standard relational database. Besides, Amazon RDS is a managed service that handles everyday database administration tasks, allowing developers to focus on designing applications.

Amazon RDS supports various popular database engines, including Maria DB, MySQL, Microsoft SQL Server, Oracle, Aurora, and PostgreSQL.

AWS VPC is an isolated virtual network that users define and control. It offers enhanced security and control over your networking environment. VPC users can choose their IP address range, create unique access control lists, and configure routing.

With Amazon VPC, you can launch various AWS resources such as Amazon RDS into a virtual network that you have customized. In most cases, a VPC resembles a traditional network that you operate in your local datacenter.

The Benefits of Creating Amazon RDS in VPC

In essence, Amazon isolates VPCs from other virtual networks in the AWS cloud. The service provides subnets that you can deploy to isolate resources inside the VPC.

Amazon VPC provides VPC security groups that act as a virtual firewall for your DB instance. Running Amazon RDS in VPC allows you to set controls for inbound and outbound traffic.

You can specify rules in VPC to filter traffic based on protocols and port numbers.

In the same manner, you can leverage VPC group rules to block suspicious traffic from cybercriminals With Amazon VPC, you can customize your network configuration to create a public-facing subnet for web servers that access the Internet.

Similarly, VPC lets you place critical backend systems, such as RDS and application servers, in private-facing subnets with no internet access.

Also, Amazon VPC offers network access control list as an optional security layer that controls inbound and outbound traffic in subnets.

You can set up network access control lists with rules similar to VPC security groups to enhance the security of the VPC hosting your RDS.

You can create sizeable classless inter-domain routing (CIDR) in VPC to allocate spare IP addresses for Amazon RDS. The extra IP addresses are essential in maintenance activities and failover.

RDS Security with PVC

Creating Amazon RDS in VPC is simple and requires less time to set up, manage, and validate. The process allows developers to set up their system environment and focus on building the applications that connect to RDS in VPCs.

To operate Amazon RDS in VPC, the VPC should have at least two subnets in different Availability Zones in an AWS Region of interest. These two subnets offer ranges of IP addresses that you can specify based on your business needs.

You can make your RDS instance accessible publicly by enabling two VPC attributes – DNS hostnames and DNS resolution and assign a public address to your instance.

You need to create a DB subnet group for the VPC. Amazon RDS requires the DB subnet group and a preferred availability zone to select an IP address and subnet for the DB instance.

You should also ensure that the VPC has a VPC security group that grants access to the DB instance. While setting Amazon RDS in VPC, it is vital to create large CIDR blocks in each subnet to accommodate spare IP addresses for your DB instance.

This approach provides alternative access for Amazon RDS during failover, maintenance, and compute scaling.

You can follow these steps to create Amazon RDS in VPC:

  1. You can use a default VPC in your AWS account. However, if you need to create a new VPC, you can create, access, and manage one using these options:

    1. AWS Management Console – AWS provides a web interface that you can use to access AWS resources such as VPCs .

    2. Command Line Interface (CLI) – AWS provides commands for different services, including Amazon VPC. Popular computing environments like Windows, Linux, and Mac support Amazon CLI.

    3. AWS Software Development Kits (SDK) – AWS provides a range of APIs that handles connection details allowing you to access and manage VPCs.

    4. Query API – you can use HTTPS requests to call low-level API actions to access your Amazon VPC directly.

  2. After creating a VPC, you need to add subnets in at least two AWS Availability Zones. You deploy the subnets for the DB subnet groups. In case you are using a default VPC, AWS automatically provides a subnet in each Availability Zone in the AWS Region.

  3. After creating subnets, you need to create a DB subnet group that you will designate the DB instances. A DB subnet group enables you to specify a particular VPC when creating DB instances.

  4. Next, you create a VPC security group before setting up a DB instance. You will associate the VPC security group with the DB instance.

  5. The final step entails setting up a DB instance in VPC. You use the VPC name, DB subnet group, and VPC security group created previously to set up the DB instance.

How to Connect from On-Premises

You can create a secure connection between an on-premise network and Amazon VPC. Database administrators and developers can leverage AWS PrivateLink to access Amazon RDS database instance in a private subnet in AWS VPC.

AWS PrivateLink offers a secure, private connection between AWS services, Amazon VPCs, and on-premise resources on the AWS network.

The service allows you to securely access services on AWS using a private network and powers connectivity to RDS through VPC endpoints (virtual devices). You can access endpoints on VPC services using the AWS Management Console.

You can also leverage the AWS Transit Gateway to connect on-premises networks and Amazon VPCs through a central hub. The connection simplifies the network and acts as a cloud router. You can create a default transit gateway route table on Amazon VPC console.

Direct Connect also gives you the ability to connect to AWS VPC from on-premise. You can establish a private connection between your local office, datacenter, or other environments and AWS VPC. Direct Connect reduces network costs, offers a consistent network experienced as compared to legacy internet-based connections, and improves bandwidth throughput.

65 views0 comments

Recent Posts

See All


bottom of page