This demonstrates the connection options for initiating a private, secure connection into a VPC from a remote location.
Steps:
- Run `terraform apply` to create all the AWS resources.
- Install the AWS Session Manager plugin for the AWS CLI.
This will create the following infrastructure:
- A VPC with a public and private subnet.
- A Postgres RDS instance in the private subnet.
- An EC2 instance in the private subnet.
- An AppStream instance in the private subnet.
Note that NO resources are placed in the public subnet. Thus, nothing here is internet-accessible!
AppStream:
- Go to the AppStream console: https://us-east-1.console.aws.amazon.com/appstream2/home?region=us-east-1#/fleets
- Click "User Pool", and add a user.
- Associate that user with a stack.
- Check your email for temporary credentials and use them to log in.
- Once logged in, you can use the AppStream instance.
- You can see that the Postgres hostname resolves, but the connection is refused.
Pros:
- No need to install anything on the client.
- Strict controls on copy/paste and file transfer.
Cons:
- Yet another auth layer/user management spot.
- Might need to roll our own images to get the software we want.
Session Manager:

```bash
# SSH into the jump instance
./bin/jump.sh
# Once inside the jump instance, install the Postgres client and connect.
# Package installation needs root, so run it through sudo.
sudo dnf install postgresql15
# Note: replace the hostname below with the endpoint of your own RDS instance.
psql -h demo.cyaccbockaim.us-east-1.rds.amazonaws.com -U demo postgres
```
Pros:
- Direct IAM authentication.
- Sessions can be logged and audited.
Cons:
- No copy/paste protection.
- Can also be used to tunnel a connection, which could be considered a security risk.
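The following script is an added example, not the project's own `bin/jump.sh`. It shows what the jump step above amounts to when done over SSM Session Manager, and it addresses the tunnelling concern in the cons list: the operator policy it emits allows `ssm:StartSession` only against one instance and only with the interactive shell document, and the `ssm:SessionDocumentAccessCheck` condition makes the CLI check the document, so the `AWS-StartPortForwardingSession*` documents cannot be used with this policy. The `Name` tag value, the region default, and the account and instance IDs in the usage are assumptions; `SSM-SessionManagerRunShell` is the document AWS creates when session preferences are saved in the console.

```bash
#!/usr/bin/env bash
# Added example (not the project's bin/jump.sh): open an SSM Session Manager
# shell on the private EC2 instance, located by its Name tag, with no inbound
# security-group rule and no public IP, and print a least-privilege operator policy.
set -eu

# Assumed values: the tag value and region are placeholders, not from the project.
REGION="${AWS_REGION:-us-east-1}"
INSTANCE_NAME_TAG="${JUMP_NAME_TAG:-jump}"

# Resolve the instance ID of the running instance carrying the Name tag.
jump_instance_id() {
  aws ec2 describe-instances --region "$REGION" \
    --filters "Name=tag:Name,Values=$INSTANCE_NAME_TAG" \
              "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].InstanceId' --output text
}

# Build the start-session command as a string so it can be shown (and tested)
# without calling AWS. The document is named explicitly because the policy
# below requires the CLI to state which document it is using.
session_command() {
  instance_id="$1"
  printf 'aws ssm start-session --region %s --target %s --document-name SSM-SessionManagerRunShell' \
    "$REGION" "$instance_id"
}

# Least-privilege IAM policy for an operator: an interactive shell on this one
# instance only. With ssm:SessionDocumentAccessCheck=true the CLI must pass a
# document name, and only SSM-SessionManagerRunShell is allowed, so the
# port-forwarding documents (tunnelling) are rejected by IAM.
# ${aws:username}-* limits resume/terminate to the caller's own sessions.
operator_policy() {
  account_id="$1"
  instance_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:${REGION}:${account_id}:instance/${instance_id}",
        "arn:aws:ssm:${REGION}:${account_id}:document/SSM-SessionManagerRunShell"
      ],
      "Condition": { "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } }
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# Usage:
#   ./jump-ssm.sh --connect                 # open the session
#   ./jump-ssm.sh --policy 123456789012 i-0123456789abcdef0   # print the policy
case "${1:-}" in
  --connect)
    id="$(jump_instance_id)"
    [ -n "$id" ] || { echo "no running instance tagged Name=$INSTANCE_NAME_TAG" >&2; exit 1; }
    # The command string contains only the region and an instance ID returned by AWS.
    eval "$(session_command "$id")"
    ;;
  --policy)
    operator_policy "${2:?account id}" "${3:?instance id}"
    ;;
esac
```

Attach the printed policy to the operator's IAM role, then keep session logging enabled in the Session Manager preferences so the "sessions can be logged and audited" benefit above actually holds; an operator who tries `aws ssm start-session --document-name AWS-StartPortForwardingSessionToRemoteHost` under this policy gets an AccessDenied, which is also a useful CloudTrail signal.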